# qpopper (pop3) with ssl encryption (routines:ssl3_get_record:wrong version number)



## sidney2017 (Jan 1, 2022)

Hello and first of all a "Happy New Year 2022!"

In advance: I already use another solution (postfix+dovecot+pigeonhole).
But for special reasons I have to set up the sendmail + spamassassin + qpopper scenario for a few weeks on a special machine.

Among other things, I used the following instructions as a guide for configuring qpopper with SSL/TLS:

Qpop-SSL (www.defcon1.org)

I have already spent several hours today trying to set up qpopper so that an SSL connection can be used from the e-mail client via port 995. For TLS/SSL I use Let's Encrypt certificates!
Unfortunately unsuccessful so far (see error messages below, with strange symbols/characters).
In contrast, sendmail-smtp-auth with TLS works fine.

I'm just not getting anywhere here. Have I included the wrong certificate?
I think I read somewhere a while ago that you have to merge two certificates into a single file for qpopper.

Obviously the problem has to do with the SSL version number 3 if you have a look at the openssl connection attempt below.

I would be happy if someone could help me.

Thanks in advance and kind regards
Sidney2017

/var/log/messages

```
Jan 1 12:49:17 MyDomain qpopper[40447]: (null) at dslb-XXX-XXX-XXX-XXX.088.064.pools.tcom-ip.de (X.X.X.X): -ERR Unknown command: "^V^C^A".
Jan 1 12:49:17 MyDomain qpopper[40447]: (null) at dslb-XXX-XXX-XXX-XXX.088.064.pools.tcom-ip.de (X.X.X.X): -ERR Unknown command: "▒".
Jan 1 12:49:17 MyDomain qpopper[40447]: (null) at dslb-XXX-XXX-XXX-XXX.088.064.pools.tcom-ip.de (X.X.X.X): -ERR POP EOF or I/O Error
Jan 1 12:49:17 MyDomain qpopper[40447]: I/O error flushing output to client at dslb-XXX-XXX-XXX-XXX.088.064.pools.tcom-ip.de [X.X.X.X]: Operation not permitted (1)
```

Certbot certificates shows:

```
Certificate Name: MyDomain.tld
Serial Number: 4884fXXXXXXX94dd8a6b77ee31def515a5
Key Type: RSA
Domains: MyDomain.tld imap.MyDomain.tld mail.MyDomain.tld smtp.MyDomain.tld www.MyDomain.tld
Expiry Date: 2022-03-31 15:50:21+00:00 (VALID: 89 days)
Certificate Path: /usr/local/etc/letsencrypt/live/MyDomain.tld/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/MyDomain.tld/privkey.pem
```

Additionally following files exist:

```
/usr/local/etc/letsencrypt/live/MyDomain.tld/chain.pem
/usr/local/etc/letsencrypt/live/MyDomain.tld/cert.pem
```

/etc/services

```
# pop3 protocol over TLS/SSL
pop3s 995/tcp spop3
pop3s 995/udp spop3
```

/etc/inetd.conf

```
pop3 stream tcp nowait root /usr/local/libexec/qpopper qpopper -s
pop3s stream tcp nowait root /usr/local/libexec/qpopper qpopper -s -f /etc/mail/pop/qpopper.config
```

qpopper.config

```
set tls-support = alternate-port
set tls-version = default
set tls-server-cert-file = /usr/local/etc/letsencrypt/live/MyDomain.tld/cert.pem
```
I also tried "set tls-support = stls".

rc.conf

```
firewall_myservices="22/tcp 25/tcp 80/tcp 110/tcp 443/tcp 587/tcp 993/tcp 995/tcp 4190/tcp 10000/tcp 11332/tcp 11334/tcp 20000/tcp"
```

`telnet localhost 995`

```
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Qpopper (version 4.1.0) at MyDomain.tld starting. <41371.1641040644@MyDomain.tld>
```

`openssl s_client -connect localhost:995`

```
CONNECTED(00000004)
34374492160:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:/usr/src/crypto/openssl/ssl/record/ssl3_record.c:358:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

`pkg info qpopper`

```
qpopper-4.1.0_6
Name           : qpopper
Version        : 4.1.0_6
Installed on   : Tue Dec 28 12:23:44 2021 CET
Origin         : mail/qpopper
Architecture   : FreeBSD:13:amd64
Prefix         : /usr/local
Categories     : mail
Licenses       : QUALCOMM
Maintainer     : eugen@FreeBSD.org
WWW            : http://www.eudora.com/products/unsupported/qpopper/
Comment        : Berkeley POP 3 server (now maintained by Qualcomm)
Options        :
        APOP           : on
        APOP_ONLY      : off
        DOCUMENTATION  : off
        FULL_POPD_DEBUG: off
        OPENSSL        : on
        PAM            : off
        POPPASSD       : off
        SAMPLE_POPUSERS: off
        SHY_ENABLED    : off
        STANDALONE_MODE: off
        U_OPTION       : on
Annotations    :
        FreeBSD_version: 1300139
        cpe            : cpe:2.3:a:qualcomm:qpopper:4.1.0:::::freebsd13:x64:6
        repo_type      : binary
        repository     : FreeBSD
```


----------



## covacat (Jan 1, 2022)

you may be better off with 'normal' qpopper and stunnel


----------



## BjarneB (Jan 1, 2022)

I don't know anything about qpopper, but the error from openssl means that qpopper or whatever is listening on port 995 is not using a certificate at all. 
Try `openssl s_client -debug -connect localhost:995` for more output.
With a connection to something that returns a certificate, you should see the presented certificate.


----------



## BjarneB (Jan 1, 2022)

Hm, a quick look for qpopper shows some very old info, and the admin guide suggests TLSv1 and SSL v1+2.
Maybe look for something more modern?
I don't think I would install this.


----------



## sidney2017 (Jan 1, 2022)

BjarneB said:


> I don't know anything about qpopper, but the error from openssl means that qpopper or whatever is listening on port 995 is not using a certificate at all.
> Try `openssl s_client -debug -connect localhost:995` for more output.
> With a connection to something that returns a certificate, you should see the presented certificate.


Hi,

with the -debug param openssl s_client shows the same output as before!

Thanks and kind regards
Sidney2017


----------



## sidney2017 (Jan 1, 2022)

BjarneB said:


> Hm, a quick look for qpopper shows some very old info, and the admin guide suggest TLSv1  and ssl v1+2.
> Maybe look for something more modern?
> I don't think I would install this.


You are totally right!
As mentioned in my first post, I usually use dovecot, but I have to work with qpopper for a short time because of special reasons.

Kind regards
Sidney2017


----------



## sidney2017 (Jan 1, 2022)

covacat said:


> you may be better off with 'normal' qpopper and stunnel


Hello,

Today I heard of stunnel for the first time and will try to find out how to use it with qpopper and FreeBSD.

Thanks and kind regards
Sidney2017


----------



## covacat (Jan 1, 2022)

stunnel adds ssl/tls support for programs that don't support it
listens on 995 and redirects to 110
pkg install stunnel and read its docs


----------



## sidney2017 (Jan 1, 2022)

Hello,

several hours later I am still struggling with stunnel although I followed the "_HOWTO: Setting up STUNNEL in FreeBSD_" guide here at FreeBSD.org:

HOWTO: Setting up STUNNEL in FreeBSD (forums.freebsd.org)

Starting stunnel always results in permission errors:


> 2022.01.01 21:48:30 LOG5[ui]: Switched to chroot directory: /var/run/stunnel
> 2022.01.01 21:48:30 LOG3[ui]: Cannot create pid file /stunnel.pid
> 2022.01.01 21:48:30 LOG3[ui]: create: Permission denied (13)


and


> [.] Switched to chroot directory: /var/run/stunnel
> [!] Cannot open log file: /var/log/stunnel.log


when additionally enabling logging.

Does anyone have an idea why the implementation of the above guide does not work for me?

The current permissions of /var/run/stunnel:

```
drw--w--w-  2 stunnel  stunnel       stunnel
```

Thanks in advance and kind regards
Sidney2017

*/usr/local/etc/stunnel/stunnel.conf*


> ; **************************************************************************
> ; * Global options                                                         *
> ; **************************************************************************
> ; some debugging stuff useful for troubleshooting
> ...



*/usr/local/etc/rc.d/stunnel start*


> Starting stunnel.
> 2022.01.01 21:48:30 LOG6[ui]: Initializing inetd mode configuration
> 2022.01.01 21:48:30 LOG7[ui]: Clients allowed=917876
> 2022.01.01 21:48:30 LOG5[ui]: stunnel 5.60 on amd64-portbld-freebsd13.0 platform
> ...



The same "permission problem" occurs when setting `output = /var/log/stunnel.log` in /usr/local/etc/stunnel/stunnel.conf:

> [.] Switched to chroot directory: /var/run/stunnel
> [!] Cannot open log file: /var/log/stunnel.log
> [ ] Unbinding service [pop3s]
> [ ] Service [pop3s] closed (FD=10)
> [ ] Service [pop3s] closed (FD=11)
> [ ] Service [pop3s] closed


----------



## covacat (Jan 1, 2022)

chown stunnel:stunnel /var/run/stunnel


----------



## sidney2017 (Jan 1, 2022)

Hi,

thanks for your hint!

But I already wrote in my last post:


> *The current permissions of /var/run/stunnel*
> drw--w--w-  2 stunnel  stunnel       stunnel



Kind regards
Sidney2017


----------



## covacat (Jan 1, 2022)

chmod 750 that dir


----------



## sidney2017 (Jan 1, 2022)

Hello,

thank you very much!

Indeed the "chmod 750" of /var/run/stunnel solved the mentioned permission problem ("Cannot create pid file /stunnel.pid").
Obviously "chmod 0622 stunnel" as described in the "HOWTO: Setting up STUNNEL in FreeBSD" is not correct.

Setting "_output = /var/log/stunnel.log_" in /usr/local/etc/stunnel/stunnel.conf to /stunnel.log solved the trouble with the "stunnel.log" creation.
/var/log/stunnel.log was outside the chroot environment!

So the next step is to test it with my e-mail client and, if successful, activate it with inetd.

Kind regards
Sidney2017

*/usr/local/etc/rc.d/stunnel start*


> Starting stunnel.
> 2022.01.01 22:59:07 LOG6[ui]: Initializing inetd mode configuration
> 2022.01.01 22:59:07 LOG7[ui]: Clients allowed=917876
> 2022.01.01 22:59:07 LOG5[ui]: stunnel 5.60 on amd64-portbld-freebsd13.0 platform
> ...


----------



## sidney2017 (Jan 1, 2022)

Here we go ...

One may hardly believe it. When I now want to retrieve mails with Thunderbird via port 995 with SSL/TLS via stunnel I get exactly the *same error message as when using qpopper, which I had mentioned in my initial post:*



> 2022.01.01 23:19:57 LOG7[3]: TLS state (connect): SSLv3/TLS write client hello
> 2022.01.01 23:19:57 LOG3[3]: *SSL_connect: /usr/src/crypto/openssl/ssl/record/ssl3_record.c:358: error:1408F10B:SSL routines:ssl3_get_record:wrong version number*



Now I am exactly where I was with qpopper. 

Any idea what I could do?

Thanks and kind regards
Sidney2017


----------



## covacat (Jan 1, 2022)

try https://helpx.adobe.com/adobe-connect/kb/disable-sslv3.html


----------



## sidney2017 (Jan 1, 2022)

I tried it with the options mentioned by Adobe (your link)
and further options like 

```
sslVersion = TLSv1.2
sslVersionMin = TLSv1.1
sslVersionMax = TLSv1.2
options = NO_SSLv3
```

Always the same result: 



> ...
> 2022.01.02 00:10:29 LOG6[0]: SNI: sending servername: localhost
> 2022.01.02 00:10:29 LOG6[0]: Peer certificate not required
> 2022.01.02 00:10:29 LOG7[0]: TLS state (connect): before SSL initialization
> ...



*May it have to do with the openssl version?*

`/usr/bin/openssl version`

```
OpenSSL 1.1.1k-freebsd  25 Mar 2021
```

Installed package with "pkg install openssl":

`/usr/local/bin/openssl version`

```
OpenSSL 1.1.1l  24 Aug 2021
```

How can one make /usr/local/bin/openssl the default openssl?

Kind regards
Sidney2017


----------



## covacat (Jan 1, 2022)

try

```
openssl s_client -connect yourhost:995
user john
pass password
list
retr 1
quit
```


----------



## sidney2017 (Jan 1, 2022)

Hello covacat,

thanks for your assistance!

I get the same results I presented in my first post related to _qpopper_ (even the same /var/log/messages results).

Kind regards
Sidney2017

*openssl s_client -connect MyDomain.tld:995*



> CONNECTED(00000004)
> *write:errno=54*
> ---
> no peer certificate available
> ...



*/var/log/messages*


> Jan  2 00:23:38 MyDomain stunnel[56663]: LOG5[ui]: UTF-8 byte order mark detected
> Jan  2 00:23:38 MyDomain stunnel[56663]: LOG4[ui]: Service [pop3s] needs authentication to prevent MITM attacks
> Jan  2 00:23:38 MyDomain stunnel[56663]: LOG5[ui]: Configuration successful
> Jan  2 00:23:38 MyDomain stunnel[56663]: LOG5[ui]: Switched to chroot directory: /var/run/stunnel
> ...


----------



## covacat (Jan 1, 2022)

remove the client yes option from stunnel.conf


----------



## sidney2017 (Jan 2, 2022)

Hello covacat,

removing "_client = yes_" solved the last problem I had!

Thank you very much for your extraordinary help!

What made you think that it could be the "client = yes" entry?
To be honest, I am not aware of what exactly this entry does.

Best regards
Sidney2017


----------



## covacat (Jan 2, 2022)

googled the ssl error and found out it's related to an ssl connection to a non-ssl daemon
client = yes made stunnel try to connect with ssl to qpopper@110
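The mismatch covacat describes (a TLS client talking to a daemon that answers in plaintext) is what produced both error messages in this thread. The following added example is not from any poster here: it decodes the bytes qpopper logged as an unknown command and shows why OpenSSL rejects the plaintext `+OK` banner as a "wrong version number"; all sample bytes are constructed for the example.

```python
"""Tell a TLS record header apart from a plaintext POP3 banner (added example).

The two symptoms in this thread come from the same mismatch: qpopper, answering in
plaintext, logged the first bytes of a TLS ClientHello (0x16 0x03 0x01, syslog ^V^C^A)
as an unknown command; openssl (and stunnel with client = yes) expected a TLS record,
read "+OK Q" and failed with "wrong version number". Sample bytes are constructed.
"""
from typing import Optional, Tuple

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_RECORD_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2+"}


def caret_to_bytes(text: str) -> bytes:
    """Decode syslog caret notation ("^V^C^A") back into raw bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "^" and i + 1 < len(text):
            nxt = text[i + 1]  # ^@..^Z -> 0x00..0x1a, ^? -> 0x7f
            out.append(0x7F if nxt == "?" else (ord(nxt) - 0x40) & 0x7F)
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def classify(data: bytes) -> Tuple[str, str]:
    """Return (kind, detail) for the first bytes a peer sent: 'tls', 'pop3-plaintext' or 'unknown'."""
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES:
        version = (data[1] << 8) | data[2]  # record-layer version, must be 0x03xx
        if version in TLS_RECORD_VERSIONS:
            length: Optional[int] = (data[3] << 8) | data[4] if len(data) >= 5 else None
            return "tls", f"{TLS_CONTENT_TYPES[data[0]]} record, {TLS_RECORD_VERSIONS[version]}, length={length}"
    if data[:3] == b"+OK" or data[:4] == b"-ERR":
        return "pop3-plaintext", data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return "unknown", data[:5].hex()


def diagnose(data: bytes, expected: str) -> str:
    """Explain a mismatch; `expected` is what our side speaks, 'tls' or 'pop3'."""
    kind, detail = classify(data)
    if expected == "tls" and kind == "pop3-plaintext":
        return (f"peer speaks plaintext POP3 ({detail}); a TLS client fails with 'wrong version "
                f"number' because header bytes 1-2 ({data[1:3].hex()}) are not 03xx")
    if expected == "pop3" and kind == "tls":
        return f"peer sent a TLS {detail}; a plaintext POP3 server logs it as an unknown command"
    return f"{kind}: {detail}"
```

Feeding `caret_to_bytes("^V^C^A")` to `diagnose(..., "pop3")` reproduces qpopper's view of the failed connection, and `diagnose(b"+OK Qpopper ...", "tls")` reproduces what openssl s_client and the mis-set stunnel saw.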


----------

