Date: Fri, 17 Nov 2000 21:50:30 +0800
From: "Lim Hui Min" <huimin.lim@i-dns.net>
To: "Angelo a.k.a shagy" <shagy@rocketmail.com>, <freebsd-security@FreeBSD.ORG>
Subject: Re: stunnel, outlook express and qpopper
Message-ID: <000701c051dc$c59dec10$6600a8c0@huiminvaio>
References: <20001110134230.29329.qmail@web2904.mail.yahoo.com>

Make sure your Common Name, when you create your cert, is EXACTLY the same as the server name that you are popping from in Outlook Express.

HM

----- Original Message -----
From: "Angelo a.k.a shagy" <shagy@rocketmail.com>
To: <freebsd-security@FreeBSD.ORG>
Sent: Friday, November 10, 2000 9:42 PM
Subject: Re: stunnel, outlook express and qpopper

> > On Fri, Nov 10, 2000 at 12:55:26AM -0800, Angelo a.k.a shagy wrote:
> > > Greetings, I'm trying to wrap pop3 with stunnel (ssl)
> > > I'm using FreeBSD 3.4
> > > stunnel 3.4a (from the ports)
> > > qpopper 3.1
> > >
> > > I start qpopper with the following options
> > > "qpopper 192.168.5.1:110 -S"
> > >
> > > Then stunnel starts up like so
> > > "stunnel -d pop3s -r 192.168.5.1:pop3"
> > >
> > > When trying to access mail through Outlook Express I
> > > get the following message.
> > > "The server you are connected to is using a security
> > > certificate that does not match its internet address.
> > > Do you want to continue using this server?"
> > >
> > > I've read that IE and Netscape have a hard coded list
> > > of Certificate Authorities. And you can get this
> > > message if you haven't had your server certificate
> > > signed by a CA such as verisign. Is this an absolute
> > > truth *or* is there a way around this? Or am I just
> > > way off?!
> > >
> > > Any help would be appreciated
> >
> > A self-signed certificate worked fine for me back when I used to run a
> > similar setup (UW-IMAP and POP3, stunnel, and MS OE). How did you make
> > your cert?
> > --
>
> Hi, here is how I created the certificate....
>
> First I generated the unencrypted server key
> "openssl genrsa -out server.key 1024"
>
> Then I created a server certificate request with the unencrypted key
> "openssl req -new -days 365 -key server.key -out newreq.pem"
>
> Created my own Certificate Authority and self-signed.
> (I used CA.pl to do this)
> "perl CA.pl -newca" #made a certificate authority
> "perl CA.pl -sign"  #self-signed the request
>                     #(I got a file named "newcert.pem" as a result)
>
> Then I generated a dh file for stunnel
> "openssl gendh -out dh 1024"
>
> Put it all together like so
> "cat server.key newcert.pem dh > stunnel.pem"
>
> I also removed non operational text from stunnel.pem.....the end result was
> similar to this.
>
> ---BEGIN RSA PRIVATE KEY---
> [encoded key]
> ---END RSA PRIVATE KEY---
> [empty line here]
> ---BEGIN CERTIFICATE---
> [encoded certificate]
> ---END CERTIFICATE---
> [empty line here]
> ---BEGIN DH PARAMETERS---
> [encoded key]
> ---END DH PARAMETERS---
>
> Everything seems to be working fine except for message that
> I get from outlook.
>
> Thanks,
> Ang

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
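
The Common Name check described in the reply above, as an added example that is not part of the original thread: it parses the subject line printed by `openssl x509 -noout -subject -in newcert.pem` and compares the CN with the server name entered in the mail client. The subject string and the name `mail.example.com` are constructed sample values; the function names are hypothetical.

```python
import ipaddress
import re

def common_name(subject_line):
    """Extract the CN from `openssl x509 -noout -subject` output.
    Handles both the old '/C=US/CN=host' and the newer 'C = US, CN = host' layouts."""
    m = re.search(r"(?:^|[/,=\s])CN\s*=\s*([^/,\n]+)", subject_line)
    return m.group(1).strip() if m else None

def name_matches(cert_name, client_server_setting):
    """True if the server name configured in the client matches the certificate name."""
    host = client_server_setting.strip().rstrip(".").lower()
    name = cert_name.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return host == name          # IP literal: exact match only, no wildcard
    except ValueError:
        pass
    if name.startswith("*."):
        # A wildcard covers exactly one left-most label.
        head, _, rest = host.partition(".")
        return bool(head) and rest == name[2:]
    return host == name              # DNS names compare case-insensitively

def diagnose(subject_line, client_server_setting):
    """Report whether the client would see a name mismatch for this certificate."""
    cn = common_name(subject_line)
    if cn is None:
        return "no CN in subject"
    if name_matches(cn, client_server_setting):
        return "ok"
    return ("mismatch: client uses %r, certificate CN is %r"
            % (client_server_setting, cn))

# Constructed sample: a cert issued for a host name, while the client
# is pointed at the IP address from the thread's stunnel command line.
SAMPLE_SUBJECT = "subject= /C=US/ST=State/O=Example/CN=mail.example.com"

if __name__ == "__main__":
    for setting in ("192.168.5.1", "mail.example.com", "MAIL.example.com"):
        print(setting, "->", diagnose(SAMPLE_SUBJECT, setting))
```

Current TLS clients compare the configured name against the certificate's subjectAltName entries rather than the CN; the same comparison applies to each of those names.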