freebsd at keyslapper.org
Mon Feb 23 18:28:19 PST 2004
On 02/23/04 08:29 PM, stan sat at the `puter and typed:
> On Mon, Feb 23, 2004 at 08:02:22PM -0500, Louis LeBlanc wrote:
> > On 02/23/04 07:38 PM, stan sat at the `puter and typed:
> > > I'm trying to help a friend of mine get an imap server running on one of
> > > his FreeBSD 4.9 STABLE machines.
> > >
> > > We have built the UW imapd port, and installed it. However we seem to be
> > > having a bit of a problem making it work.
> > >
> > > The man page, and the docs (which I only found in the ports work directory
> > > for some reason, don't they get installed somewhere?) all seem to agree
> > > that it should "just work". However in our case it does not :-(
> > >
> > > Currently we are getting error messages like this in /var/log/maillog:
> > >
> > > maillog.0:Feb 22 19:40:26 ops2 imapd: Unable to load certificate
> > > from /usr/local/certs/imapd.pem, host=router.XXX.net [192.168.2.1]
> > >
> > > As you can see, this box is located on a DMZ, behind an OpenBSD firewall
> > > (running pf). We have that box redirecting port 993 to the FreeBSD box
> > > running imap.
> > >
> > > What am I missing here?
> > You can't really accept secure connections without an SSL certificate.
> > Check the docs to find the details, but you probably want the OpenSSL
> > docs as well to tell you how to create an SSL key and PEM cert. The
> > path provided in the error message tells you where the cert is
> > expected to be. Chances are that if you check the imapd.conf you'll
> > also see where the key should be placed.
> Sorry I wasn't clear here.
> There _is_ a certificate there. Created (I assume by the port build process).
> However it seems that since the packets are being redirected _from_ the
> router (OpenBSD) box, imapd wants the certificate to be _for_ the router.
> Any ideas how to fix this?
Ah. Well, if imapd wants the cert to be for the router, remake it for
the router. Check the OpenSSL docs. It's not as complicated as it
will seem at first. Cyrus doesn't really care what the cert is for,
but I guess if UW does, you might want to check the configs to make
sure the hostname doesn't need reconfiguring.
> > Unless you have it configured to block or simply not accept regular
> > IMAP connections, you might be able to connect on port 143, if you
> > just redirect that port. Only problem is your connection won't be
> > secure.
> And the passwords will be passed in the clear, right?
> Might as well use POP, correct?
Yes and no. POP is fine if you only ever check mail from one system.
Otherwise, imap is more appropriate. Security is a separate issue
altogether when you look at it this way.
Louis LeBlanc leblanc at keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
Rudin's Second Law:
In a crisis that forces a choice to be made among alternative courses
of action, people tend to choose the worst possible course.
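
As an added example (not part of the thread and not code from the UW imapd port): shell functions that build a combined key-plus-certificate PEM with OpenSSL and check the usual reasons a server cannot load one (unreadable file, missing key or certificate block, key not matching the certificate, expiry). The host name and file path are placeholders, and it is an assumption, to be confirmed against the UW imapd documentation, that imapd expects the key and certificate together in the one file named in the log line.

```shell
#!/bin/sh
# Added example, not from the thread. Host name and paths are placeholders.

# make_imapd_pem FILE CN
# Self-signed certificate plus unencrypted private key, both written to FILE.
make_imapd_pem() {
    pem=$1; cn=$2
    ( umask 077   # the file holds a private key: owner-only permissions
      openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
          -subj "/CN=$cn" -keyout "$pem" -out "$pem" 2>/dev/null )
}

# check_imapd_pem FILE
# Prints the first problem found and returns non-zero; returns 0 if FILE looks loadable.
check_imapd_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block in $pem"; return 1; }
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" ||
        { echo "no private key block in $pem"; return 1; }
    # The key and the certificate must be a pair: compare their public keys.
    # An empty -passin makes a passphrase-protected key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate in $pem"; return 1
    fi
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate in $pem has expired"; return 1; }
    # Show who the certificate was issued to and until when, for comparison
    # with the host name the mail clients connect to.
    openssl x509 -in "$pem" -noout -subject -enddate
}
```

Source the file, then run `check_imapd_pem /usr/local/certs/imapd.pem` as the user the daemon runs as, so the readability test reflects what imapd itself sees.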