ATT Worldnet SSL stunnel

CONNECTING TO ATT WORLDNET OVER THE INTERNET
By Jay O'Brien
jayobrien@att.net
March 2, 2002

Warning:

This is not intended as a step-by-step set of instructions. This is documentation of what I did to enable a Secure Sockets Layer (SSL ) encrypted connection to ATT Worldnet so as to be able to access email and ATT's News server over my non-ATT DSL connection. This is really written to help me should I need to do this again or to troubleshoot my setup. You are on your own following this document; all the necessary reference material (and then some) is linked below. I cannot provide technical assistance beyond this document itself. I hope it is useful, and I would very much appreciate advice about any errors contained herein.

Preface:

This setup follows the WURD and ATT instructions for email and for news, using a program called stunnel. To access the News server, you must sign up as a "beta tester", as ATT hasn't (at this time) turned it loose without controls. Click here (when dialed up to ATT) to learn about SSL news. The url is http://netnews.worldnet.att.net/inetnews_announce.html.

My Setup:

I have a small LAN behind a router. I have a dial-up modem on a computer which will dial out to ATT Worldnet when the IP addresses that are only accessible via dial-up are called for by my mail client, browser or other program. My multihoming setup is described here. My preferred Mail and Browser clients are Netscape 4.79; I also run Outlook Express and Internet Explorer 5.5 SP2.

Some Facts:

This information applies to ATT Worldnet and specifics may vary:
Service                       URL                          IP               TCP/IP Port
Regular Outgoing Mail (SMTP)   mailhost.att.net              204.127.8.31      25
SSL Outgoing mail (SMTP)       imailhost.worldnet.att.net    204.127.134.146   465

Regular Incoming mail (POP3) postoffice.att.net 204.127.5.31 110
SSL Incoming mail (POP3) ipostoffice.worldnet.att.net 204.127.134.145 995

Regular News server (NNTP) netnews.att.net 204.127.36.1 119
SSL News server (NNTP) inetnews.worldnet.att.net 204.127.161.11 563

Netscape 4.79:

Netscape 4.79 can be set up to access SSL News on port 563. However, Netscape 4.79 is only capable of non-SSL mail; it must receive (POP3) on port 110 and send (SMTP) on port 25. Netscape is told to communicate with stunnel, and stunnel is told to communicate with the ATT mail servers.

Create Netscape Profile:

As I want to be able to easily revert to the non-SSL dial-up configuration, rather than change the Netscape profile to reflect the new SSL values, I created a new user profile for the SSL connection. I set it up to use the existing mail folders, address book, and bookmarks that exist in the old profile. I copied my existing preferences to the new profile. This is NOT necessary if it isn't required to be able to revert to non-SSL mail.

Note that my existing files are in the directory D:\Netscape\Users\jayobrien.att\. My mail and news files are on the D drive as part of my backup scheme; there is no requirement that they be placed on the D drive.

Run Netscape:

Netscape|Manage Profiles|New|Next
Full Name: Jay O'Brien
Email Address: leave blank
Next
Profile Name: jayobrien.attssl
Directory: D:\Netscape\Users\jayobrien_attssl (this is generated by Netscape)
Outgoing Mail server: (leave as "mail" for now)
Finish

Netscape opens: close Netscape.

Copy these files from old User directory to D:\Netscape\Users\jayobrien_attssl: cookies.txt ,custom.dic, liprefs.js, prefs.js.

Run Netscape on new profile, make these changes:

Edit|Preferences|Mail Servers Delete existing postoffice.att.net
Add Server name 127.0.0.1 | Type POP3 | User name jayobrien@att.net |
check remember password | Check for mail every 4 minutes |
Change outgoing mail server to 127.0.0.1 |
Outgoing mail server user name jayobrien@att.net |
Use SSL: never |
Note: local mail directory is D:\Netscape\Users\jayobrien.att\Mail
(this came from the prefs.js file moved from the other directory)
OK

Close Netscape.

In D:\Netscape\Users\jayobrien_attssl\:

delete all subdirectories (it is using those under D:\Netscape\Users\jayobrien.att\)
Edit prefs.js: change user pref to point to address book as follows:
user_pref("ldap_2.servers.pab.filename", "D:\\Netscape\\Users\\jayobrien.att\\pab.na2");
Edit prefs.js: change user pref to point to bookmarks as follows:
user_pref("browser.bookmark_location", "D:\\Netscape\\Users\\jayobrien.att\\bookmark.htm");
Delete pab.na2 (address book file not used)
Delete boookmark.htm (bookmark file not used)

Stunnel:

From stunnel.org, install:

C:\stunnel\stunnel-3.22.exe
C:\WINDOWS\SYSTEM\libeay32.dll
C:\WINDOWS\SYSTEM\libssl32.dll

From WURD, install:

C:\stunnel.bat

Note: The stunnel.bat file is three lines, as follows:
start /m C:\stunnel\stunnel-3.22.exe -c -d 110 -r ipostoffice.worldnet.att.net:995
start /m C:\stunnel\stunnel-3.22.exe -c -d 25 -r imailhost.worldnet.att.net:465
exit

The stunnel.bat file uses the 'start' command to run the windows stunnel.exe program. The /m argument runs the program "minimized", or in the background. The stunnel arguments used are: -c, client mode, which expects the "other end" to speak SSL; -d [port], run in daemon mode listening on port [port] on all IP addresses; -r [host:port], connect to remote service/port.

The batch file above will load two copies of stunnel.exe. The first one talks unencrypted to Netscape on port 110 and talks encrypted (SSL) to ATT's POP3 server on port 995. The second copy of stunnel talks to unencrypted Netscape on port 25 and talks encrypted (SSL) to ATT's SMTP server on port 465.

Make shortcut to stunnel.bat and put it on desktop. Rename it "Stunnel".Set shortcut to close on exit and to run minimized. Change the Icon (choose from selection).

When stunnel.bat is run by clicking on the shortcut, it will install the two copies of stunnel.exe and close. The two stunnel copies will stay loaded and will show in the task bar. To close stunnel, click on it in the task bar and press control-c.

Operation:

To access ATT Worldnet email via SSL over the internet, run stunnel and then select the new Netscape profile. To use the non-SSL dial-up, close Netscape and select the old user profile. Note that the cookies will be different as I haven't found a way to share cookies between profiles. The SSL email and news also works fine via dial-up to ATT; the only reason to revert to the non-SSL profile would be in the case where there is a problem with the SSL servers on the ATT end. I switch the routing between DSL and dialup using a "Route" command; see multihoming for a discussion.

It is necessary on occasion to type in the user ID jayobrien and the password for that user ID to send and receive email and News. One time I had a problem and when I typed in jayobrien@att.net as the ID, then it worked. I don't know if that was the reason. Note that Netscape will now display a connection to 127.0.0.1, the stunnel address, rather than the ATT server urls when communicating with the servers.

Note that ATT Worldnet account information and certain web pages may only be accessed when dialed-up to ATT. Some examples are as follows:

AT&T WorldNet Member Services --   https://memberservices.att.net/ (204.127.43.30 ; 204.127.12.31)
webmail.att.net -- http://webmail.att.net (204.127.12.35)
AT&T WorldNet®: Beta Site --   https://betasite.worldnet.att.net/ (204.127.43.162)
www.worldnet.att.net   -- http://www.worldnet.att.net (204.127.12.39 ; 204.127.43.37)

Open Issues:

SHUT DOWN STUNNEL
How to gracefully shut down stunnel? The best way seems to be to click on the task bar button to open the window, then hit Ctrl-C. This avoids the error window and the need to click on it. Stunnel docs say that stunnel, in daemon mode, will accept TERM, QUIT and INT commands to shut it down, but I don't know how to do this with stunnel as I am running it. I haven't been able to get a response on the stunnel mailing list. It would be nice to be able to run a batch file to shut stunnel down.

PASSWORDS
There doesn't seem to be any logic to when passwords and user IDs are needed. It isn't a problem, but is curious.

LARGE ATTACHMENTS - SEND EMAIL
I note that if I send a large attachment (1 MB plus) to an email message, that the Netscape (v4.79) window "Mail Message Sent; waiting for reply..." doesn't ever go away, as if the mail was not acknowledged. The window goes away right away with small email messages. The message isn't actually sent until I hit "cancel" in that window. Then the email is sent ok, but the message I sent is not moved into the "sent" folder in Netscape. More research is needed here.

COOKIE SHARING BETWEEN PROFILES
Is there a way to share cookie files between Netscape profiles, like that possible with address book, bookmarks, mail files, etc?

/end/