How to enable various SSL modes with the Qpopper POP3 program, focusing on running it from inetd.
In this case we are running Qpopper under inetd instead of as a stand-alone server. By default, when you install the package it configures itself to listen on port 110 for unencrypted POP3 connections. We are going to enable the start TLS (STLS) command so that savvy POP3 clients can upgrade to encryption on the standard port. We are also going to listen on a second port in "alternate-port" (aka wrapper) mode so that we continue to support POP3 clients that are behind the times. After changing the configuration settings listed in this section, restart your inetd server and you should be good to go.
The first place we head is the qpopper.conf file. Putting common and default options here keeps our command line short. By changing tls-support to stls and pointing tls-server-cert-file to a self-signed or other public/private key certificate file that matches our server's name, we enable STLS for all new connections on the default POP3 port (110). The conf file has comments next to the example defaults of these two options.
Alternatively, you could leave tls-support unset here and instead modify the inetd.conf entry to use -l1.
In inetd.conf we add a new line for the SSL wrapper mode:
- pop3s stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.qpopper -f /etc/qpopper.conf -l2
We are telling inetd to listen on the pop3s port, port 995 as noted in /etc/services, for alternate-port connections. The -l2 option is after the conf file so that we can override the stls default we had set.
Alternatively, you could set -l1 on the existing pop-3 entry and add -l2 for the new pop3s entry.
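One way to check the result offline, as an added example that is not part of the original page or of Qpopper: it computes the effective TLS mode of each in.qpopper entry and flags a port whose mode does not match its role. It assumes `set option = value` lines with `#` comments in qpopper.conf, that -l0 means no TLS, and that options apply left to right; the sample files and certificate path are constructed.

```python
# Added example; the sample files below are constructed, not from a real host.
L_MODES = {"0": "none", "1": "stls", "2": "alternate-port"}  # "0" is an assumption

def conf_tls_mode(conf_text):
    """tls-support value set in qpopper.conf text, or None if the file does not set it."""
    mode = None
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ").split()
        if parts[:2] == ["set", "tls-support"] and len(parts) > 2:
            mode = parts[2]
    return mode

def effective_modes(inetd_text, conf_files):
    """Map each in.qpopper service in inetd.conf text to its effective TLS mode.
    conf_files maps a path to that file's text. Options are modelled as applied
    left to right (an assumption drawn from the page placing -l2 after -f)."""
    modes = {}
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 7 or "in.qpopper" not in " ".join(fields[5:7]):
            continue
        mode, args = "none", iter(fields[6:])
        for arg in args:
            if arg.startswith("-f"):  # -f FILE or -fFILE
                path = arg[2:] or next(args, "")
                mode = conf_tls_mode(conf_files.get(path, "")) or mode
            elif arg.startswith("-l"):  # -l2 or -l 2
                mode = L_MODES.get(arg[2:] or next(args, ""), "invalid")
        modes[fields[0]] = mode
    return modes

def audit(modes):
    """Warn when a service's mode does not match the role the page gives its port."""
    warnings = []
    for service, mode in modes.items():
        wanted = "alternate-port" if service == "pop3s" else "stls"
        if mode != wanted:
            warnings.append(f"{service}: expected {wanted}, got {mode}")
    return warnings

SAMPLE_CONF = "set tls-support = stls\nset tls-server-cert-file = /path/to/cert.pem\n"
SAMPLE_INETD = """\
pop-3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.qpopper -f /etc/qpopper.conf
pop3s stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.qpopper -f /etc/qpopper.conf -l2
"""

if __name__ == "__main__":
    modes = effective_modes(SAMPLE_INETD, {"/etc/qpopper.conf": SAMPLE_CONF})
    print(modes, audit(modes) or "ok")
```

A pop3s entry that comes out as stls or none is the case worth catching: clients configured for port 995 expect TLS from the first byte.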
As you read through the /etc/qpopper.conf file you may notice that the TLS configuration options frequently mention that they only work if Qpopper was compiled --with-openssl. It appears that this is the case in Debian 4.0 / 4.0.5.dfsg-0.1.