I've been running IMAP over SSL for a while on Solaris, but until recently I've used STunnel to provide the SSL support in front of a plain IMAP daemon. I've known that you could compile SSL into imap for a while but never really looked into it until Rama figured out the magic certificate generation piece.

But what Rama did was to just install the Sunfreeware version of imapd. I have a love/hate relationship with those types of distributions, so I decided to look at compiling it myself. Heck, Solaris includes OpenSSL, so it should be easy.

Well, actually, I couldn't get it to build with the version of OpenSSL that ships with Solaris. Looking at syslog I'd see messages like:

Mar 14 10:23:24 watt imapd[5834]: [ID 853321 mail.error] SSL error status: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable

And looking at the imapd binary I saw that it was missing libcrypto_extra. Searching the net I found a bunch of people talking about it. It appears that this is no longer needed with Solaris 10, but others say that you need to install the SUNWcry package. Well, I must be a loser because I could not find enough info to make it work.

So I decided to just compile a fresh copy of OpenSSL to use for building imapd. Here's what I did.

Compiling OpenSSL -- It's pretty trivial to do in this day and age; however, my first attempt compiled it 64-bit, and imapd had issues with that. There are a few extra configuration parameters to force it to 32-bit. Here's the Configure line:

Configure --prefix=/opt/openssl-0.9.8e 386 shared solaris-x86-gcc

After that, compile and install:

gmake
gmake install

Compiling Imapd -- The instructions in docs/SSLBUILD cover the basics, but there were a few additional changes I needed to make. The main change was to make sure imapd was built with my OpenSSL instead of the Solaris version. All of these changes were to src/osdep/unix/Makefile:

First I set the SSLDIR and SSLCERTS variables to where I wanted them:

SSLDIR=/opt/openssl
SSLCERTS=/etc/sfw/openssl/certs

Next, I forced it to use the static version of libcrypto.a by changing SSLCRYPTO:

SSLCRYPTO=$(SSLLIB)/libcrypto.a

Finally, I needed to force it to use my static version of libssl.a:

SSLLDFLAGS= -L$(SSLLIB) $(SSLLIB)/libssl.a $(SSLCRYPTO) $(SSLRSA)

After that, simply compile it and install it wherever you want:

gmake gso
mkdir /opt/bin
cp imapd/imapd /opt/bin

Configuring the imapd certificate -- Thanks to Rama for the magic OpenSSL command. All you really do is create a PEM file called imapd.pem, holding both the private key and the certificate, in the OpenSSL certs folder:

cd /opt/sfw/openssl/certs
openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 3650

Starting imapd from inetd -- OK, with Solaris 10 this is done through SMF, but inetd has a conversion utility for this. I put the following line in /etc/inetd.conf:

imaps stream    tcp     nowait root     /opt/bin/imapd  imapd

Then I added a line to /etc/services:

imaps           1143/tcp        imap2           # Internet Mail Access Protocol v2

Then just run inetconv per the instructions in inetd.conf, and Bob's your uncle.
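As an added pre-flight check for the setup above (example code, not from the original post), this script verifies the pieces the post configures: that imapd.pem carries both a key and a certificate and is not readable by group or others (the -nodes key is unencrypted), which port /etc/services maps imaps to, and which binary the inetd.conf line runs. File paths and the sample config lines are constructed for a stand-alone run; point the functions at /etc/services, /etc/inetd.conf and your certs directory to check a real host.

```shell
#!/bin/sh
# Pre-flight checks for the imapd-over-SSL setup described above. Added example,
# not code from the original post; it assumes the same file layouts the post uses
# (combined key+cert in imapd.pem, classic inetd.conf and /etc/services lines)
# and needs only sh, awk, grep, ls and cut, so it runs without openssl installed.

# Port that a services file assigns to a service name (first non-comment tcp match).
services_port() {  # services_port <name> <services-file>
    awk -v n="$1" '$1 == n && $2 ~ "/tcp$" { sub("/tcp", "", $2); print $2; exit }' "$2"
}

# Server binary an inetd.conf line names for a service (field 6 of the post's line).
# The name in field 1 must also exist in the services file: imapd picks its mode from it.
inetd_server() {   # inetd_server <service> <inetd.conf>
    awk -v n="$1" '$1 == n && $2 == "stream" { print $6; exit }' "$2"
}

# imapd.pem must hold exactly one private key plus a certificate, and because
# `openssl req -nodes` writes the key unencrypted, the file must not be readable
# by group or others.  Returns 0 ok, 1 key/cert missing, 2 permissions too open.
check_pem() {      # check_pem <pem-file>
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$1" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ] || return 1
    grp_oth=$(ls -l "$1" | cut -c5-10)   # group and other rwx bits
    [ "$grp_oth" = "------" ] || return 2
}

# Constructed sample inputs so the script runs stand-alone (placeholders, not real keys).
tmp=$(mktemp -d)
cat > "$tmp/services" <<'EOF'
# constructed sample /etc/services
imap            143/tcp         imap2           # plain IMAP
imaps           1143/tcp        imap2           # non-default port, as in the post
EOF
printf '%s\n' 'imaps stream    tcp     nowait root     /opt/bin/imapd  imapd' > "$tmp/inetd.conf"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END RSA PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT' '-----END CERTIFICATE-----' > "$tmp/imapd.pem"
chmod 644 "$tmp/imapd.pem"   # deliberately too open, to show the check firing

port=$(services_port imaps "$tmp/services")
echo "imaps listens on $port (mail clients default to 993; override if different)"
echo "inetd runs $(inetd_server imaps "$tmp/inetd.conf") for imaps"
check_pem "$tmp/imapd.pem" && echo "imapd.pem ok" || echo "imapd.pem check failed (rc=$?)"
```

Because imapd is linked against static libssl.a and libcrypto.a, a later OpenSSL security update to the system libraries does not reach it; rebuild imapd whenever the OpenSSL you built from is updated.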

Comments:

Just to point out to the uninitiated, the port used in /etc/services is typically 993, and is what tools like Thunderbird will default to. If you use a different port selection as you've done, you'll need to be sure to override the default in your mail client.

Posted by rama on March 14, 2007 at 12:18 PM PDT #

Whoops. Good point, Rama. For "historical" reasons I use a non-default secure imap port, but port 993 is the default.

Posted by Joe Mocker on March 18, 2007 at 09:46 PM PDT #

Thank you for this blog post. (Thank Google for finding it!) It helped me a lot. I was trying to set up UW IMAP with PAM and SSL. I tried the OpenSSL provided with Solaris-10 11/2006. I also tried OpenSSL as packaged by Blastwave. I experienced a number of compile errors until I tried your approach. Please note that I set my SSLDIR to match the --prefix setting. Also, I am on SPARC, so my configure command was:

Configure --prefix=/opt/openssl-0.9.8e shared solaris-sparcv9-gcc

Regards, Joe Kotran

Posted by Joseph Kotran on March 29, 2007 at 02:14 PM PDT #

Thank you thank you for this set of instructions; I've usually had great luck with the sunfreeware.com packages, but in this case I spent hours fiddling with the server just failing to make a secure connection and not telling (in syslog) what the problem is. I used Kotran's comment to compile on SPARC.

I used the following resource that explains how to put signed certificates into a form that the imapd/openssl combination can understand, and I used cacert.org to sign my certificates:

http://gagravarr.org/writing/openssl-certs/personal.shtml#uw-imap

Next step is to figure out whether I can make imapd allow unencrypted sessions on port 143 for internal and legacy clients, and require encryption on port 993 for external connections. Any suggestions? Thanks again!

Posted by Steve Gaede on April 02, 2007 at 03:23 PM PDT #

Steve, did you try just setting up an SMF/inetd service for the plain IMAP (143) service? It might just work. During my tinkering I did notice that imapd seemed to determine what to do based on the /etc/services entry it found for the port it was running on. When I took out the entry for imaps in /etc/services, it didn't seem to work right anymore. Also, check out the SSLBUILD file; I seem to recall some options there.

Posted by Joe Mocker on April 02, 2007 at 03:33 PM PDT #

Ugh. I've spent the past few days trying to get UW imapd to work on OpenSolaris11. I compiled UW-imapd against blastwave SSL pkg, then tried Sun Freeware SSL pkg, and also built openssl from scratch several times. It doesn't matter what I do -- I always get the error:

Jun 28 15:58:04 osa.bitpusher.org imapd[4006]: [ID 853321 mail.error] SSL error status: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable

I know this is related to the missing cipher suite (AES 256), based on several posts I've read. The only thing that is done differently here (i.e. this posting) is UW-imap is compiled using a static ssl library -- I'm not sure why this fixes it. I followed your instructions to a T and my imapd wouldn't even work (with the static lib.)

Can someone explain to me why compiling UW-imap with the static ssl library fixes this issue? I still have not gotten it to work, and I'm going nuts.

Thanks for any input.

Posted by Christian Gough on June 28, 2007 at 09:09 AM PDT #

Heh. Well, my last posting was premature. I recompiled everything from scratch, following these instructions, and finally got it to work...so I must have done something stupid the first time. Thanks so much for this posting!

Posted by Christian Gough on June 28, 2007 at 09:30 AM PDT #


This blog copyright 2009 by mock