  d_l Barsoom Premium,MVM join:2002-12-08 Reno, NV
reply to jonrkc Re: Mail Changes Coming!
If you understand Linux (I don't), then you might give Stunnel a look see. It acts as a universal SSL wrapper that "can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code".
I've used the Windows Stunnel binaries for years to provide SSL encryption and they have been flawless and transparent.
 jonrkc Premium join:2003-05-19 Kansas City, MO
Thanks, d_l, I'll give stunnel a look.
Meanwhile I posted a plea for help in linuxquestions.org's security forum. I'll probably get some answers, if not a solution.
I found out that the Guarddog people consider SMTP over SSL deprecated. They think SMTP using TSL and port 25 should be used.
Great. I'll have them tell SBCGlobal/ATT/Yahoo that!
  jimkyle Btrieve Guy Premium join:2002-10-20 Oklahoma City, OK
·AT&T Southwest
Try the TLS setting but change the port from 25, before going the stunnel route. I did a bit of research to find out that TLS is actually SSL with a new name. It has some slight extensions over the original SSL, but I'm connecting just fine with TLS on port 465 selected in my mail client!
The TLS over port 25 is more often called STARTTLS...
 jonrkc Premium join:2003-05-19 Kansas City, MO
I tried the port 465 thing with TLS last night and it didn't work, but I'll give it a go again. Maybe I had something set up wrong.
I've been using smtpauth out of port 587 for about two or three years now; however I did get SBCGlobal to unblock my port 25 (big to-do over that issue a couple of years ago, which is when I changed to smtpauth).
If you think of other suggestions, keep them coming! I appreciate your help.
 jonrkc Premium join:2003-05-19 Kansas City, MO
reply to jimkyle "The TLS over port 25 is more often called STARTTLS..."
Hmm! I tried this over port 465 and could not connect, got error message that SBC does not offer STARTTLS in its EHLO response.
Then I tried the option of over "TLS if available," and was able to connect via port 465.
Do you think this will continue to work? I assume what I sent was unencrypted, if TLS actually isn't available, as the error message leads me to believe.
  jimkyle Btrieve Guy Premium join:2002-10-20 Oklahoma City, OK
·AT&T Southwest
Apparently STARTTLS is different from TLS or SSL, but I didn't pay much attention to the specific differences. I think the only way to tell if the "TLS if available" setting will continue to work will be to wait and see. However it's my understanding (which may be quite wrong) that port 465 accepts ONLY the TLS protocol, so I'd expect it to keep working...
 jonrkc Premium join:2003-05-19 Kansas City, MO
"...wait and see. However it's my understanding (which may be quite wrong) that port 465 accepts ONLY the TLS protocol, so I'd expect it to keep working..." That's what I thought at first, too, but then it dawned on me that "TLS if available" working and "TLS" not working probably means that TLS is not available.
Even so, I got connected. But I'll bet there's no encryption involved.
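The difference jonrkc is seeing between Thunderbird's "TLS" and "TLS if available" settings comes down to what the client does when the EHLO reply carries no STARTTLS line. The Python below is an added example, not code from the thread or from Thunderbird: it starts a throwaway SMTP server on localhost that, like the server the thread describes, advertises AUTH but not STARTTLS, then applies both policies against it. The strict policy refuses to go on; the opportunistic one "connects", and anything sent afterwards goes in the clear. The server's replies, the hostname and the policy names are all constructed for this example.

```python
"""Added example: the difference between "TLS" (required) and "TLS if
available" (opportunistic) when the SMTP server's EHLO reply has no STARTTLS.

The server below is a constructed in-process stand-in, not an AT&T/Yahoo
host; it advertises AUTH but not STARTTLS, which is what the thread reports.
"""
import smtplib
import socket
import threading

# Constructed EHLO reply: AUTH is offered, STARTTLS is not.
EHLO_REPLY = b"250-fake.example\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"


def serve_one_session(listener):
    """Speak just enough plaintext SMTP for a single client, then exit."""
    conn, _ = listener.accept()
    listener.close()
    with conn, conn.makefile("rb") as reader:
        conn.sendall(b"220 fake.example ESMTP constructed test server\r\n")
        for line in reader:
            verb = line.split()[0].upper() if line.strip() else b""
            if verb in (b"EHLO", b"HELO"):
                conn.sendall(EHLO_REPLY)
            elif verb == b"STARTTLS":
                conn.sendall(b"454 TLS not available\r\n")
            elif verb == b"QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"250 OK\r\n")


def start_fake_smtp():
    """Bind an ephemeral localhost port, serve one session in the background,
    and return the port number the client should connect to."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=serve_one_session, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]


def connect_with_policy(port, policy):
    """Connect the way a mail client does and apply one of two policies.

    policy == "require":      only continue if STARTTLS is offered.
    policy == "if_available": use STARTTLS if offered, otherwise carry on.
    Returns "encrypted", "refused" or "plaintext".
    """
    client = smtplib.SMTP("127.0.0.1", port, local_hostname="client.example", timeout=5)
    try:
        client.ehlo()
        if client.has_extn("starttls"):
            client.starttls()           # not reached against this server
            return "encrypted"
        if policy == "require":
            return "refused"            # Thunderbird's "TLS": error, nothing sent
        return "plaintext"              # "TLS if available": continues in the clear
    finally:
        try:
            client.quit()
        except smtplib.SMTPException:
            pass


if __name__ == "__main__":
    for policy in ("require", "if_available"):
        print(policy, "->", connect_with_policy(start_fake_smtp(), policy))
```

The point for the thread: "TLS if available" is not a weaker form of encryption, it is a promise to encrypt only when the other side offers it, so a successful connection under that setting tells you nothing about whether the message was protected. Implicit SSL on 465 (and 995 for POP) is a different mechanism, where the TLS handshake happens before any SMTP/POP command, which is why it does not depend on a STARTTLS line at all.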
 GB34
join:2004-12-08 Adrian, MO
reply to manfmmd
Attachments: TB Incoming Settings, TB Outgoing Settings
Sorry I haven't checked in until now. Here are my settings for Incoming and Outgoing Server Settings.
Hope these help. I x'ed out the username portion for obvious reasons. Of course you would need to add your own username in place of the x's
GB34
 sblake
join:2001-03-15 Oklahoma City, OK
Do these instructions apply to those who are still using the swbell.net domain name? I haven't received anything about this
  KC_User
@sbcglobal.net
reply to jonrkc "Even so, I got connected. But I'll bet there's no encryption involved."
I'd like to take that bet. I set up stunnel and dumped the IE certificate store to a file for stunnel, and made a test to the pop port at 995 and the smtp port at 465. Stunnel log shows nice AES encryption at 256 bits. (IP address obfuscated.)
attsmtp accepted connection from 127.0.0.102:2080
attsmtp connected remote server from 76.aaa.bb.ccc:2081
VERIFY OK: depth=1, /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
2007.02.09 18:43:55 LOG5[2152:1672]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
SSL connected: new session negotiated
Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
SSL socket closed on SSL_shutdown
Connection closed: 1316 bytes sent to SSL, 297 bytes sent to socket

attpop accepted connection from 127.0.0.101:2082
attpop connected remote server from 76.aaa.bb.ccc:2083
VERIFY OK: depth=1, /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
2007.02.09 18:44:16 LOG5[2152:1836]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=pop.att.yahoo.com
SSL connected: new session negotiated
Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
SSL_shutdown successfully sent close_notify
Connection closed: 82 bytes sent to SSL, 3425 bytes sent to socket
 jonrkc Premium join:2003-05-19 Kansas City, MO
"I'd like to take that bet. I set up stunnel and dumped the IE certificate store to a file for stunnel, and made a test to the pop port at 995 and the smtp port at 465. Stunnel log shows nice AES encryption at 256 bits. (IP address obfuscated.)"
I wish I could do that. The only utility for Linux that I found, that carries out a function like stunnel, is so complicated to set up that it would take me hours and hours and I still would probably fail.
Too bad ATT/Yahoo are not using TSL. I'll either live without encryption or wait for some miracle to come along, I guess. I seldom send anything earth-shakingly secret in my email anyway. Now I'll have all the more reason not to.
Of course I could make agreements with all my correspondents to use GPG (open-source equivalent of Pretty Good Privacy) to encrypt and decrypt our emails. Not very practical!
  kc_user
@sbcglobal.net
I thought stunnel ran on linux. From what I gathered, linux was the primary system, and a port was made to windows as an afterthought. Don't mistake me as an expert on SSL, but when doing a dump using openssl, I saw some mention of TLS1
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Anyhow, I'll attach the certificates. One shouldn't accept certificates without verification, but here, there is peer review. The ATTpop and ATTsmtp certificates were made as follows. First, the Equifax root certificate was exported in IE by going to tools > internet options > content > certificates > root and selecting the Equifax Secure Certificate Authority. I then exported the certificate in Base64 format. Then, I used the openssl "s_client -connect pop.att.yahoo.com:995" command to retrieve the certificate for the server. Same approach for the smtp server. Then the root certificate and the server certificate were concatenated in the certificate files that are zipped up. I also include a stunnel sample configuration file. I tried stunnel with just the server certificate without the root, no luck. Then I tried the root, and no server certificate, no luck. Needs both.
IP addresses/ports for the accept option were configured to comply with some firewall rules I have. Those could be set to anything you like.
 jonrkc Premium join:2003-05-19 Kansas City, MO
(Sorry about saying TSL earlier instead of TLS. There's enough confusion here already!)
That's interesting that TLS was used in your experiment. It won't work with my setup, at least now it won't.
I didn't find stunnel for Linux yesterday searching, but I may have overlooked it. If its setup is anything like the other utility I found (sorry I can't remember its name), it would be beyond my capability anyway.
I'll keep searching, and if I find anything a non-expert user can install, I'll post about it.
Thanks for all your time and attempts to help me!
  David No,there is another. Premium,VIP join:2002-05-30 Granite City, IL clubs:
·DIRECTV
·magicjack.com
·AT&T Midwest
Sorry for the long reply, I was asked to come over here and get some questions answered...
"So what's up and who's first?" *
*Note: I used to say this when I walked into a pool hall one night with a beer in one hand and a stick in the other!
-- If you have a topic in the direct forum please reply to it or a post of mine, I get a notification when you do this. Koetting Ford, Granite City, illinois... YOU'RE FIRED!!
 jonrkc Premium join:2003-05-19 Kansas City, MO
I don't think I'm first, but I'll jump the line.
I got SMTP encrypted y'day using stunnel and NO authentication preference in Thunderbird (no TSL, no SSL). Today I get POP3 encrypted--but not SMTP, no matter what I've tried. I don't see anything changed, though I've changed a lot during more than two hours of experiments today.
If I knew how to wrangle IPTables I could probably force encrypted SSL, but they are beyond me; I use Guarddog interface for managing the firewall. And it will not allow SMTP over SSL, considering it a deprecated mode. It will allow over TLS, but AT&T presumably doesn't (I get message that it doesn't connect via TLS).
So. I didn't intend to turn this into a one-issue (Linux) thread. I know others are having problems even though using Windows, and some have solved all their problems, and some haven't...
  David No,there is another. Premium,VIP join:2002-05-30 Granite City, IL clubs:
·DIRECTV
·magicjack.com
·AT&T Midwest
So if I read this correct you are having a problem with the encryption? or no? I admit I am no e-mail guru (have a hard enough time checking mine sometimes!)
I can get some questions answered if that makes sense or at least point in the right direction..
 jonrkc Premium join:2003-05-19 Kansas City, MO
Yes, I had encryption using the stunnel utility recommended above in the thread, yesterday, on SMTP. I don't think I had it on POP3. Anyway, today I have it on POP3 but not on SMTP, and I've tried virtually every combination of port numbers and of SSL, TLS, TLS if available, and "None" for authentication. Yesterday encryption via stunnel worked with "TLS if available," which is the same as "None" in this case since AT&T doesn't offer TLS.
Frankly so tired of thinking about it right now I need to do something else--esp. since I'm trying to fix major computer problems unrelated to that, such as computer not booting because of apparently corrupted kernel. Finally went back to a prior version and it worked fine. How that happened, I don't know....
All day wasted on these things. Thanks for your willingness to help; I'll try to provide more useful information tomorrow or whenever I possibly can. I've also had some private message help from a forum member. Since my problem is very specific it probably really doesn't belong in this thread and private messages are more appropriate--unless I started my own thread... Oh, well. Thanks.
  dleehend Howdy Premium join:2002-03-11 Jasper, TX
·AT&T DSL Service
reply to David beach boy,
Is everyone going to have to change mail servers?
I am still on the sbcglobal.net servers and have not received any message about the need for changes.
Actually, I never even "officially" did the change to sbc/yahoo. -- Live carefully today! Tonight you may answer for your actions.
 jonrkc Premium join:2003-05-19 Kansas City, MO
All right, I hope this will be my last post in this thread as I feel I've overused it, and I'm sorry if I have.
Today I finally just disabled Guarddog (iptables graphic interface for management) and reinstalled iptables, but then all my ports were still stealthed. So as a last resort I uninstalled iptables, too, rebooted, and now I can communicate with SMTP using port 465 and SSL. And I was already able to use port 995 for POP3.
I have no sure way to tell if messages are being encrypted, but I guess they are, otherwise those changes mandated by AT&T (which I haven't received in email yet, either!) would not have been spelled out.
One thing that puzzles me is that all my ports are still shown as closed--three of them stealthed apparently by AT&T--but now I have no iptables, and hence no firewall.
Ubuntu Linux is shipped with all ports closed by default for safety, but I figured getting rid of iptables, the firewall mechanism for Ubuntu, would change that. I'm glad it didn't, but puzzled.
Finally, can somebody suggest a surefire way to tell if communications are encrypted, and encrypted in both directions? That would be useful to Windows, Mac, Linux, and all other OS users in this situation.
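jonrkc asks for a sure way to tell that traffic is encrypted in both directions. With stunnel in the path, the log KC_User posted earlier already holds the evidence: a VERIFY OK at depth=0 naming the host you meant to reach, an "SSL connected" line, the negotiated cipher, and a close line counting bytes each way ("sent to SSL" is what the local client pushed into the tunnel, "sent to socket" is what came back out of it). The Python below is an added example, not code from the thread or from stunnel: it parses such a log and returns a per-session verdict. The sample lines are constructed to match the shape of the posted log (timestamps and thread ids are made up to fit), and the third session is invented to show what a verification failure looks like to the checker. Two caveats a practitioner would add: the "SSLv3" in the cipher line is OpenSSL's description of the suite (the protocol version it was first defined for), not the negotiated version, which KC_User's openssl s_client dump reports as TLSv1; and AES256-SHA over TLS 1.0 was acceptable in 2007 but is not something to accept today.

```python
"""Added example: decide from stunnel's log whether a session was really
encrypted, certificate-verified, and carried data in both directions.

The sample lines are constructed from the shape of the log KC_User posted
(timestamps and thread ids are made up to match); the third session is
invented to show what a failed verification looks like to the checker.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2007.02.09 18:43:55 LOG5[2152:1672]: attsmtp accepted connection from 127.0.0.102:2080
2007.02.09 18:43:55 LOG5[2152:1672]: attsmtp connected remote server from 76.aaa.bb.ccc:2081
2007.02.09 18:43:55 LOG5[2152:1672]: VERIFY OK: depth=1, /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
2007.02.09 18:43:55 LOG5[2152:1672]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=smtp.att.yahoo.com
2007.02.09 18:43:55 LOG5[2152:1672]: SSL connected: new session negotiated
2007.02.09 18:43:55 LOG5[2152:1672]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2007.02.09 18:43:56 LOG5[2152:1672]: Connection closed: 1316 bytes sent to SSL, 297 bytes sent to socket
2007.02.09 18:44:16 LOG5[2152:1836]: attpop accepted connection from 127.0.0.101:2082
2007.02.09 18:44:16 LOG5[2152:1836]: attpop connected remote server from 76.aaa.bb.ccc:2083
2007.02.09 18:44:16 LOG5[2152:1836]: VERIFY OK: depth=1, /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
2007.02.09 18:44:16 LOG5[2152:1836]: VERIFY OK: depth=0, /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo/CN=pop.att.yahoo.com
2007.02.09 18:44:16 LOG5[2152:1836]: SSL connected: new session negotiated
2007.02.09 18:44:16 LOG5[2152:1836]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2007.02.09 18:44:17 LOG5[2152:1836]: Connection closed: 82 bytes sent to SSL, 3425 bytes sent to socket
2007.02.09 18:45:01 LOG5[2152:1900]: attpop accepted connection from 127.0.0.101:2090
2007.02.09 18:45:01 LOG5[2152:1900]: attpop connected remote server from 76.aaa.bb.ccc:2091
2007.02.09 18:45:01 LOG5[2152:1900]: VERIFY ERROR: depth=0, error=self signed certificate, /CN=pop.att.yahoo.com
2007.02.09 18:45:01 LOG5[2152:1900]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
"""

# Log line shape: "<date> <time> LOG<level>[pid:thread]: <message>"
LINE_RE = re.compile(r"^\S+ \S+ LOG\d\[(?P<sid>[^\]]+)\]: (?P<msg>.*)$")
DEPTH0_RE = re.compile(r"VERIFY OK: depth=0, .*?/CN=(?P<cn>[^/\s]+)")
CIPHER_RE = re.compile(r"Negotiated ciphers: (?P<cipher>\S+)")
CLOSED_RE = re.compile(
    r"Connection closed: (?P<to_ssl>\d+) bytes sent to SSL, (?P<to_socket>\d+) bytes sent to socket")


def new_session():
    return {"service": None, "verified_cn": None, "tls_up": False,
            "cipher": None, "to_ssl": None, "to_socket": None, "errors": []}


def parse_sessions(lines):
    """Group log lines by stunnel's [pid:thread] id and pull out the facts
    the verdict needs. Lines that do not match the log format are skipped."""
    sessions = defaultdict(new_session)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m["sid"]], m["msg"]
        if " accepted connection from " in msg:
            s["service"] = msg.split()[0]
        elif msg.startswith("VERIFY ERROR"):
            s["errors"].append(msg)
        elif DEPTH0_RE.match(msg):
            s["verified_cn"] = DEPTH0_RE.match(msg)["cn"]
        elif msg.startswith("SSL connected"):
            s["tls_up"] = True
        elif CIPHER_RE.match(msg):
            s["cipher"] = CIPHER_RE.match(msg)["cipher"]
        elif CLOSED_RE.match(msg):
            c = CLOSED_RE.match(msg)
            s["to_ssl"], s["to_socket"] = int(c["to_ssl"]), int(c["to_socket"])
    return sessions


def verdict(session, expected_cn):
    """Return (ok, reason). ok is True only when the handshake completed, the
    leaf certificate verified and names the host we meant to reach, and
    application data crossed the TLS socket in both directions."""
    if session["errors"]:
        return False, "certificate verification failed: " + session["errors"][0]
    if not session["tls_up"]:
        return False, "no TLS session was negotiated"
    if session["verified_cn"] != expected_cn:
        return False, "leaf certificate is for %r, not %r" % (session["verified_cn"], expected_cn)
    if not session["to_ssl"] or not session["to_socket"]:
        return False, "no data crossed the tunnel in both directions"
    return True, "%s: %s, %d bytes out, %d bytes in" % (
        session["service"], session["cipher"], session["to_ssl"], session["to_socket"])


if __name__ == "__main__":
    for sid, sess in parse_sessions(SAMPLE_LOG.splitlines()).items():
        expected = "smtp.att.yahoo.com" if sess["service"] == "attsmtp" else "pop.att.yahoo.com"
        print(sid, verdict(sess, expected))
```

Without stunnel in the path (a client talking SSL directly on 465/995) there is no such log to read; there the equivalent checks are that the client is set to SSL rather than "TLS if available", that it shows no certificate warning for the expected hostname, and that a packet capture of the session contains only TLS records after the TCP handshake.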
  manfmmd Premium join:2003-01-14 Earth clubs:
Since we are in essence demanding an SSL connection via the EMail application, I don't believe that it can communicate unencrypted since there are no fallback settings. -- huh? | AIM | Speaker Pelosi?!?...OH THE HUMANITY!