-
Building UW-IMAP...
Just some logic checks, I've read the documentation, and have managed to
become completely confused about SSL and authentication.
To build UW-IMAP (for UNIX) so it runs the "old" pre-SSL way, circa
2003, I use "SSLTYPE=none", yes?
If I use "SSLTYPE=unix", what *else* am I going to have to configure?
Or add?
And I assume that "SSLTYPE=nopwd" means that everything is done via
certificate?
I have OpenSSL installed, I'm just trying to work out what to build.
Oh, and I am thinking in terms of accessing the server over the wire, I
understand about setting up /etc/services and inetd.conf files, I'm just
having trouble picking just which variant(s) I should build.
Cheers,
Gary B-)
-
Re: Building UW-IMAP...
"Gary R. Schmidt" <grschmidt@acm.org> writes:
> Just some logic checks, I've read the documentation, and have managed to
> become completely confused about SSL and authentication.
SSL has nothing to do with authentication (in general). :)
> To build UW-IMAP (for UNIX) so it runs the "old" pre-SSL way, circa
> 2003, I use "SSLTYPE=none", yes?
This will build without any SSL capability at all.
> If I use "SSLTYPE=unix", what *else* am I going to have to configure?
> Or add?
SSLTYPE=unix is the same as the normal SSL build (nopwd) except it
allows plaintext authentication over non-SSL sessions.
> And I assume that "SSLTYPE=nopwd" means that everything is done via
> certificate?
No; SSLTYPE=nopwd is both SSL and non-SSL, same as "=unix", but it
does not allow plaintext authentication over non-SSL connections.
Your issue is probably about deciding what kinds of authentication you
want available, rather than anything to do with SSL.
Cheers,
- Joel
-
Re: Building UW-IMAP...
On Tue, 28 Oct 2008, Gary R. Schmidt posted:
> Just some logic checks, I've read the documentation, and have managed to
> become completely confused about SSL and authentication.
Understood. It can be bewildering, and it is made all the more complex by
the differences in individual UNIX variants that change the rules in
subtle ways.
Most of what you need to know that is specific to IMAP is in the BUILD and
SSLBUILD files. The problem is that you also need to know some stuff
about OpenSSL that is not specific to IMAP... :-(
> To build UW-IMAP (for UNIX) so it runs the "old" pre-SSL way, circa
> 2003, I use "SSLTYPE=none", yes?
More like circa 1998, but yes.
> If I use "SSLTYPE=unix", what *else* am I going to have to configure?
> Or add?
> And I assume that "SSLTYPE=nopwd" means that everything is done via
> certificate?
SSLTYPE=unix is not recommended. This was an interim setting for the
transition to secure sessions a decade ago. It is highly unsafe to allow
unencrypted sessions in today's Internet.
SSLTYPE=nopwd is the modern recommended mechanism. It forces the use of
session encryption and integrity protection before you can do any
plaintext password authentication. This generally means that you can't
log in without first negotiating SSL/TLS.
As for what else do you have to configure, you have to set up both
Certificate Authority (CA) certificates and private keys in OpenSSL as
described in Step 4. That is actually an OpenSSL configuration issue and
not an IMAP configuration issue. Sadly, most UNIX variants do a terrible
job of setting up CA certificates, much less giving you guidance on how to
install private keys, and compound the confusion by having their own
idiosyncratic locations for where the certificates and keys go.
This is something where you really need to have a local expert on hand to
help you. You may be able to get some free guidance from a web page or
from someone here instead of paying an expert. "If your site's security
isn't worth anything, then don't spend anything on security expertise."
> Oh, and I am thinking in terms of accessing the server over the wire, I
> understand about setting up /etc/services and inetd.conf files, I'm just
> having trouble picking just which variant(s) I should build.
The same comment about a local expert applies here too. It depends upon
the type of system that you have (e.g., Linux, Mac, Solaris, etc.). If
you get a good person who can sit down with you and do the necessary
handholding and explanations, I think that you'll find it well worth the
cost.
Good luck!
-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
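As an added example (not part of this thread, and not code from the UW-IMAP distribution), the following Python script tells apart, from the outside, the three build variants Joel and Mark describe above. It assumes the RFC 2595 convention that a server which refuses plaintext passwords before TLS advertises LOGINDISABLED (and no AUTH=PLAIN/AUTH=LOGIN) on a cleartext connection while offering STARTTLS to upgrade it, so that a nopwd build shows STARTTLS plus LOGINDISABLED, a unix build shows STARTTLS without LOGINDISABLED, and a none build shows no STARTTLS at all. The hostname, the `audit_server` helper and the sample greetings are all assumptions; the greetings are constructed for this example and only follow the general shape of an IMAP greeting.

```python
"""Classify an IMAP server's pre-TLS capabilities (added example).

Verdicts returned by classify():
  "no-tls"            no STARTTLS offered at all      (like SSLTYPE=none)
  "plaintext-allowed" STARTTLS offered, but a cleartext LOGIN is still
                      accepted                        (like SSLTYPE=unix)
  "tls-required"      STARTTLS offered and LOGINDISABLED until it is used
                                                      (like SSLTYPE=nopwd)
The mapping to SSLTYPE values is an assumption based on RFC 2595 semantics.
"""
import imaplib
import re
import ssl

# SASL mechanisms that carry the password in the clear.
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

# Constructed sample greetings for offline use (not captured from a real host).
SAMPLE_GREETINGS = {
    "nopwd": "* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS "
             "STARTTLS LOGINDISABLED] imap.example.test IMAP4rev1 ready",
    "unix":  "* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS "
             "STARTTLS AUTH=PLAIN AUTH=LOGIN] imap.example.test IMAP4rev1 ready",
    "none":  "* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS "
             "AUTH=PLAIN AUTH=LOGIN] imap.example.test IMAP4rev1 ready",
}


def parse_capabilities(line):
    """Return the capability atoms (upper-cased) from either a greeting of
    the form '* OK [CAPABILITY ...] text' or an untagged '* CAPABILITY ...'
    response line."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line)
    if m:
        body = m.group(1)
    else:
        body = re.sub(r"^\*\s+CAPABILITY\s+", "", line.strip())
    return {atom.upper() for atom in body.split()}


def classify(caps):
    """Map a pre-TLS capability set to one of the three verdicts above."""
    if "STARTTLS" not in caps:
        return "no-tls"
    if "LOGINDISABLED" in caps and not (caps & PLAINTEXT_MECHS):
        return "tls-required"
    # STARTTLS is available but nothing stops a client from sending the
    # password in the clear: the behaviour Mark warns against.
    return "plaintext-allowed"


def plaintext_login_exposed(caps):
    """True when a cleartext LOGIN would be accepted before STARTTLS."""
    return classify(caps) == "plaintext-allowed"


def audit_server(host, port=143, timeout=10.0):
    """Hypothetical helper: connect in the clear, record the pre-TLS verdict,
    then upgrade with STARTTLS (verifying the server certificate against the
    system CA store) and return the post-TLS capabilities as well.
    Needs network access; the offline checks above do not call it."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        pre = set(conn.capabilities)          # imaplib already ran CAPABILITY
        result = {"pre_tls": classify(pre), "pre_tls_caps": sorted(pre),
                  "post_tls_caps": None}
        if "STARTTLS" in pre:
            ctx = ssl.create_default_context()  # hostname + chain verification
            conn.starttls(ssl_context=ctx)
            result["post_tls_caps"] = sorted(conn.capabilities)
        return result
    finally:
        try:
            conn.logout()
        except Exception:
            pass


if __name__ == "__main__":
    for name, greeting in SAMPLE_GREETINGS.items():
        caps = parse_capabilities(greeting)
        print(f"{name:6s} -> {classify(caps)}")
```

Run against a real host with `audit_server("imap.example.test")` (hostname assumed); a result of `"plaintext-allowed"` on port 143 is the condition Mark calls highly unsafe, while `"tls-required"` is what a nopwd build should produce. The post-TLS capability list should then show the AUTH= mechanisms and no LOGINDISABLED, since the password is only ever sent inside the encrypted session.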