Communicating with Mail Servers
The UPOPMAIL component uses the Uniface network connectors to communicate with the POP3 and SMTP servers. Both TCP and TLS are supported and you can configure the behavior of these connectors using connector options.
The TCP connector creates the physical connection for both TCP/IP and TLS connections. When you set connector options for the TCP connector, these settings stay in effect for all TCP and TLS connections. To use TLS for communication with mail servers, you must also specify TLS connector options.
For more information on these connectors, see TCP Connector and TLS Connector.
Connecting Using TLS
For TLS, you will probably need to secure the communication through the use of certificates. (Although the TLS connector supports the use of a shared key, this is unlikely to be used for communication with mail servers.) For more information, see Digital Certificates.
When using TLS and a certificate, the UPOPMAIL component takes the role of a TLS client and the mail server acts as TLS server. For more information, see Certificate-Based Authentication.
The client normally needs to verify the server, so the UPOPMAIL application needs to specify the TLS connector options for a client verifying a server. The server sends its certificate and the client must verify it. To do so, the client must have the CA certificate of the certification authority (CA) that signed the server certificate; a successful check establishes that the client trusts the server. Bundles of CA certificates are available over the internet. For more information, see Certificate Authorities.
When verifying a certificate, peer name verification is also performed. Depending on the CA bundle, the name in the certificate may not match exactly with the server address used. In this case, either obtain a certificate that does match exactly, or use the option to disable peer name verification. For more information, see the TLS connector options verify_server, ca_certificate, and verify_server_name.
For example, a typical setting to verify a mail server might be:
;client.asn
[DRIVER_SETTINGS]
USYS$TLS_PARAMS verify_server=1, ca_certificate=cacert.pem, verify_server_name=0
When making a connection to a mail server with TLS, there are two possibilities:
- Making a direct connection to the mail server using TLS. This method simply involves specifying TLS as the protocol in the server address when using the LogonMail or LogonSMTP operations. Using this method, you can make use of a TLS profile. For more information, see LogonMail, LogonSMTP, and TLS Connection Profiles.
- Making the initial connection to the mail server using TCP, and then upgrading it to a TLS connection using the STARTTLS security driver. This approach is only possible if the mail server supports the STARTTLS extension. Using this method, you cannot use a TLS profile, so you must use the USYS$TLS_PARAMS connector driver setting to specify TLS options. For more information, see SMTP STARTTLS Security Driver.
Troubleshooting
If you are having trouble getting UPOPMAIL to work with TLS, set $IOPRINT=64 to obtain extensive logging of the UPOPMAIL actions and review TLS Troubleshooting.
If a connection cannot be made or upgraded, make sure you have specified a PEM-formatted CA certificate bundle that contains the CA certificate that signed the server certificate. To see the certificate that the server is using, you can use the openssl utility.
The following command displays the mail server certificate. The certification authority is shown as the issuer.
openssl s_client -connect mail_server:port -showcerts -state
To actually verify the server certificate against the CA bundle, add -verify and -CAfile:
openssl s_client -verify 2 -connect mail_server:port -showcerts -state -CAfile cacert.pem
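The two checks that the verify_server, ca_certificate and verify_server_name options control (chain verification against a CA bundle, and peer name verification on top of it) can be exercised offline with the same openssl utility. The following script is an added example, not part of the Uniface documentation or of the UPOPMAIL component: it generates a throwaway test CA and a server certificate for the constructed host name mail.example.test, plus a second, unrelated CA, and then runs the four cases a troubleshooter needs to tell apart. All subjects, host names and file names are constructed for the example; the functions verify_chain and verify_chain_and_name are not Uniface APIs.

```shell
#!/bin/sh
# Added example; not part of the Uniface documentation or the UPOPMAIL component.
# Builds a throwaway CA plus a mail-server certificate locally and checks them
# the way a TLS client configured with verify_server=1, ca_certificate=...
# and verify_server_name=1/0 would. Everything below is constructed test data.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Constructed test CA; its certificate plays the part of cacert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" \
  -subj "/CN=Example Test CA" >/dev/null 2>&1

# 2. Server certificate for the hypothetical host mail.example.test, signed by
#    that CA and carrying the host name in subjectAltName.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
  -out "$WORK/server.csr" -subj "/CN=mail.example.test" >/dev/null 2>&1
printf 'subjectAltName=DNS:mail.example.test\n' > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -extfile "$WORK/san.cnf" \
  -out "$WORK/server.pem" >/dev/null 2>&1

# 3. An unrelated CA that did not sign the server certificate: the case of a
#    bundle that lacks the right CA certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/other.key" -out "$WORK/other-ca.pem" \
  -subj "/CN=Unrelated CA" >/dev/null 2>&1

# verify_chain BUNDLE CERT
# Succeeds only if CERT chains to a CA contained in BUNDLE: the check that
# verify_server=1 with ca_certificate=BUNDLE performs.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_chain_and_name BUNDLE CERT HOST
# As above, but additionally requires HOST to match the certificate's
# subjectAltName/CN: the extra check that verify_server_name=1 adds. A name
# mismatch on an otherwise valid chain is the situation the text describes as
# resolvable either by a matching certificate or by verify_server_name=0.
verify_chain_and_name() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# show LABEL COMMAND...: print ok/FAIL for one case without aborting under set -e
show() {
  label=$1; shift
  if "$@"; then echo "$label: ok"; else echo "$label: FAIL"; fi
}

show "chain, correct bundle"       verify_chain "$WORK/cacert.pem" "$WORK/server.pem"
show "chain, wrong bundle"         verify_chain "$WORK/other-ca.pem" "$WORK/server.pem"
show "chain+name, matching name"   verify_chain_and_name "$WORK/cacert.pem" "$WORK/server.pem" mail.example.test
show "chain+name, mismatched name" verify_chain_and_name "$WORK/cacert.pem" "$WORK/server.pem" smtp.example.test
```

Only the first and third cases succeed. The second is what a missing or wrong CA bundle looks like, and the fourth is the exact-name mismatch that verify_server_name=0 tolerates; when you see that last failure against a real server, the safer remedy is a certificate whose name matches the address used in LogonMail or LogonSMTP, because disabling name verification keeps the chain check but no longer ties the certificate to that particular host. For a live server that only offers STARTTLS, openssl s_client accepts -starttls smtp (or -starttls pop3) so that the certificate can be displayed and verified after the upgrade.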