
POP3 not working without ssl

Open MohamedAmineOuali opened this issue 3 years ago • 5 comments

Hello,

I have deployed WildDuck on Kubernetes and I am using Traefik as a reverse proxy.

Most things are working: I can receive and send emails. However, I am facing 2 problems. Let's start with the first one.

I believe that the POP3 protocol isn't working without SSL on port 143. However, it works fine if I enable SSL with port 995.

When I try to connect to POP3, with or without Traefik, I receive the error "command is not valid in this state" (pop3).

There is not much information about this error on the internet. If I use telnet, the error occurs when I try to send the command USER username, which is the first command in POP3 when used with telnet. It seems that this error occurs if the POP3 server wants to establish an SSL connection but the client used telnet. However, in my case, I didn't activate POP3 for SSL communication.

This is the configuration file used for no SSL support (only port 110 without SSL will be activated):

# If enabled then WildDuck exposes a limited POP3 interface for listing and fetching emails
enabled=true
port=110
# by default bind to localhost only
host="0.0.0.0"

# If true, then disables STARTTLS support
disableSTARTTLS=true

# Use `true` for port 995 and `false` for 110
secure=false

# If true, then do not show server info in CAPA response
disableVersionString=false

# How many latest messages to list for LIST and UIDL
# POP3 server never lists all messages but only a limited length list
maxMessages=250

# Max download bandwidth per day in megabytes
maxDownloadMB=10000

# If true, then expect HAProxy PROXY header as the first line of data
useProxy=false

# an array of IP addresses to ignore (not logged)
ignoredHosts=[]

#name="WildDuck POP3"
#version="1.0.0"

[tls]
# If certificate path is not defined, use global or built-in self-signed certs
#key="/path/to/server/key.pem"
#cert="/path/to/server/cert.pem"

[setup]
# Public configuration for POP3
#hostname="email-server.mail-server"
secure=true
# port defaults to pop3.port
port=995

This is the configuration that uses SSL with port 995, and it works fine with a self-generated certificate:

# If enabled then WildDuck exposes a limited POP3 interface for listing and fetching emails
enabled=true
port=995
# by default bind to localhost only
host="0.0.0.0"

# If true, then disables STARTTLS support
disableSTARTTLS=false

# Use `true` for port 995 and `false` for 110
secure=true

# If true, then do not show server info in CAPA response
disableVersionString=false

# How many latest messages to list for LIST and UIDL
# POP3 server never lists all messages but only a limited length list
maxMessages=250

# Max download bandwidth per day in megabytes
maxDownloadMB=10000

# If true, then expect HAProxy PROXY header as the first line of data
useProxy=false

# an array of IP addresses to ignore (not logged)
ignoredHosts=[]

#name="WildDuck POP3"
#version="1.0.0"

[tls]
# If certificate path is not defined, use global or built-in self-signed certs
#key="/path/to/server/key.pem"
#cert="/path/to/server/cert.pem"

[setup]
# Public configuration for POP3
#hostname="email-server.mail-server"
secure=true
# port defaults to pop3.port
port=995

I have managed to configure things with the IMAP protocol and everything works fine. I have exposed IMAP without SSL on port 143 and I used Traefik with a "letsencrypt" SSL certificate to communicate with IMAP using SSL.

This is the configuration I used for IMAP:

# If enabled then WildDuck exposes an IMAP interface for listing and fetching emails
enabled=true
port=143
host="0.0.0.0"

# Use `true` for port 993 and `false` for 143. If connection is not secured
# on connection then WildDuck enables STARTTLS extension
secure=false

# Max size for messages uploaded via APPEND
maxMB=25

# delete messages from \Trash and \Junk after retention days
retention=30

# Default max download bandwidth per day in megabytes
maxDownloadMB=10000

# Default max upload bandwidth per day in megabytes
maxUploadMB=10000

# Default max concurrent connections per service per client
maxConnections=15

# if `true` then do not autodelete expired messages
disableRetention=false

# If true, then disables STARTTLS support
disableSTARTTLS=true

# If true, then advertises COMPRESS=DEFLATE capability
enableCompression=false

# If true, then expect HAProxy PROXY header as the first line of data
useProxy=false
# useProxy=true # expect PROXY from all connections
# useProxy=['*'] # expect PROXY from all connections
# useProxy=['1.2.3.4', '1.2.3.5'] # expect PROXY only from connections from listed IP addresses

# an array of IP addresses to ignore (not logged)
ignoredHosts=[]

#name="WildDuck IMAP"
#version="1.0.0"
#vendor="WildDuck"

# Add extra IMAP interfaces
#[[interface]]
#enabled=true
#port=9143
#host="0.0.0.0"
#secure=false
#ignoreSTARTTLS=true

# If true then EXPUNGE is called after a message gets a \Deleted flag set
autoExpunge=true

[setup]
# Public configuration for IMAP
hostname="bot.ipomm.tech"
secure=true
# port defaults to imap.port
port=993

[tls]
## If certificate path is not defined, use global or built-in self-signed certs
#key="/path/to/server/key.pem"
#cert="/path/to/server/cert.pem"

## You can also define extra options for specific TLS settings:

#ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

#secureProtocol="SSLv23_server_method"

## constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_TLSv1 => 100663296
#secureOptions=100663296


#[[interface]]
#enabled=true
#port=9143
#host="0.0.0.0"
#secure=false
#ignoreSTARTTLS=false

Note that I can communicate with IMAP internally and directly using port 143, and externally using Traefik with SSL.

This is the configuration that I would like to enable for POP3.

As for the versions, I am using the latest Docker image.

MohamedAmineOuali avatar Mar 11 '21 01:03 MohamedAmineOuali

It seems that not all the available config options are listed in the default config file. You should also add ignoreSTARTTLS=true or WildDuck POP3 rejects authentication requests for cleartext connections.

andris9 avatar Mar 11 '21 07:03 andris9

I guess it's kind of a bug as you have already suppressed STARTTLS support with disableSTARTTLS option and as such should not need to also use the ignoreSTARTTLS option.

andris9 avatar Mar 11 '21 07:03 andris9
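The cleartext-auth gate andris9 describes in the two comments above, as an added example that is not WildDuck's own code: it parses the reporter's POP3 config fragment and models why USER fails on port 110 until ignoreSTARTTLS=true is added. Function names and the abbreviated config text are assumptions.

```javascript
// Added example, not WildDuck's code: models the POP3 state check from the
// thread. Function names are assumed; the config is an abbreviated copy.
const STATE_ERROR = '-ERR Command is not valid in this state'; // as reported
// Parse top-level key=value lines of a WildDuck-style TOML fragment.
// '#' comments are stripped; [tls]/[setup] sections are skipped.
function parsePop3Config(text) {
  const cfg = {};
  let section = '';
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    const sec = line.match(/^\[(\w+)\]$/);
    if (sec) { section = sec[1]; continue; }
    if (section) continue;
    const m = line.match(/^(\w+)\s*=\s*(.+)$/);
    if (!m) continue;
    const v = m[2].trim();
    cfg[m[1]] = v === 'true' ? true : v === 'false' ? false
      : /^\d+$/.test(v) ? Number(v) : v.replace(/^"|"$/g, '');
  }
  return cfg;
}
// Reply to the first USER command: a TLS connection may authenticate,
// a cleartext one only if ignoreSTARTTLS is set. disableSTARTTLS alone
// does not unlock cleartext auth (the "kind of a bug" in the thread).
function userCommandResponse(cfg, connectionIsTls) {
  if (connectionIsTls || cfg.ignoreSTARTTLS === true) return '+OK';
  return STATE_ERROR;
}
// Flags the reported misconfiguration: cleartext listener with
// STARTTLS disabled but ignoreSTARTTLS missing.
function needsIgnoreStartTls(cfg) {
  return cfg.secure !== true && cfg.disableSTARTTLS === true
    && cfg.ignoreSTARTTLS !== true;
}
// Constructed: the reporter's no-SSL POP3 config, reduced to the
// keys that matter, and the same config with the maintainer's fix.
const REPORTED_CONFIG = `
port=110
host="0.0.0.0"
disableSTARTTLS=true   # STARTTLS off ...
secure=false           # ... on a cleartext listener
[setup]
secure=true
port=995
`;
const FIXED_CONFIG = 'ignoreSTARTTLS=true\n' + REPORTED_CONFIG;
```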

Wow, thank you very much, it works. I am grateful. Btw, is it possible to have the server listening on both 110 and 995 with SSL?

Thank you again.

MohamedAmineOuali avatar Mar 12 '21 03:03 MohamedAmineOuali

@MohamedAmineOuali Any chance you could share your manifest files?

altitudems avatar Oct 03 '21 02:10 altitudems

This issue is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot] avatar Feb 19 '24 01:02 github-actions[bot]

This issue was closed because it has been stalled for 15 days with no activity.

github-actions[bot] avatar Mar 07 '24 01:03 github-actions[bot]