Author Topic: Secure Mail Server Issues  (Read 80130 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Secure Mail Server Issues
« Reply #45 on: January 15, 2005, 02:24:41 PM »
Yildi, I'm frustrated with Stunnel... I can't make it work...
I can't install, can't find a 'complete' package to download anymore...  :'(
The best things in life are free.

yildi

  • Guest
FAQ: ThunderBird - Spamhilator-Avast-Stunnel
« Reply #46 on: January 15, 2005, 03:13:32 PM »
Good news,

ThunderBird - Spamhilator-Avast-Stunnel for GMail
and
ThunderBird - Spamhilator-Avast for non SSL POP

both work now and also SecureSMTP for GMail.

My problem was due to the fact that I had missed the new working scheme of Avast 4.5 for simple POP...

Let me draft some sort of a FAQ following my recent experience.

A/ Installing and preparing STUNNEL

Download OPENSSL for Windows from http://www.slproweb.com/products/Win32OpenSSL.html and install it.
Download STUNNEL for Windows from http://www.stunnel.org/download/binaries.html. This is an exe file and you can place it in any specific folder (e.g. in C:\stunnel).
In the folder where you have copied stunnel, you will create its configuration file.

So launch your notepad and type the following (adapt it if necessary) in a blank document:

Code:
# We're running as a client to SSLify the GMail POP connection
client=yes

# POP3 service, listens on localhost:11110
[gmail-pop3s]
accept=127.0.0.1:11110
connect=pop.gmail.com:995 #or the SSL port of your Secure POP server if you use another service.

# SMTP service, listens on localhost:11025
[gmail-smtps]
accept=localhost:11025
connect=smtp.gmail.com:465 #or the SSL port of your Secure SMTP server if you use another service.
Save this file in the same folder as the stunnel exe under the name stunnel.conf

Open a windows command window and switch to the folder where stunnel has been placed.
Execute the following command to launch stunnel as a Windows service (you will hence be able to stop or manage it using the standard windows console for services):
stunnelexecutablename -install

stunnelexecutablename will be something like stunnel-4.07 (depends on the version you download, 4.07 is the current stable version)

Now you will observe a new icon (something like a network folder) in the right taskbar and if you double click on the icon, you will be able to open the log window (nothing very interesting will be visible for now). If you have made an error in the configuration file, stunnel will refuse to be launched. In this case check the syntax (comparing with the above one) and the ports numbers of your service.

Now we can configure the mail client.

B/ Setting the mail client.

I will assume that you have two kinds of POP accounts, one normal (toto@myserver.com) and one secured (toto2@gmail.com).
I will also assume that your SPAM filter uses the port 120 (like SPAMILATOR) if not, adapt the following instructions.

Configuring the normal POP account.

Server: localhost Port: 120 (for spamilator, adapt it for the port listened by your filter)
username: pop.myserver.com&toto  (this is the format used by SPAMI, if your filter expects another scheme please adapt it)

Configuring the secure POP account
Server: localhost Port: 120 (for spamilator, adapt it for the port listened by your filter)
username: localhost&toto2&11110 

(this is the format used by SPAMILATOR, if your filter expects another scheme please adapt it - the last element is the port number that will be listened to by STUNNEL - and also by AVAST, see below - in order to be converted to an SSL flow toward pop.gmail.com, as specified in stunnel.conf)

Setting the secure SMTP for GMail:

Server: localhost  Port: 11025  (the port listened by STunnel and  by AVAST -see below)
User name: toto2

The setting of the normal SMTP is... normal.

We have a last configuration to do.

C/ Setting Avast.ini

As you probably know, this file sits in avastfolder\data subfolder.
You open it in the Notepad and locate and edit (and complete) the following section (leave the rest of the settings as such, I only give here the settings that you should modify; we will just add the ports to listen on and the listening of these ports on the localhost - IgnoreLocalhost=0):
Code:
[MailScanner]
PopRedirectPort=110,1110,1120,11110
SmtpRedirectPort=25,215,225,1025,11025
IgnoreLocalhost=0
AutoRedirect=1
You save this file and you must now be able to check all your accounts (the first time your mail client will ask you your passwords for the secure connections).

Tell me if this is understandable and if it works for you.

Good luck.

Murat
« Last Edit: January 15, 2005, 03:19:21 PM by yildi »
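
Added example (not part of yildi's post or of any tool mentioned in this thread): a small Python check of the relationship the FAQ above depends on, namely that every port Stunnel accepts on also appears in avast!'s PopRedirectPort/SmtpRedirectPort lists and that IgnoreLocalhost is 0. Both sample files are constructed, and the function names are this example's own.

```python
import configparser
import re

# Constructed sample files (not copied from a real machine). The SMTP accept
# port carries a one-digit typo, 10025 instead of 11025, so the check has
# something to report.
STUNNEL_CONF = """\
client=yes

[gmail-pop3s]
accept=127.0.0.1:11110
connect=pop.gmail.com:995

[gmail-smtps]
accept=localhost:10025
connect=smtp.gmail.com:465
"""

AVAST_INI = """\
[MailScanner]
PopRedirectPort=110,1110,1120,11110
SmtpRedirectPort=25,215,225,1025,11025
IgnoreLocalhost=0
AutoRedirect=1
"""


def stunnel_accept_ports(conf_text):
    """Map each [service] name to the local port on its accept= line."""
    ports, service = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            service = line[1:-1]
        match = re.match(r"accept\s*=\s*(?:.*:)?(\d+)\s*$", line)
        if match and service:
            ports[service] = int(match.group(1))
    return ports


def check_chain(stunnel_text, avast_text):
    """Return findings where avast!'s settings do not cover Stunnel's listeners."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(avast_text)
    scanner = ini["MailScanner"] if ini.has_section("MailScanner") else {}

    # Collect every port avast! has been told to intercept.
    redirected = set()
    for key in ("PopRedirectPort", "SmtpRedirectPort"):
        value = scanner.get(key, "")
        redirected.update(int(p) for p in value.split(",") if p.strip().isdigit())

    findings = []
    if scanner.get("IgnoreLocalhost", "").strip() != "0":
        findings.append("IgnoreLocalhost is not 0 (the FAQ sets IgnoreLocalhost=0)")
    for service, port in sorted(stunnel_accept_ports(stunnel_text).items()):
        if port not in redirected:
            findings.append(f"{service}: accept port {port} is not in any RedirectPort list")
    return findings


if __name__ == "__main__":
    for finding in check_chain(STUNNEL_CONF, AVAST_INI):
        print(finding)
```
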

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Secure Mail Server Issues
« Reply #47 on: January 15, 2005, 03:52:35 PM »
I'm troubleshooting this... It'll take some time...  8)

Continuing...
« Last Edit: January 15, 2005, 06:30:54 PM by Technical »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Secure Mail Server Issues
« Reply #48 on: January 26, 2005, 01:58:04 AM »
I'll give up...  :(
Maybe in March I'll take it up again  :-[
It does not work for me... I can't login into GMail...

ling2

  • Guest
Re: Secure Mail Server Issues
« Reply #49 on: February 22, 2005, 03:50:10 AM »
Hello!

Yildi's FAQ is a very good reference for me and those who want to use Stunnel to connect to secure POP/IMAP/SMTP servers. Without it, I couldn't have set up my computer to do that. Thank you very much, yildi! Yildi's config, however, didn't work for me very well, and I needed to change a few things in the config. I think the changes I'd made might help some people to troubleshoot.
Added: I manually set up the email protection when I wrote this. This configuration can only work for those who manually set it up. If you use avast!4.6 or newer on Windows XP (probably on Win NT, 2000, or 2003 as well), you can't manually set it up any more. I guess if you use on Win 95, 98, or Me, you still can or need to manually set it up.

(1) In the stunnel.conf
(A) It seems like in the stunnel.conf, to comment a line out, you can use "#" or ";" only at its beginning. Therefore you should remove yildi's comments "#or the SSL port of your Secure POP/SMTP server if you use another service." or move them to a newly created next line.

(B) Added: If you use the TLS connection, you need to add "protocol = smtp" for the SMTP/TLS connection, and "protocol = pop3" for the POP/TLS connection.
I added "protocol = smtp" like:
Added: e.g. As Gmail's secure POP connection is the SMTP/TLS connection, you need to define the protocol for the connection as SMTP like this:
Code:
[gmail-smtps]
protocol = smtp
accept = localhost:11025
connect = smtp.gmail.com:587
Currently Google Help says the secure SMTP port is 587. I don't think you should add "protocol = pop3" for the secure POP connection. When I tried doing that, I could log in but couldn't retrieve new e-mails from my POP server.
Added: If you use the SSL connection, you shouldn't define the protocol.
e.g. As Gmail uses the POP/SSL connection, you shouldn't add the definition "protocol = pop3" for the Gmail POP connection.

Code:
[gmail-pop3s]
accept = 127.0.0.1:11110
connect = pop.gmail.com:995

(2) In the avast.ini
I think that in Pop/Smtp/ImapRedirectPort you should put only the ports where you want avast! to scan emails. For example, if you want emails to go through your email client, Spamihilator, avast!, and Stunnel or directly your remote mail server in this order, you should set in Pop/Smtp/ImapRedirectPort only the ports you use between Spamihilator and avast!. The RedirectPorts are those where avast! scans emails, not those where the servers avast! connects listen. Therefore basically you should set in Pop/Smtp/ImapRedirectPort only the ports where avast! listens, which are the same as you've set in Pop/Smtp/ImapListen.

If those above don't help you fix your problem in the email connection, you should try out the following, too.

(3) In the avast.ini again
You shouldn't set any value for IgnoreLocalhost. Remove the item or leave its value blank.


(4) In your email client's settings
If you don't set any value for IgnoreLocalhost in the avast.ini, you need to set in your email client's settings Spamihilator's, avast!'s, and Stunnel's locations and ports where they listen, for the secure connection, and Spamihilator's, avast!'s, and your POP/SMTP/IMAP servers' locations and ports where they listen, for the normal connection. For example, if you access your email client, Spamihilator, avast!, Stunnel, and your remote mail server in this order to connect the secure server, you should set in your email client the following:
mail server
127.0.0.1
(Sure you can set "localhost" for this as yildi does, too. This is Spamihilator's location.)
mail server's port
the port where Spamihilator listens
username
127.0.0.1&username#127.0.0.1:the port where Stunnel listens&the port where avast! listens
(The first "127.0.0.1" is avast!'s location. The second 127.0.0.1 is Stunnel's location.  "Mail server&username&port" is the format Spamihilator requires. "Username#mail server:port" is the format avast! requires.)

As I don't use Spamihilator, the settings in my email client are less complicated than what I've shown in (4), but all above are the changes I made. I hope the setting example in (4) will work fine for those who use Spamihilator. Wish you luck!

Added: If this configuration doesn't work, you should set the value of "IgnoreLocalhost" as 0 in the avast.ini file. Because you've manually defined what ports avast! should listen on and scan, avast! can scan what it has to without the setting "IgnoreLocalhost = 1".

PS: I posted this just before I updated avast! to 4.6. The information in this post can be applied to avast!4.5, not to avast!4.6. To see my rough explanation about the configuration for avast!4.6, go to http://forum.avast.com/index.php?topic=8775.msg96725#msg96725.
I'm sorry for this mess.

« Last Edit: February 22, 2005, 10:26:38 PM by ling2 »

sded

  • Guest
Re: Secure Mail Server Issues
« Reply #50 on: February 22, 2005, 05:12:01 AM »
Couple of observations.
1) If I set IgnoreLocalHost to blank, my incoming mail no longer gets scanned by Avast! (verification message goes away).
2) I am able to send mail through Stunnel using smtp to port 587, but when I try to scan it in Avast! along the way I get a "server is not RFC2487 compliant" error message in Stunnel and don't understand why.
Maybe I'll look at it some more tomorrow.

sded

  • Guest
Re: Secure Mail Server Issues
« Reply #51 on: February 22, 2005, 05:20:37 AM »
BTW, I am not using gmail but an ISP smtp server that uses port 25 for TLS secure smtp.

sded

  • Guest
Re: Secure Mail Server Issues
« Reply #52 on: February 22, 2005, 05:45:07 AM »
S---!  Problem was a typo.  I put in 10025 instead of 11025.  If I enter 127.0.0.1 and 11025 into the client (Thunderbird), tell Avast! to watch 11025, Stunnel to watch 25 and connect to 587 all works.  But still need IgnoreLocalHost=0 .  Thanks for letting us know about 587; 465 didn't work for me.  So now a FAQ for doing secure scanning with Stunnel for both POP3 and SMTP.

ling2

  • Guest
Re: Secure Mail Server Issues
« Reply #53 on: February 22, 2005, 07:06:34 AM »
My workaround worked fine with avast!4.5. I've just updated avast! to 4.6 and found a few things changed.

[1] Avast! 4.6 doesn't seem to accept the setting in your mail client such as "username#mailserver:port". Therefore (3) and (4) in my workaround posted above don't work any more. (2) has to be revised, too. (Refer to the information below [2].)

[2] In Resident task settings for Internet Mail in avast!4.6 you can set redirect ports and decide if avast! should ignore local communication or not. (Up to avast!4.5, you had to open the avast.ini file and set the values for Pop/Smtp/ImapRedirectPort and IgnoreLocalhost if you wanted to set them.) In the Redirect tab in Resident task settings for Internet Mail, you should uncheck "Ignore local communication" and set up the redirected ports. When you do that, the values will be written in the avast.ini file.
I think, if you get your email to go through your mail client, Spamihilator, avast!, Stunnel, and your remote mail server in this order, you need to set as the redirected port the port where Stunnel listens. If you get your email to go through your mail client, Spamihilator, avast!, and your remote mail server in this order, you need to set as the redirected port the port where your remote mail server listens, that is, your mail server's port.

[3] In avast!4.6 the default listen ports seem to be 12110 for POP, 12025 for SMTP, 12143 for IMAP, and 12119 for NNTP, or the standard ports for all protocols (110 for POP, 25 for SMTP, 143 for IMAP, 119 for NNTP). You might change them in the avast.ini file if you need to. You can't manipulate these values through Resident task settings. If you set up the listen ports before updating to avast!4.6, the ports you've set seem not to be changed in updating. (But the listen port for NNTP was never set before, so it was set as 12119 when I updated avast! and restarted my computer.)

I have to change my settings now because I've used "username#mailserver:port" style settings. Anyway, you need to set 0 as the value for "IgnoreLocalhost" in avast!4.6, I believe.

I will post a better explanation later.
« Last Edit: February 22, 2005, 10:42:07 AM by ling2 »

ling2

  • Guest
Re: Secure Mail Server Issues
« Reply #54 on: February 22, 2005, 07:47:26 AM »
Quote from: sded
BTW, I am not using gmail but an ISP smtp server that uses port 25 for TLS secure smtp.
S---!  Problem was a typo.  I put in 10025 instead of 11025.  If I enter 127.0.0.1 and 11025 into the client (Thunderbird), tell Avast! to watch 11025, Stunnel to watch 25 and connect to 587 all works.  But still need IgnoreLocalHost=0 .  Thanks for letting us know about 587; 465 didn't work for me.  So now a FAQ for doing secure scanning with Stunnel for both POP3 and SMTP.
As I wrote in the previous post, you need "IgnoreLocalhost=0" in the avast.ini file. (Only when you want to manually set up your email protection in avast!4.5 or under, you need to set the value of "IgnoreLocalhost" as 0.)

In avast!4.6 you can uncheck "Ignore local communication" in Resident task settings for Internet Mail, which sets the value for IgnoreLocalhost as 0.

If you don't use Gmail and your ISP's SMTP server listens on (=use) the port 25, you can't and shouldn't use the port 587. You should write in the stunnel.conf file like this:
Code:
[yourISP-smtps]
protocol = smtp
accept = localhost:11025
connect = yourISP'sSMTPservername:25
Please don't use the port 587 in any setting.

465 is the default port for the SMTP/SSL connection, but some services use other ports for the connection.

When you use the SMTP/TLS connection,  you need to put "protocol = smtp" in the stunnel.conf file. When you use the SMTP/SSL connection, you shouldn't.

(I guess when you use the POP/TLS connection, you need to put "protocol = pop3" in the stunnel.conf file, and that when you use the POP/SSL connection, you shouldn't, as well.)

According to you, your ISP uses the SMTP/TLS connection as does Gmail. As another example, AOL uses SMTP/SSL connection. (If you need the information on AOL's IMAP/SMTP SSL support, go to http://journals.aol.com/adamkb/blog/entries/386.)
« Last Edit: February 22, 2005, 11:29:03 AM by ling2 »

sded

  • Guest
Re: Secure Mail Server Issues
« Reply #55 on: February 22, 2005, 03:11:59 PM »
Convention seems to follow Outlook Express for many US ISPs.  Haven't used AOL.  POP3 mail is SSL on port 995, SMTP is TLS on port 25, which OE calls SSL.  If you use Thunderbird, you need to indicate TLS not SSL for SMTP to work.  SMTP works for my ISP with either 25 or 587 as the port in stunnel.conf.  Now using

# We're running as a client to SSLify the POP/SMTP connections
client=yes

# POP3 service, listens on localhost:11110
[xxxx-pop3s]
accept=localhost:11110
connect=mail.xxxx.com:995

# SMTP service, listens on localhost:11025
[xxxx-smtps]
protocol=smtp
accept=localhost:11025
connect=smtp.xxxx.com:25

With 11110 and 11025 the ports in Thunderbird (servers 127.0.0.1) and the redirect ports in Avast!   Never need to go to Avast.ini in 4.6. 

ling2

  • Guest
Re: Secure Mail Server Issues
« Reply #56 on: February 22, 2005, 10:46:01 PM »
Sded, thank you for summing up by using your conditions as an example. You've provided other useful information, too:

Outlook Express doesn't distinguish SSL from TLS in its settings. (You don't have to define the type of the secure connection you use.)
Thunderbird distinguishes SSL from TLS in its settings.
Stunnel distinguishes SSL from TLS in the stunnel.conf file.

As I said in my previous posts, if you use Stunnel, you need to define "protocol" for the TLS connection, but shouldn't for the SSL connection in the stunnel.conf file.

ling2

  • Guest
How to handle the secure connection with a SPAM filter and avast!
« Reply #57 on: February 23, 2005, 05:51:41 AM »
I think that on the update to avast!4.6 we need to revise yildi's FAQ on how to handle the secure connection with a SPAM filtering application and avast!'s email protection. I'll draft the revised FAQ here. This FAQ sure is based on yildi's FAQ. I'll just add some new information to his and reorganize it. Thank you for providing useful information, yildi!

How to handle the SSL or TLS connection with a SPAM filter and avast!
This FAQ will be useful for those who want to use the email client, the SPAM filter, avast!, and Stunnel in this order for the secure connection.

For Windows NT, 2000, XP, and 2003 users

A. Installing and preparing Stunnel
Download OpenSSL for Windows from http://www.slproweb.com/products/Win32OpenSSL.html and install it.

Download Stunnel for Windows from http://www.stunnel.org/download/binaries.html. You need to download Stunnel that can work with the version of OpenSSL you've just installed.

Stunnel you've downloaded is not an installer but the Stunnel application itself, and you can place it in any specific folder (e.g. in C:\stunnel).

In the folder where you have copied Stunnel, you will create its configuration file. Launch Notepad and type the following (adapt it if necessary) in the blank document:
Code:
; have Stunnel work as a client (not as a server)
client=yes

; POP3 service, listens on localhost:11110
[gmail-pop3s]
accept=127.0.0.1:11110
connect=pop.gmail.com:995
; or your secure POP server's name and port

; SMTP service, listens on localhost:11025
[gmail-smtps]
protocol=smtp
accept=localhost:11025
connect=smtp.gmail.com:587
; or your secure SMTP server's name and port

If you use the TLS connection, you need to define the protocol that is used in the connection. If you use the SSL connection, you shouldn't. For example, Gmail uses the SSL connection on the POP server. Therefore you shouldn't add "protocol=pop3" in the configuration file like in the code above. On the other hand, Gmail uses the TLS connection on the SMTP server. Therefore you need to add "protocol=smtp" like in the code above.
Warning to IMAP account holders: Whatever kind of secure IMAP account you have, you don't have to define the protocol. Although you can use the IMAP connection with Stunnel, "imap4" or "imap" as a value of "protocol" isn't defined in Stunnel. I guess it doesn't need to be defined.

Save this file under the name of stunnel.conf in the same folder as you've copied Stunnel in.

Open Command Prompt. (To do that, from the Start menu go to "Run", and type cmd on Windows NT, 2000, XP, and 2003, or command on Windows 9x or Me.) In Command Prompt switch to the folder where Stunnel has been placed. (To do that, type cd c:\stunnel and hit Enter if you've placed Stunnel in C:\stunnel.) In Command Prompt type stunnelfilename.exe -install and hit Enter. ("Stunnelfilename.exe" will be something like stunnel-4.07.exe, which is the file name of Stunnel you have on your hard drive. It depends on the version of Stunnel you've downloaded. 4.07 is the most recent stable version currently.) By doing that, you can launch Stunnel as a Windows service. Hence, Stunnel will start up whenever you start Windows, and you will be able to stop or manage it using the standard Windows console for services.

Now you will observe a new icon (something like a network folder) in the task bar and if you double-click on the icon, you will be able to open the log window (nothing very interesting will be visible for now). If you have made an error in the configuration file, stunnel will refuse to be launched. In this case check the syntax (comparing yours with the code above) and the port numbers of your remote mail servers.

B. Setting the mail client
I will assume that you have two kinds of POP accounts, one normal account (toto@myserver.com) and one secure account (toto2@gmail.com).
I will also assume that your SPAM filter uses the port 120 (like Spamihilator). If not, adapt the following instructions.
Warning to Gmail users: For a Gmail username in the mail client settings, you should set something like toto2@gmail.com, not like "toto2". (It can also work, though.) Although I'll use "toto2" for a Gmail username in the following instructions because I don't want those who use other services to get confused, Gmail Help says "@gmail.com" should be included in a Gmail username.

Configure the normal POP account like this:
  • server: localhost
  • port: 120 (This port number is for Spamihilator. Adapt it for the port listened by your SPAM filter.)
  • username: pop.myserver.com&toto  (This is the format used by Spamihilator. If your SPAM filter expects another scheme, please adapt it.)

Configure the secure POP account like this:
  • server: localhost
  • port: 120 (This port number is for Spamihilator. Adapt it for the port listened by your SPAM filter.)
  • username: localhost&toto2&11110 (This is the format used by Spamihilator. If your SPAM filter expects another scheme, please adapt it. The last element is the port number that will be listened by Stunnel.)

Configure the secure SMTP access like this:
  • server: localhost
  • port: 11025  (the port listened by Stunnel)
  • username: toto2

The setting for the normal SMTP access is... normal.

C. Setting avast!
Please make sure you use avast!4.6 or later. (To do that, right-click on the avast! tray icon, the ball-shaped icon with "a" on it, and select "About avast!..." then you can see what version you use.) If you don't use avast!4.6 or later, you need to update avast! to 4.6 or later. (To update the program, right-click on the avast! tray icon, and go to "Updating" > "Program Update". When the download and install are done, you need to restart your computer.)

Right-click on the avast! tray icon. Select "On-Access Protection Control". Choose "Internet Mail" from "Installed providers", the pane on the left side of the "avast! On-Access Scanner" window. Click on the "Customize" button on the right side of the window. Click on the "Redirect" tab. First uncheck "Ignore local communication" in the tab. Then put in "Redirected ports" both port numbers where Stunnel listens and where your remote non-secure mail server listens.

e.g. Let's assume you have one normal POP account whose POP server listens on the port 110 and whose SMTP server listens on the port 25, and one secure POP account whose POP and SMTP servers and the ports where they listen are defined in the stunnel.conf file. In "Redirected ports" you need to put 110 and 11110 for POP, and 25 and 11025 for SMTP.

These port numbers are where you want avast! to scan emails.

If this configuration doesn't work for you...  I'll write about that later here in this post.

For Windows 95, 98, and Me users

Please refer to this post.
« Last Edit: February 25, 2005, 03:44:17 AM by ling2 »
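
Added example (not part of ling2's post and not a Stunnel tool): a Python lint for stunnel.conf that applies the two rules stated in this FAQ and in reply #49, that a comment must start its own line and that "protocol" is set for TLS connections but not for SSL ones. The port-to-connection-type table uses the ports named in the thread and is an assumption of this example; the sample file is constructed.

```python
import re

# Port conventions taken from the thread: 465 and 995 are SSL ports (no
# "protocol" line), 25 and 587 are used for TLS (needs "protocol = smtp").
# Inferring the connection type from the port number is this example's assumption.
SSL_PORTS = {465, 995}
TLS_PORTS = {25: "smtp", 587: "smtp"}

# Constructed sample, not a file from the thread.
SAMPLE_CONF = """\
client=yes

[gmail-pop3s]
accept=127.0.0.1:11110
connect=pop.gmail.com:995 #or the SSL port of your server

[gmail-smtps]
accept=localhost:11025
connect=smtp.gmail.com:587

[other-smtps]
protocol=smtp
accept=localhost:11026
connect=smtp.example.com:465
"""


def parse_services(text):
    """Return ({service: {key: value}}, findings about trailing comments)."""
    services, findings, current = {}, [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # whole-line comments are fine
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        # A "#" or ";" after the value is not treated as a comment start.
        parts = re.split(r"\s+[#;]", value, maxsplit=1)
        if len(parts) == 2:
            findings.append(f"line {number}: comment after the '{key}' value; "
                            "put it on its own line")
            value = parts[0].strip()
        if current is not None:                # global options are not linted
            current[key] = value
    return services, findings


def lint_stunnel_conf(text):
    """Return a list of findings; an empty list means both rules hold."""
    services, findings = parse_services(text)
    for name, options in services.items():
        port = options.get("connect", "").rsplit(":", 1)[-1]
        port = int(port) if port.isdigit() else None
        protocol = options.get("protocol")
        if port in SSL_PORTS and protocol:
            findings.append(f"[{name}]: port {port} is an SSL port; "
                            f"remove 'protocol = {protocol}'")
        elif port in TLS_PORTS and not protocol:
            findings.append(f"[{name}]: port {port} uses TLS; "
                            f"add 'protocol = {TLS_PORTS[port]}'")
    return findings


if __name__ == "__main__":
    for finding in lint_stunnel_conf(SAMPLE_CONF):
        print(finding)
```
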

scaa

  • Guest
Re: Secure Mail Server Issues
« Reply #58 on: February 23, 2005, 02:18:57 PM »
Ling2 has given a very concise and organized way of configuring SSL.
I would like ALWIL to confirm the settings so that these could be done by us.
I am also using gmail but my mails are not being checked by avast 4.6 >:(

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Secure Mail Server Issues
« Reply #59 on: February 23, 2005, 04:43:21 PM »
scaa
Unless you use Outlook (not OE), avast doesn't support SSL.
You therefore have to use Stunnel.