7 Replies Latest reply on Apr 16, 2004 4:29 AM by Kabir Khan

    POP3 and TLS

    Kabir Khan Master

      I have written the code for the TLS support for POP3, but am struggling to find a (free) mail client for Windows that supports STLS. If anybody knows of one please let me know, since I cannot test it.

      I think the following from section 7 in rfc 2595 says that STLS is not common, but recommended as opposed to running with SSL.

      Use of separate ports for SSL has caused clients to implement only
      two security policies: use SSL or don't use SSL. The desirable
      security policy "use TLS when available" would be cumbersome with
      the separate port model, but is simple with STARTTLS.

      Maybe we should implement SSL for POP and SMTP as well as TLS? It should just be a case of creating an extra ServerThread for each protocol listening on separate ports and using an SSLServerSocket by default.



        • 1. Re: POP3 and TLS
          Kabir Khan Master

          The changes have been commited. So far I have not been able to find a client allowing me to test it. I have left it disabled in jboss-service.xml for now, so at least it does not break anything.

          The only client I found supporting TLS was Eudora, but once the CAPA command returns STLS as one of its capabilities it simply issues a QUIT command and exits (rather than issuing the STLS command). So, if anybody knows of any clients supporting TLS for POP (Rather than SSL) please let me know, or try it out yourselves.



          • 2. Re: POP3 and TLS
            Andrew Oliver Master

            Yeah I think we should have SSL as well as TLS. Of course I thought they were the same thing doh.. It seemed logical at the time to divide thread pools by protocol and port. Would it now be more logical to make thread pools a seperate concept to be shared among port/protocol?

            By default TLS and SSL should be disabled. I plan on putting instructions here: http://jboss.org/wiki/Wiki.jsp?page=MailServicesInstallingM1 as well as include them in the release. The reason being is that I don't want people to think they have TLS/SSL without setting up a keystore, etc.

            • 3. Re: POP3 and TLS
              Kabir Khan Master

              If I have understood you correctly, I think it makes sense for the protocol to depend on the thread pools, rather than the thread pools depending on the protocol.

              Maybe we could end up having just one server MBean, and define lists of secure and non-secure ports for the protocol to listen on and then on startup of the protocol make the server listen on the ports required if you get what I mean?

              For M1 or later?

              • 4. Re: POP3 and TLS
                Andrew Oliver Master

                Yeah lets think of it around M3.

                • 5. Re: POP3 and TLS
                  Michael Krause Newbie


                  "acoliver" wrote:
                  Yeah lets think of it around M3.


                  I read this too late and already did some changes that enable POP3/SSL. I added a new attribute to ServerMBean named "UsesSSL" that will cause the server to open a secure socket. So to support POP3/SSL (actually with this implementation it could also be IMAP, etc.../SSL) one has to configure another ServerMBean and name it accordingly, e.g.

                  Using this approach one can configure the server-parameters individually for secure and non-secure sessions, which might be an issue because of the different workload a secure connection causes.


                  • 6. Re: POP3 and TLS
                    Andrew Oliver Master

                    No thats fine, I was talking about thread pools. Totally awesome that you've already got POP/SSL! Thats awesome.