First off, Pine rocks when it comes to reading mail quickly, particularly on a server where a GUI is not available. Second of all, it often doesn’t come with GNU/Linux distributions anymore. I suppose part of the problem is that pine includes its own version of IMAP (UW IMAP), which can cause problems if it coexists with the various one-size-fits-all approaches to IMAP, cough, cyrus. What I often want is simply webmail over SSL, while still allowing a direct connection from one location, such as an office behind a NATed address, straight to the IMAPS server. The SSL cert is often self-signed, since it exists only to encrypt mail and is not used for ordering, and many of the webmail packages have problems with that. By using xinetd, I can control which hosts may connect to which service, and assign a separate binary to each service. UW IMAP works well for this. What we need is one IMAP binary with SSL support and one without. It appears at first glance that after the new version of pine came out in response to this vulnerability, IMAP now refuses to run unencrypted plaintext if SSL support is compiled in. Besides all that, the binary is smaller without the SSL code. In this article we will compile pine/IMAP twice, once with SSL and once without, and configure xinetd to provide plaintext IMAP locally and IMAPS for one or more external clients.
We are compiling and configuring this on a CentOS / Red Hat v4 system. Grab the source and pass options on the build line that point to your SSL cert directory and the OpenSSL headers:
[pine4.64]# ./build SSLCERTS=/cpath/conf/ssl.crt/ SSLINCLUDE=/usr/include/openssl/ slx
make args are CC=cc 'SSLCERTS=/cpath/conf/ssl.crt/' 'SSLINCLUDE=/usr/include/openssl/' slx
File /cpath/conf/ssl.crt//factory.pem is missing
This might indicate that CA certs did not get properly installed.
If you get certificate validation failures in Pine, this might be the reason for them.
Including SSL functionality
Making c-client library, imapd, and ipopd
. . .
Links to executables are in bin directory:
   text    data     bss     dec     hex filename
3690194  290728  692280 4673202  474eb2 bin/pine
 655356    8280    2752  666388   a2b14 bin/mtest
 690604    8368   67476  766448   bb1f0 bin/imapd
 201730    5208    2744  209682   33312 bin/pico
 199385    5048    2776  207209   32969 bin/pilot
 843131   12556    4428  860115   d1fd3 bin/rpdump
 844995   12556    4428  861979   d271b bin/rpload
 652844    8272    1724  662840   a1d38 bin/mailutil
 650518    8276    2752  661546   a182a bin/ipop2d
 655024    8272    1888  665184   a2660 bin/ipop3d
Done
[pine4.64]#
[pine4.64]# cd bin
[bin]# cp imapd /usr/sbin
[bin]#
We are using a self-signed SSL cert for Apache; it can simply be copied to imapd.pem, which is the file name imapd expects in the SSLCERTS directory. The certs aren’t really different. Just replace /cpath, etc., with the path to your Apache certs. We also need a non-SSL version of imapd, so clean the tree and build again with SSLTYPE=none:
[pine4.64]# make clean
./build clean
make args are CC=cc clean
Cleaning c-client and imapd
make[1]: Entering directory `/usr/local/src/pine4.64/imap'
Removing old processed sources and binaries...
sh -c 'rm -rf an ua OSTYPE SPECIALS c-client mtest imapd ipopd mailutil
. . .
[pine4.64]#
[pine4.64]# ./build SSLTYPE=none slx
make args are CC=cc slx
Making c-client library, imapd, and ipopd
eval make CC=cc SSLTYPE=none SPECIALS= slx
make sslnone
make[1]: Entering directory `/usr/local/src/pine4.64/imap'
make[1]: `sslnone' is up to date.
make[1]: Leaving directory `/usr/local/src/pine4.64/imap'
Applying an process to sources...
tools/an "ln -s" src/c-client c-client
tools/an "ln -s" src/ansilib c-client
. . .
Links to executables are in bin directory:
   text    data     bss     dec     hex filename
3681257  290448  692248 4663953  472a91 bin/pine
 646166    8032    2720  656918   a0616 bin/mtest
 681446    8088   67444  756978   b8cf2 bin/imapd
 201730    5208    2744  209682   33312 bin/pico
 199385    5048    2776  207209   32969 bin/pilot
 833898   12276    4396  850570   cfa8a bin/rpdump
 835794   12276    4396  852466   d01f2 bin/rpload
 643686    7992    1692  653370   9f83a bin/mailutil
 641332    7996    2720  652048   9f310 bin/ipop2d
 645834    7992    1856  655682   a0142 bin/ipop3d
Done
[pine4.64]# cp bin/imapd /usr/sbin/imapdnossl
Set up xinetd with one service per binary. The tail of each service file shows the part that matters:
[root@imaptest ~]# tail -n 6 /etc/xinetd.d/imaps
        server          = /usr/sbin/imapd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable         = no
        only_from       = 66.44.55.1
}
[root@imaptest ~]#
[root@imaptest ~]# tail -n 6 /etc/xinetd.d/imap
        server          = /usr/sbin/imapdnossl
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable         = no
        only_from       = 127.0.0.1
}
[root@imaptest ~]#
The only_from line is the key here. 66.44.55.1 is the NATed office address whose regular email clients connect over SSL (the imaps service), and 127.0.0.1 is for the webmail program, which authenticates in plaintext (the imap service) and therefore must never be reachable from anywhere but the local host. Note that you should only do this with a webmail app that itself runs over SSL. That is, configure SSL for Apache, and only allow the webmail app to be served from https://blah. Restart xinetd:
[root@imaptest ~]# /etc/init.d/xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
[root@imaptest ~]#
Here are the IMAP settings we use for SquirrelMail (plaintext to localhost on port 143, where xinetd hands the connection to imapdnossl):
IMAP Settings
--------------
4.  IMAP Server            : localhost
5.  IMAP Port              : 143
6.  Authentication type    : login
7.  Secure IMAP (TLS)      : false
8.  Server software        : uw
Finally, check /var/log/maillog when you read mail from the web and from a remote client, and make sure xinetd is running the right binary for each: the plaintext imap service should only ever show imapdnossl from 127.0.0.1, and the imaps service should show imapd from the office address:
Jan 13 17:06:14 main imapdnossl[11728]: imap service init from 127.0.0.1
Jan 13 17:06:14 main imapdnossl[11728]: Login user=sslmail host=localhost.localdomain [127.0.0.1]
Jan 13 17:06:14 main imapdnossl[11728]: Logout user=sslmail host=localhost.localdomain [127.0.0.1]
Jan 13 17:06:54 main imapd[11734]: imaps SSL service init from 66.44.55.1
Jan 13 17:06:54 main imapd[11734]: Login user=mailuser host=[66.44.55.1]
Jan 13 17:06:54 main imapd[11734]: Logout user=mailuser host=[66.44.55.1]
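As an added check (example code written for this article, not part of the original setup), the following Python script applies the two xinetd rules above to maillog lines and reports any session that was served by the wrong binary or that came from a host outside that service's only_from list. The sample log is constructed from the lines shown above plus one extra line that violates the policy; 203.0.113.9 is a placeholder address.

```python
import re

# Constructed sample of /var/log/maillog lines in the format shown above,
# plus one line (pid 11740) that breaks the policy: plaintext imap from an outside host.
SAMPLE_MAILLOG = """\
Jan 13 17:06:14 main imapdnossl[11728]: imap service init from 127.0.0.1
Jan 13 17:06:14 main imapdnossl[11728]: Login user=sslmail host=localhost.localdomain [127.0.0.1]
Jan 13 17:06:14 main imapdnossl[11728]: Logout user=sslmail host=localhost.localdomain [127.0.0.1]
Jan 13 17:06:54 main imapd[11734]: imaps SSL service init from 66.44.55.1
Jan 13 17:06:54 main imapd[11734]: Login user=mailuser host=[66.44.55.1]
Jan 13 17:06:54 main imapd[11734]: Logout user=mailuser host=[66.44.55.1]
Jan 13 17:07:30 main imapdnossl[11740]: imap service init from 203.0.113.9
"""

# "imap service init" vs "imaps SSL service init" tells which xinetd service answered;
# the program name before the pid tells which binary xinetd actually spawned.
INIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ (?P<prog>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<svc>imaps SSL|imap) service init from (?P<ip>[\d.]+)$"
)

# Policy mirroring the two xinetd files: per service, the binary it must run
# and the hosts it may be reached from (the only_from lines).
POLICY = {
    "imap":      {"prog": "imapdnossl", "only_from": {"127.0.0.1"}},
    "imaps SSL": {"prog": "imapd",      "only_from": {"66.44.55.1"}},
}


def check_maillog(text, policy=POLICY):
    """Return a list of (pid, reason) for every session init that breaks the policy."""
    findings = []
    for line in text.splitlines():
        m = INIT_RE.match(line)
        if not m:
            continue  # Login/Logout lines carry no service/binary information
        rule = policy[m["svc"]]
        if m["prog"] != rule["prog"]:
            findings.append((m["pid"], f"{m['svc']} served by {m['prog']}, expected {rule['prog']}"))
        if m["ip"] not in rule["only_from"]:
            findings.append((m["pid"], f"{m['svc']} init from {m['ip']} not in only_from"))
    return findings


if __name__ == "__main__":
    for pid, reason in check_maillog(SAMPLE_MAILLOG):
        print(f"pid {pid}: {reason}")
```

On the real box, feed it the live log (e.g. read /var/log/maillog into `text`) and an empty result means every plaintext session came from the loopback address and every external session was handled by the SSL binary.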