0000886: POP3-SSL not WORK

(0001267)
peter-endian (administrator)
2008-06-03 10:21

please read http://kb.endian.com/entry/25/ [^]

(0003306)
aender (reporter)
2009-11-17 09:26

The KB entry is only a solution for clients that are every time at green.

But if i have a notebook which is at green for working in the office and sometimes on the road or at home this solution is a no go. Why? Because every time the user is outside the office he has to change the settings at the mail client and change it back if he is back to the office.

So please make it possible to select POP3 and POP3 over SSL Ports (110, 995) for filtering in the gui.

Or can you post a workaround where we can change a config file for this?

(0003309)
peter-endian (administrator)
2009-11-17 16:10

ssl for the communication from client to transparent proxy is not implemented in p3scan, so that's simply not possible right now.

same problem however on using transparent smtp proxy with a configured smtp server which requires authentication

(0003310)
aender (reporter)
2009-11-17 16:16

OK.

Found a way to disable POP3 SSL (Port 995) in POP3 Proxy

Edit file /etc/firewall/proxies/p3scan.conf.tmpl.org and remark or delete the line with the rule for redirecting pop3s to p3scan.

So it should be possible to implement this in the gui to enable or disable port 995 or 110 at the pop3 proxy settings.

(0003311)
peter-endian (administrator)
2009-11-17 17:12
edited on: 2009-11-17 17:13

well, ok. disabling is possible.
pop3s is then however not passing at all through the pop proxy.

i mean, it goes directly then, without being proxied

(0003312)
aender (reporter)
2009-11-17 17:20

thats ok. so it would be a nice feature to select which ports/protocols would be filtered by the proxy.

however. "real" pop3s filtering is not possible in a correct way. in my opinion all manufactor who are telling that they can filter ssl traffic would do something like a man-in-the-middle-attack.

(0003502)
jasonwalls (reporter)
2009-12-02 13:28

+1

I'd also like the option to disable the proxy for SSL traffic only.

(0003819)
boccardi (reporter)
2010-02-19 09:04

Buongiorno, sarebbe possibile aggiungere il check da spuntare nella pagina del proxy POP3 per disabilitare la redirezione della porta 995 (pop3s) ?

Io utilizzo il pacchetto Stunnel per fare da proxy SMTPS IMAPS e POP3S e lo uso anche per collegarmi al nostro Endian dalla nostra Intranet.

Ecco un esempio della mia configurazione:

; Configurazione STUNNEL per Posta Certificata
;
; Esempio di configurazione IMAPS
;
; [imaps]
; accept = 10.11.39.11:6101
; delay = yes
; connect = mail.domain.com:993
;
; Protocol version (all, SSLv2, SSLv3, TLSv1)
;
;
; Global options

setuid = stunnel
setgid = stunnel
debug = 7
output = /var/log/stunnel.log
pid = /var/run/stunnel/stunnel.pid

; Server INFOCAMERE

[imaps]
client = yes
accept = 993
delay = yes
connect = mbox.cert.legalmail.it:993

[smtps]
client = yes
accept = 465
delay = yes
connect = sendm.cert.legalmail.it:465

[pop3s]
client = yes
accept = 995
delay = yes
connect = mbox.cert.legalmail.it:995

; Server EFW MASTER

[efw1]
client = yes
accept = 6112
delay = yes
connect = 10.11.39.254:10443

(0008385)
luca-endian (developer)
2013-02-22 13:27

yes the check has been added, it will be included in the next version.

(0008386)
luca-endian (developer)
2013-02-22 13:30

this is not actually a bug but how p3scan works, check the online documentation.

Issue History
Date Modified	Username	Field	Change
2008-05-29 12:04	andreseko	New Issue
2008-06-03 10:21	peter-endian	Status	new => closed
2008-06-03 10:21	peter-endian	Note Added: 0001267
2008-06-03 10:21	peter-endian	Resolution	open => no change required
2009-11-17 09:26	aender	Note Added: 0003306
2009-11-17 09:26	aender	Status	closed => feedback
2009-11-17 09:26	aender	Resolution	no change required => reopened
2009-11-17 16:10	peter-endian	Note Added: 0003309
2009-11-17 16:16	aender	Note Added: 0003310
2009-11-17 17:12	peter-endian	Note Added: 0003311
2009-11-17 17:13	peter-endian	Note Edited: 0003311
2009-11-17 17:20	aender	Note Added: 0003312
2009-12-02 13:28	jasonwalls	Note Added: 0003502
2010-02-19 09:04	boccardi	Note Added: 0003819
2010-03-24 10:47	ra-endian	Severity	block => minor
2010-09-23 15:52	peter-endian	Status	feedback => confirmed
2010-09-23 15:52	peter-endian	Target Version	=> future
2013-02-22 13:27	luca-endian	Note Added: 0008385
2013-02-22 13:30	luca-endian	Note Added: 0008386
2013-02-22 13:30	luca-endian	Status	confirmed => closed
2013-02-22 13:30	luca-endian	Assigned To	=> luca-endian
2013-02-22 13:30	luca-endian	Resolution	reopened => fixed

Notes
(0001267) peter-endian (administrator) 2008-06-03 10:21	please read http://kb.endian.com/entry/25/ [^]

(0003306) aender (reporter) 2009-11-17 09:26	The KB entry is only a solution for clients that are every time at green. But if i have a notebook which is at green for working in the office and sometimes on the road or at home this solution is a no go. Why? Because every time the user is outside the office he has to change the settings at the mail client and change it back if he is back to the office. So please make it possible to select POP3 and POP3 over SSL Ports (110, 995) for filtering in the gui. Or can you post a workaround where we can change a config file for this?

(0003309) peter-endian (administrator) 2009-11-17 16:10	ssl for the communication from client to transparent proxy is not implemented in p3scan, so that's simply not possible right now. same problem however on using transparent smtp proxy with a configured smtp server which requires authentication

(0003310) aender (reporter) 2009-11-17 16:16	OK. Found a way to disable POP3 SSL (Port 995) in POP3 Proxy Edit file /etc/firewall/proxies/p3scan.conf.tmpl.org and remark or delete the line with the rule for redirecting pop3s to p3scan. So it should be possible to implement this in the gui to enable or disable port 995 or 110 at the pop3 proxy settings.

(0003311) peter-endian (administrator) 2009-11-17 17:12 edited on: 2009-11-17 17:13	well, ok. disabling is possible. pop3s is then however not passing at all through the pop proxy. i mean, it goes directly then, without being proxied

(0003312) aender (reporter) 2009-11-17 17:20	thats ok. so it would be a nice feature to select which ports/protocols would be filtered by the proxy. however. "real" pop3s filtering is not possible in a correct way. in my opinion all manufactor who are telling that they can filter ssl traffic would do something like a man-in-the-middle-attack.

(0003502) jasonwalls (reporter) 2009-12-02 13:28	+1 I'd also like the option to disable the proxy for SSL traffic only.

(0003819) boccardi (reporter) 2010-02-19 09:04	Buongiorno, sarebbe possibile aggiungere il check da spuntare nella pagina del proxy POP3 per disabilitare la redirezione della porta 995 (pop3s) ? Io utilizzo il pacchetto Stunnel per fare da proxy SMTPS IMAPS e POP3S e lo uso anche per collegarmi al nostro Endian dalla nostra Intranet. Ecco un esempio della mia configurazione: ; Configurazione STUNNEL per Posta Certificata ; ; Esempio di configurazione IMAPS ; ; [imaps] ; accept = 10.11.39.11:6101 ; delay = yes ; connect = mail.domain.com:993 ; ; Protocol version (all, SSLv2, SSLv3, TLSv1) ; ; ; Global options setuid = stunnel setgid = stunnel debug = 7 output = /var/log/stunnel.log pid = /var/run/stunnel/stunnel.pid ; Server INFOCAMERE [imaps] client = yes accept = 993 delay = yes connect = mbox.cert.legalmail.it:993 [smtps] client = yes accept = 465 delay = yes connect = sendm.cert.legalmail.it:465 [pop3s] client = yes accept = 995 delay = yes connect = mbox.cert.legalmail.it:995 ; Server EFW MASTER [efw1] client = yes accept = 6112 delay = yes connect = 10.11.39.254:10443

(0008385) luca-endian (developer) 2013-02-22 13:27	yes the check has been added, it will be included in the next version.

(0008386) luca-endian (developer) 2013-02-22 13:30	this is not actually a bug but how p3scan works, check the online documentation.

Relationships

Please see now our new Bugtracker system: JIRA