How to use an IMAPS server with CAMAS.
Written by Olivier Warin (daffy@xview.net)
This paper does not cover the installation of your mail server nor the caudium/camas one.
Please refer to appropriate documentation.
You need two pieces of software: the first creates the TCP connection over SSL to the mail server, and the second binds to a TCP port so that CAMAS can establish its connection to your SSL-aware server through that tunnel. There are several ways to do this; all are very similar.
* The quick and ugly way: Install socket (http://www.jnickelsen.de/socket/) and run the following command as root.
# socket -p 'openssl s_client -host your.imap.server -port 993' -slv 143
* The recommended one, by using inetd. Thus, you can use all the facilities inetd has to offer. Simply add this line to your /etc/inetd.conf:
192.168.0.254:143 stream tcp nowait root /usr/sbin/openssl openssl s_client -host your.imap.server -port 993
Please read inetd.conf(5) for more information.
And restart inetd: # kill -HUP `pgrep inetd`
* My preferred version ;) Hping is a powerful network tool
Then verify that things work correctly by « telnetting » to the host running socket(1) or the configured inetd.
You should see something like this:
Trying 192.168.0.254...
Connected to kristina.
Escape character is '^]'.
depth=0 /C=FR/ST=Paris/O=Association Kazar/OU=Mail Services/CN=*.oav.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FR/ST=Paris/O=Association Kazar/OU=Mail Services/CN=*.oav.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FR/ST=Paris/O=Association Kazar/OU=Mail Services/CN=*.oav.net
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000004)
---
Certificate chain
0 s:/C=FR/ST=Paris/O=Association Kazar/OU=Mail Services/CN=*.oav.net
i:/O=Association Kazar/OU=CA Division/emailAddress=kiwi@oav.net/L=Paris/ST=Paris/C=FR/CN=Kazar Root CA
---
Server certificate
subject=/C=FR/ST=Paris/O=Association Kazar/OU=Mail Services/CN=*.oav.net
issuer=/O=Association Kazar/OU=CA Division/emailAddress=kiwi@oav.net/L=Paris/ST=Paris/C=FR/CN=Kazar Root CA
---
No client certificate CA names sent
---
SSL handshake has read 783 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: F651559E73573606F175BAEF702FE5B14E490DB46874584D7F1E492C92CFEAA1
Session-ID-ctx:
Master-Key: 93695E09D3AB2F25A24A794F6089DB71D88F28BC2A17F9303DB8816382C971562AF87646DC3779082B91ACB121C7E3AC
Key-Arg : None
Start Time: 1077400254
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc. See COPYING for distribution information.
* NO Error in IMAP command received by server.
#
closed
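The transcript above ends with "Verify return code: 21", and s_client still passes the IMAP greeting through, so the tunnel encrypts the traffic without authenticating the mail server. The check below is an added example, not part of the original paper: it reads an s_client transcript and succeeds only when the chain verified. The function names and the ca.pem path are assumptions.

```shell
#!/bin/sh
# Constructed sample: the verification lines of the s_client transcript shown above.
SAMPLE_TRANSCRIPT='depth=0 /C=FR/ST=Paris/O=Association Kazar/OU=Mail Services/CN=*.oav.net
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000004)
    Verify return code: 21 (unable to verify the first certificate)'

# Print the final numeric "Verify return code" of a transcript read on stdin.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Print the distinct "verify error:num=N" numbers, one per line, in order seen.
verify_errors() {
    sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' | awk '!seen[$0]++'
}

# Succeed only when the transcript shows a verified chain (code 0, no errors).
tunnel_trusted() {
    transcript=$(cat)
    code=$(printf '%s\n' "$transcript" | verify_code)
    errors=$(printf '%s\n' "$transcript" | verify_errors)
    [ "$code" = "0" ] && [ -z "$errors" ]
}

# Hypothetical live use (ca.pem is a placeholder for the issuing CA certificate):
#   openssl s_client -host your.imap.server -port 993 -CAfile ca.pem \
#       </dev/null 2>&1 | tunnel_trusted
if printf '%s\n' "$SAMPLE_TRANSCRIPT" | tunnel_trusted; then
    echo "chain verified"
else
    echo "chain NOT verified, code $(printf '%s\n' "$SAMPLE_TRANSCRIPT" | verify_code)"
fi
```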
Finally, fire up a web browser, connect to CIF and go to your virtual server configuration, enter your Auth Method -> IMAP Basic and set IMAP server & IMAP server port matching your values.
Enjoy ! :)