Subject: qpopper/openssl/netbsd issue?
To: None <Netbsd-help@NetBSD.org>
From: Michael G. Schabert <mikeride@mac.com>
List: netbsd-help
Date: 01/08/2004 01:27:19

Hi guys,
I'm playing around with using SSL with qpopper on a DEC AS200 running 
NetBSD 1.6Z (I'll be updating soon). I'm using the stock qpopper from 
pkgsrc & have been running it forever (it's Qpopper version 4.0.5 
(non-standalone)...not sure what the "non-standalone" means).

I followed the steps in qpopper's FAQ to use openssl commands to 
create a cert request, then self-sign the request.

/etc/inetd.conf has
qpopper -t /tmp/qpopper.log -f /usr/pkg/etc/qpopper.config

as the pop3 command (the log is just temporary for testing this).

My /usr/pkg/etc/qpopper.config file is:

set tls-support = stls
set tls-server-cert-file = /usr/pkg/etc/qpopper-mail.cert/cert.pem
set tls-options = 0x00000800
set clear-text-password = tls

I'm using Eudora 5.1 on MacOS as my MUA. In Eudora, I already had it 
checked to use APOP for POP3 authentication. In the SSL section, I 
changed the POP setting to "Optional (TLS)" so it'll do the STLS.

So Qpopper should be set up to allow anyone to connect provided they 
use EITHER APOP OR SSL, but at least one must be used (no straight 
clear-text).

When Eudora tries to connect using the account I told to use SSL, I 
end up getting:

-ERR [AUTH] You must use stronger authentication such as AUTH or APOP 
to connect to this server

If I change Eudora to "none" under the SSL section (as it was 
before), everything goes fine, so I know APOP works fine without SSL. 
But when Eudora advertises it can do SSL, then it looks like APOP is 
bypassed and qpopper doesn't like that. If I leave Eudora using SSL 
but change my qpopper.config so that it allows clear-text-passwords 
(always), then everything goes through fine...but then of course 
someone could connect via pure-clear-text instead of SSL-filtered 
text (as it's currently a dial-up machine I'm playing with, it's no 
biggie, but it's not good practice ;).

So it seems that the "clear-text-password = tls" is not being honored 
by qpopper, which is causing my ills. Any thoughts or advice?

I also have imap-uw-2002.2 on the machine as an IMAP server, so I can 
always just switch the inetd.conf to point to pop3d instead of 
qpopper, but I'd been running qpopper for years before throwing IMAP 
into the mix & it would be nice to get a resolution to this issue 
with qpopper anyway :).

Thanks in advance,
Mike
-- 
Bikers don't *DO* taglines.
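
One way to narrow down where a rejection like the one quoted above comes from is to walk a plaintext POP3 trace and check whether STLS was advertised and completed before any login command was sent. This is an added example, not part of the original message and not qpopper code; the "C:"/"S:" trace format, the host name and the function names are assumptions made for illustration.

```python
# Constructed POP3 trace ("C:" client, "S:" server); only the -ERR text is from the post.
SAMPLE = """\
S: +OK Qpopper ready <1234.5678@mail.example.org>
C: CAPA
S: +OK Capability list follows
S: USER
S: .
C: USER mike
S: -ERR [AUTH] You must use stronger authentication such as AUTH or APOP to connect to this server
"""

def analyze(trace):
    """Walk a plaintext POP3 trace and record how authentication was attempted."""
    r = {"stls_advertised": False, "tls_active": False,
         "cleartext_user": False, "apop": False, "auth_rejected": False}
    in_capa, last_cmd = False, ""
    for line in trace.splitlines():
        side, _, text = (p.strip() for p in line.partition(": "))
        if side == "C":
            in_capa = False
            last_cmd = text.split(" ")[0].upper()
            if last_cmd == "USER" and not r["tls_active"]:
                r["cleartext_user"] = True   # login name sent before any TLS upgrade
            elif last_cmd == "APOP":
                r["apop"] = True
        elif side == "S":
            if in_capa:                      # inside the multi-line CAPA response
                if text == ".":
                    in_capa = False
                elif text.upper() == "STLS":
                    r["stls_advertised"] = True
            elif last_cmd == "CAPA" and text.startswith("+OK"):
                in_capa = True
            elif last_cmd == "STLS" and text.startswith("+OK"):
                r["tls_active"] = True       # later commands run inside TLS
            elif text.startswith("-ERR [AUTH]"):
                r["auth_rejected"] = True
    return r

def diagnose(r):
    """Map the observed facts to the next thing to check (triage hint, not a verdict)."""
    if not r["auth_rejected"]:
        return "no authentication rejection in trace"
    if r["tls_active"]:
        return "rejected inside TLS: check server clear-text-password policy"
    if r["stls_advertised"]:
        return "STLS advertised but client authenticated without upgrading"
    return "STLS not advertised: client could not upgrade before authenticating"
```

Feeding it the session captured by a client-side debug log or a packet trace separates a server that never offers STLS from a policy setting that is ignored after the upgrade.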