Gnus development mailing list
* IMAP/SSL with gnus
@ 2002-08-07 16:22 Alexander Kotelnikov
  2002-08-07 16:34 ` Simon Josefsson
  0 siblings, 1 reply; 14+ messages in thread
From: Alexander Kotelnikov @ 2002-08-07 16:22 UTC (permalink / raw)


Hello.

How do I force gnus to ask me whether I accept the SSL certificate from the
imap server?

PS Please, Cc: me, I am not subscribed to the list.
-- 
Alexander Kotelnikov
Saint-Petersburg, Russia




* Re: IMAP/SSL with gnus
  2002-08-07 16:22 IMAP/SSL with gnus Alexander Kotelnikov
@ 2002-08-07 16:34 ` Simon Josefsson
  2002-08-07 22:47   ` Alexander Kotelnikov
  0 siblings, 1 reply; 14+ messages in thread
From: Simon Josefsson @ 2002-08-07 16:34 UTC (permalink / raw)
  Cc: ding

Alexander Kotelnikov <sacha@giotto.sj.ru> writes:

> How do I force gnus to ask me whether I accept the SSL certificate from the
> imap server?

Look into ssl.el, in particular `ssl-certificate-verification-policy'.
Interactivity and prompting are poor.  The builtin TLS support would
help.





* Re: IMAP/SSL with gnus
  2002-08-07 16:34 ` Simon Josefsson
@ 2002-08-07 22:47   ` Alexander Kotelnikov
  2002-08-07 23:00     ` Simon Josefsson
  0 siblings, 1 reply; 14+ messages in thread
From: Alexander Kotelnikov @ 2002-08-07 22:47 UTC (permalink / raw)


>>>>> On Wed, 07 Aug 2002 18:34:50 +0200
>>>>> "SJ" == Simon Josefsson <jas@extundo.com> wrote:
SJ> 
SJ> Alexander Kotelnikov <sacha@giotto.sj.ru> writes:
>> How do I force gnus to ask me whether I accept the SSL certificate from the
>> imap server?
SJ> 
SJ> Look into ssl.el, in particular `ssl-certificate-verification-policy'.
SJ> Interactivity and prompting are poor.  The builtin TLS support would
SJ> help.

I have
(imap-ssl-program (quote ("openssl s_client -ssl3 -connect %s:%p")))
(ssl-certificate-verification-policy 3) ; reject on fail
(ssl-program-arguments (quote ("s_client" "-host" host "-port" service "-verify" (int-to-string ssl-certificate-verification-policy) "-CApath" ssl-certificate-directory)))
And gnus does not ask me whether I would like to accept a certificate.
How would TLS help?

-- 
Alexander Kotelnikov
Saint-Petersburg, Russia




* Re: IMAP/SSL with gnus
  2002-08-07 22:47   ` Alexander Kotelnikov
@ 2002-08-07 23:00     ` Simon Josefsson
  2002-08-08 17:16       ` Alexander Kotelnikov
  0 siblings, 1 reply; 14+ messages in thread
From: Simon Josefsson @ 2002-08-07 23:00 UTC (permalink / raw)
  Cc: ding

Alexander Kotelnikov <sacha@giotto.sj.ru> writes:

>>>>>> On Wed, 07 Aug 2002 18:34:50 +0200
>>>>>> "SJ" == Simon Josefsson <jas@extundo.com> wrote:
> SJ> 
> SJ> Alexander Kotelnikov <sacha@giotto.sj.ru> writes:
>>> How do I force gnus to ask me whether I accept the SSL certificate from the
>>> imap server?
> SJ> 
> SJ> Look into ssl.el, in particular `ssl-certificate-verification-policy'.
> SJ> Interactivity and prompting are poor.  The builtin TLS support would
> SJ> help.
>
> I have
> (imap-ssl-program (quote ("openssl s_client -ssl3 -connect %s:%p")))
> (ssl-certificate-verification-policy 3) ; reject on fail
> (ssl-program-arguments (quote ("s_client" "-host" host "-port" service "-verify" (int-to-string ssl-certificate-verification-policy) "-CApath" ssl-certificate-directory)))
> And gnus does not ask me whether I would like to accept a certificate.

Hm, it seems to be unimplemented.  ssl-accept-ca-certificate prompts
the user, but it isn't called from anywhere.

Do you need to be prompted?  Simply installing your CA so that OpenSSL
finds it should be enough, I think.  With "reject on fail", you can't
login unless the server certificate verifies correctly, so it is
almost like a prompt. :-)





* Re: IMAP/SSL with gnus
  2002-08-07 23:00     ` Simon Josefsson
@ 2002-08-08 17:16       ` Alexander Kotelnikov
  2002-08-08 17:53         ` Simon Josefsson
  0 siblings, 1 reply; 14+ messages in thread
From: Alexander Kotelnikov @ 2002-08-08 17:16 UTC (permalink / raw)


>>>>> On Thu, 08 Aug 2002 01:00:07 +0200
>>>>> "SJ" == Simon Josefsson <jas@extundo.com> wrote:
SJ> 
SJ> Alexander Kotelnikov <sacha@giotto.sj.ru> writes:
>>>>>>> On Wed, 07 Aug 2002 18:34:50 +0200
>>>>>>> "SJ" == Simon Josefsson <jas@extundo.com> wrote:
SJ> 
SJ> Alexander Kotelnikov <sacha@giotto.sj.ru> writes:
>>>> How do I force gnus to ask me whether I accept the SSL certificate from the
>>>> imap server?
SJ> 
SJ> Look into ssl.el, in particular `ssl-certificate-verification-policy'.
SJ> Interactivity and prompting are poor.  The builtin TLS support would
SJ> help.
>> 
>> I have
>> (imap-ssl-program (quote ("openssl s_client -ssl3 -connect %s:%p")))
>> (ssl-certificate-verification-policy 3) ; reject on fail
>> (ssl-program-arguments (quote ("s_client" "-host" host "-port" service "-verify" (int-to-string ssl-certificate-verification-policy) "-CApath" ssl-certificate-directory)))
>> And gnus does not ask me whether I would like to accept a certificate.
SJ> 
SJ> Hm, it seems to be unimplemented.  ssl-accept-ca-certificate prompts
SJ> the user, but it isn't called from anywhere.
SJ> 
SJ> Do you need to be prompted?  Simply installing your CA so that OpenSSL
SJ> finds it should be enough, I think.  With "reject on fail", you can't
SJ> login unless the server certificate verifies correctly, so it is
SJ> almost like a prompt. :-)

I do not see any other way to avoid IP spoofing with successive
password grabbing.

Maybe switch to (nnimap-stream shell) with ssh, but it does not work
for me; maybe some tweaking is needed.

-- 
Alexander Kotelnikov
Saint-Petersburg, Russia




* Re: IMAP/SSL with gnus
  2002-08-08 17:16       ` Alexander Kotelnikov
@ 2002-08-08 17:53         ` Simon Josefsson
  2002-08-08 18:03           ` Alexander Kotelnikov
  0 siblings, 1 reply; 14+ messages in thread
From: Simon Josefsson @ 2002-08-08 17:53 UTC (permalink / raw)
  Cc: ding

Alexander Kotelnikov <sacha@giotto.sj.ru> writes:

> SJ> Do you need to be prompted?  Simply installing your CA so that OpenSSL
> SJ> finds it should be enough, I think.  With "reject on fail", you can't
> SJ> login unless the server certificate verifies correctly, so it is
> SJ> almost like a prompt. :-)
>
> I do not see any other way to avoid IP spoofing with successive
> password grabbing.

If the remote cert doesn't validate, you won't send your password.  If
it validates, doesn't this mean you trust the other end, and trust
them to handle your password properly?  I don't see how IP spoofing
can modify this.

> Maybe switch to (nnimap-stream shell) with ssh, but it does not work
> for me; maybe some tweaking is needed.

SSH port forwarding can be recommended.





* Re: IMAP/SSL with gnus
  2002-08-08 17:53         ` Simon Josefsson
@ 2002-08-08 18:03           ` Alexander Kotelnikov
  2002-08-08 19:14             ` Simon Josefsson
  0 siblings, 1 reply; 14+ messages in thread
From: Alexander Kotelnikov @ 2002-08-08 18:03 UTC (permalink / raw)


>>>>> On Thu, 08 Aug 2002 19:53:00 +0200
>>>>> "SJ" == Simon Josefsson <jas@extundo.com> wrote:
SJ> 
SJ> Alexander Kotelnikov <sacha@giotto.sj.ru> writes:
SJ> Do you need to be prompted?  Simply installing your CA so that OpenSSL
SJ> finds it should be enough, I think.  With "reject on fail", you can't
SJ> login unless the server certificate verifies correctly, so it is
SJ> almost like a prompt. :-)
>> 
>> I do not see any other way to avoid IP spoofing with successive
>> password grabbing.
SJ> 
SJ> If the remote cert doesn't validate, you won't send your password.  If
SJ> it validates, doesn't this mean you trust the other end, and trust
SJ> them to handle your password properly?  I don't see how IP spoofing
SJ> can modify this.

Look. Now I do not have any cert on the client side, and the password is
sent and I am authorised :(

SJ> 
>> Maybe switch to (nnimap-stream shell) with ssh, but it does not work
>> for me; maybe some tweaking is needed.
SJ> 
SJ> SSH port forwarding can be recommended.

Is there any working example of configuration?

-- 
Alexander Kotelnikov
Saint-Petersburg, Russia




* Re: IMAP/SSL with gnus
  2002-08-08 18:03           ` Alexander Kotelnikov
@ 2002-08-08 19:14             ` Simon Josefsson
  2002-08-12 18:46               ` Alexander Kotelnikov
  0 siblings, 1 reply; 14+ messages in thread
From: Simon Josefsson @ 2002-08-08 19:14 UTC (permalink / raw)
  Cc: ding

Alexander Kotelnikov <sacha@giotto.sj.ru> writes:

> SJ> If the remote cert doesn't validate, you won't send your password.  If
> SJ> it validates, doesn't this mean you trust the other end, and trust
> SJ> them to handle your password properly?  I don't see how IP spoofing
> SJ> can modify this.
>
> Look. Now I do not have any cert on the client side, and the password is
> sent and I am authorised :(

Ah, but you could install the CA/server cert on the client side.  This
is safer than viewing the certificate each time, as you would need to
remember the public key to really gain any security.

>>> Maybe switch to (nnimap-stream shell) with ssh, but it does not work
>>> for me; maybe some tweaking is needed.
> SJ> 
> SJ> SSH port forwarding can be recommended.
>
> Is there any working example of configuration?

Run this on your client

ssh -L 1430:yourmailserver:143 yxa.extundo.com

and then connect to port 1430 on localhost with Gnus.




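Two of Simon's points in this exchange can be checked outside Gnus: with "reject on fail" the password is only sent once the server certificate verifies, and pinning the CA or server certificate on the client is stronger than eyeballing the certificate on each connection. The following is an added Python example, not code from ssl.el, imap.el or Gnus. It works on constructed excerpts of `openssl s_client` output; the host name, CA path and fingerprint are placeholders. One caveat the example encodes: `openssl s_client -verify N` only sets the chain depth and keeps the session open after a verification error, so the argv builder adds `-verify_return_error`, which makes s_client abort the handshake on such an error. The `-ssl3` from the thread's configuration is omitted, since SSLv3 is obsolete.

```python
import re

# Constructed excerpt of `openssl s_client -verify 3 ...` against a server whose
# chain does not verify.  s_client prints the verdict but keeps the session up,
# so an IMAP client reading this pipe would go on to send LOGIN.
S_CLIENT_FAILED = """\
depth=1 CN = Example Corp Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:CN = imap.example.invalid
   i:CN = Example Corp Root CA
---
Verify return code: 19 (self signed certificate in certificate chain)
---
* OK IMAP4rev1 service ready
"""

# Constructed excerpt for a chain that verifies against the CA installed
# on the client.
S_CLIENT_VERIFIED = """\
depth=0 CN = imap.example.invalid
verify return:1
---
Verify return code: 0 (ok)
---
* OK IMAP4rev1 service ready
"""

# Constructed output of `openssl x509 -noout -fingerprint -sha256 -in server.pem`,
# and a placeholder pinned value that was recorded out of band.
X509_FINGERPRINT_OUTPUT = (
    "SHA256 Fingerprint=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:"
    "0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9"
)
PINNED_FINGERPRINT = (
    "0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:"
    "0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9"
)

VERIFY_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)$", re.MULTILINE)
FINGERPRINT_RE = re.compile(r"^SHA256 Fingerprint=([0-9A-Fa-f:]+)$", re.MULTILINE)


def s_client_argv(host, port, ca_file, depth=3):
    """Build the s_client command a Gnus imap-ssl-program should run.

    In Gnus the host and port are substituted as "%s:%p" as in the thread;
    here they are plain parameters so the list can be inspected directly.
    """
    return ["openssl", "s_client",
            "-connect", f"{host}:{port}",
            "-servername", host,        # SNI, so a shared host presents the right cert
            "-verify", str(depth),      # chain depth, as in the thread's -verify 3
            "-verify_return_error",     # abort on a verification error, do not continue
            "-CAfile", ca_file]         # the CA pinned on the client


def verify_result(s_client_output):
    """Return (code, reason) from s_client's 'Verify return code' line, or None."""
    m = VERIFY_RE.search(s_client_output)
    return (int(m.group(1)), m.group(2)) if m else None


def accept_server(s_client_output, reject_on_fail=True):
    """Apply the thread's policy 3 ("reject on fail") to s_client's verdict.

    No verdict at all (truncated output, wrong tool) counts as failure: fail
    closed, because the alternative is sending a password to an unverified peer.
    """
    result = verify_result(s_client_output)
    if result is None:
        return False
    code, _reason = result
    return code == 0 or not reject_on_fail


def fingerprint_matches(x509_output, pinned):
    """Compare the certificate's SHA-256 fingerprint with a pinned value.

    This is the "remember the public key" step: a person cannot memorise it
    between sessions, but a stored fingerprint can be compared exactly.
    """
    m = FINGERPRINT_RE.search(x509_output)
    return bool(m) and m.group(1).upper() == pinned.upper()
```

The parsing functions are for an out-of-band check of a server before it goes into the Gnus configuration; the argv builder is the form in which the check is enforced on every connection.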

* Re: IMAP/SSL with gnus
  2002-08-08 19:14             ` Simon Josefsson
@ 2002-08-12 18:46               ` Alexander Kotelnikov
  2002-08-12 20:51                 ` Andi Hechtbauer
  2002-08-12 21:13                 ` Simon Josefsson
  0 siblings, 2 replies; 14+ messages in thread
From: Alexander Kotelnikov @ 2002-08-12 18:46 UTC (permalink / raw)


>>>>> On Thu, 08 Aug 2002 21:14:32 +0200
>>>>> "SJ" == Simon Josefsson <jas@extundo.com> wrote:
SJ> 
>>>> Maybe switch to (nnimap-stream shell) with ssh, but it does not work
>>>> for me; maybe some tweaking is needed.
SJ> 
SJ> SSH port forwarding can be recommended.
>> 
>> Is there any working example of configuration?
SJ> 
SJ> Run this on your client
SJ> 
SJ> ssh -L 1430:yourmailserver:143 yxa.extundo.com
SJ> 
SJ> and then connect to port 1430 on localhost with Gnus.

Ah... this approach has some disadvantages:
1. One has to establish the ssh connection before starting gnus
2. gnus is too smart and thinks it is plugged even if you put it into
unplugged mode, when you connect to localhost

So the thing that I really would like to work is (nnimap-stream shell)
with ssh. Is it possible?

-- 
Alexander Kotelnikov
Saint-Petersburg, Russia




* Re: IMAP/SSL with gnus
  2002-08-12 18:46               ` Alexander Kotelnikov
@ 2002-08-12 20:51                 ` Andi Hechtbauer
  2002-08-12 21:14                   ` Simon Josefsson
  2002-08-12 21:13                 ` Simon Josefsson
  1 sibling, 1 reply; 14+ messages in thread
From: Andi Hechtbauer @ 2002-08-12 20:51 UTC (permalink / raw)
  Cc: ding

>>>>> Alexander Kotelnikov writes:
>>>>> On Thu, 08 Aug 2002 21:14:32 +0200
>>>>> "SJ" == Simon Josefsson <jas@extundo.com> wrote:
    SJ>
    >>>>> Maybe switch to (nnimap-stream shell) with ssh, but it
    >>>>> does not work for me; maybe some tweaking is needed.
    SJ>  SSH port forwarding can be recommended.
    >>>  Is there any working example of configuration?

    SJ>  Run this on your client
    SJ> ssh -L 1430:yourmailserver:143 yxa.extundo.com
    SJ> and then connect to port 1430 on localhost with Gnus.

    AK> Ah... this approach has some disadvantages: 1. One has to
    AK> establish the ssh connection before starting gnus 2. gnus is too
    AK> smart and thinks it is plugged even if you put it into
    AK> unplugged mode, when you connect to localhost

    AK> So the thing that I really would like to work is
    AK> (nnimap-stream shell) with ssh. Is it possible?

I think it depends on your imapd on the remote end.  It has to be run
preauthenticated.  I used to use uw imapd, which has this ability,
but wouldn't know how to do it with cyrus, for example; but fortunately
cyrus knows imaps.


(setq imap-shell-program 
 '( "ssh -x -C imap.server.xy /usr/sbin/imapd" ))

and

(setq gnus-secondary-select-methods
      '((nnimap "imap1"
                (nnimap-address "imap.server.xy")
                (nnimap-stream shell)
                (nnimap-list-pattern ("INBOX" "mail/*")))))

was all I had to do to make it work with uw imapd.

HTH,
Andi




* Re: IMAP/SSL with gnus
  2002-08-12 18:46               ` Alexander Kotelnikov
  2002-08-12 20:51                 ` Andi Hechtbauer
@ 2002-08-12 21:13                 ` Simon Josefsson
  2002-08-12 21:45                   ` Alexander Kotelnikov
  1 sibling, 1 reply; 14+ messages in thread
From: Simon Josefsson @ 2002-08-12 21:13 UTC (permalink / raw)
  Cc: ding

Alexander Kotelnikov <sacha@giotto.sj.ru> writes:

> SJ> Run this on your client
> SJ> 
> SJ> ssh -L 1430:yourmailserver:143 yxa.extundo.com
> SJ> 
> SJ> and then connect to port 1430 on localhost with Gnus.
>
> Ah... this approach has some disadvantages:
> 1. One has to establish the ssh connection before starting gnus

You could invoke the command via a hook.

> 2. gnus is too smart and thinks it is plugged even if you put it into
> unplugged mode, when you connect to localhost

This seems strange, why does it do this?  Did you agentize the server
in question?

> So the thing that I really would like to work is (nnimap-stream shell)
> with ssh. Is it possible?

Yes.  Err, what problems did you have?  I tried to add the following
server in the server buffer now and it worked fine (I use non-password
ssh logins):

(nnimap "foo"
	(nnimap-stream shell)
	(imap-shell-program ("ssh MYMAILSERVER telnet localhost 143"))
	(imap-server-eol "\n"))

I committed two minor bug fixes that make it possible to specify a
non-list `imap-shell-program' (undocumented, but nice) and make Gnus
discard initial junk in the network stream (like the telnet greeting),
but it should have worked before too.





* Re: IMAP/SSL with gnus
  2002-08-12 20:51                 ` Andi Hechtbauer
@ 2002-08-12 21:14                   ` Simon Josefsson
  0 siblings, 0 replies; 14+ messages in thread
From: Simon Josefsson @ 2002-08-12 21:14 UTC (permalink / raw)
  Cc: Alexander Kotelnikov, ding

Andi Hechtbauer <anti@spin.de> writes:

> I think it depends on your imapd on the remote end.  It has to be run
> preauthenticated.  I used to use uw imapd, which has this ability,
> but wouldn't know how to do it with cyrus, for example; but fortunately
> cyrus knows imaps.

I use Cyrus and the shell stream worked, Gnus prompted me for a
username/password.





* Re: IMAP/SSL with gnus
  2002-08-12 21:13                 ` Simon Josefsson
@ 2002-08-12 21:45                   ` Alexander Kotelnikov
  2002-08-13  8:37                     ` Simon Josefsson
  0 siblings, 1 reply; 14+ messages in thread
From: Alexander Kotelnikov @ 2002-08-12 21:45 UTC (permalink / raw)


>>>>> On Mon, 12 Aug 2002 23:13:05 +0200
>>>>> "SJ" == Simon Josefsson <jas@extundo.com> wrote:
SJ> 
SJ> Yes.  Err, what problems did you have?  I tried to add the following
SJ> server in the server buffer now and it worked fine (I use non-password
SJ> ssh logins):
SJ> 
SJ> (nnimap "foo"
SJ> 	(nnimap-stream shell)
SJ> 	(imap-shell-program ("ssh MYMAILSERVER telnet localhost 143"))
SJ> 	(imap-server-eol "\n"))
SJ> 
SJ> I committed two minor bug fixes that make it possible to specify a
SJ> non-list `imap-shell-program' (undocumented, but nice) and make Gnus
SJ> discard initial junk in the network stream (like the telnet greeting),
SJ> but it should have worked before too.

The problem I had was that gnus freezes forever on calling ssh.
This was because I have ssh debug prints always enabled, and they
confuse nnimap. Setting imap-shell-command to "ssh -q ..." helps.
-- 
Alexander Kotelnikov
Saint-Petersburg, Russia




* Re: IMAP/SSL with gnus
  2002-08-12 21:45                   ` Alexander Kotelnikov
@ 2002-08-13  8:37                     ` Simon Josefsson
  0 siblings, 0 replies; 14+ messages in thread
From: Simon Josefsson @ 2002-08-13  8:37 UTC (permalink / raw)
  Cc: ding

> The problem I had was that gnus freezes forever on calling ssh. This
> was because I have ssh debug prints always enabled, and they
> confuse nnimap. Setting imap-shell-command to "ssh -q ..." helps.

The fix I added should make it work even without -q now, I think.






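The hang Alexander ran into (ssh debug output and a telnet banner arriving before the IMAP greeting) and the fix Simon describes (discard initial junk in the stream) come down to one piece of logic: skip lines until an untagged IMAP greeting appears, and give up rather than wait forever. The following is an added Python example, not nnimap or imap.el code; the sample stream contents are constructed, and the junk budget is this example's own choice. It also records whether the greeting was `* PREAUTH` or `* OK`, which is the difference between Andi's preauthenticated uw imapd (no password crosses the pipe) and Simon's Cyrus (Gnus prompts for one).

```python
import re

# Untagged greeting per RFC 3501: "* OK", "* PREAUTH" or "* BYE" opens the session.
GREETING_RE = re.compile(r"^\* (OK|PREAUTH|BYE)\b(.*)$")

# Constructed sample: what a shell stream can deliver before the greeting when
# ssh runs without -q and the remote command is "telnet localhost 143".
NOISY_STREAM = (
    "debug1: Reading configuration data /etc/ssh/ssh_config\r\n"
    "debug1: Authentication succeeded (publickey).\r\n"
    "Trying 127.0.0.1...\r\n"
    "Connected to localhost.\r\n"
    "Escape character is '^]'.\r\n"
    "* OK [CAPABILITY IMAP4rev1 STARTTLS] mail.example.invalid ready\r\n"
)

# Constructed sample: a preauthenticated imapd started directly over ssh.
PREAUTH_STREAM = (
    "debug1: Authentication succeeded (publickey).\r\n"
    "* PREAUTH [CAPABILITY IMAP4rev1] alice logged in via ssh\r\n"
)

# Constructed sample: ssh failed, so no greeting ever arrives.
DEAD_STREAM = (
    "debug1: Connecting to mail.example.invalid port 22.\r\n"
    "ssh: connect to host mail.example.invalid port 22: Connection refused\r\n"
)


class NoGreetingError(Exception):
    """The transport produced no IMAP greeting within the allowed junk budget."""


def sync_to_greeting(stream_text, max_junk_lines=32):
    """Skip leading non-IMAP lines; return (status, greeting_line, junk_lines).

    A reader that waits for "* OK" with no limit is what hangs the client when
    the junk never ends.  Bounding the junk (max_junk_lines is this example's
    own parameter) turns a silent hang into a reportable error.
    """
    junk = []
    for line in stream_text.splitlines():
        m = GREETING_RE.match(line)
        if m:
            return m.group(1), line, junk
        junk.append(line)
        if len(junk) >= max_junk_lines:
            raise NoGreetingError(f"no IMAP greeting after {max_junk_lines} lines")
    raise NoGreetingError("stream ended before the IMAP greeting")


def password_will_be_sent(status):
    """Whether the client will have to LOGIN/AUTHENTICATE over this stream.

    PREAUTH: the remote imapd already trusts the ssh login, no IMAP password
    travels through the pipe.  OK: the client will prompt for one.  BYE: the
    server refused us, nothing to decide (None).
    """
    if status == "PREAUTH":
        return False
    if status == "OK":
        return True
    return None


def shell_stream_report(stream_text):
    """Summarise a captured stream prefix without raising, for use in a hook."""
    try:
        status, greeting, junk = sync_to_greeting(stream_text)
    except NoGreetingError as exc:
        return {"status": "ERROR", "reason": str(exc), "junk_lines": None}
    return {
        "status": status,
        "greeting": greeting,
        "junk_lines": len(junk),
        "password_needed": password_will_be_sent(status),
    }


if __name__ == "__main__":
    for name, sample in (("noisy", NOISY_STREAM), ("preauth", PREAUTH_STREAM),
                         ("dead", DEAD_STREAM)):
        print(name, shell_stream_report(sample))
```

Feeding the first few hundred bytes of the `imap-shell-program` pipe through `shell_stream_report` before handing the connection to Gnus shows whether the transport is sane (an `OK` or `PREAUTH` greeting after a finite amount of junk) and whether a password is about to be sent over it.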
