Hi, I have checked out popa3d from the OpenBSD tree from 20131214 (that's the day before it was tedu'd) and wrote a tls multiplexer to it. I also added an imsg framework to further protect shadowed passwords when getpwnam_shadow() is used. The popa3d is unveiled from the start, and much later pledges because under pledge /etc/spwd.db can't be read. But because of privsep the network facing TLS multiplexer can pledge with "stdio", which is awesome.
The tarball is here: https://www.centroid.eu/public/popa3d-tls-20181218.tgz

My repo is here: https://centroid.eu/cgi-bin/cvsweb/popa3d/popa3d/

Hints on improvement welcome! I'm hopefully going to have a maildir format in the early weeks of January (have to write it unless I find code somewhere for it). Until then I'm probably not using it in production. I have never run a client on it but I have used the POP3 commands USER, PASS, LIST, RETR, DELE and TOP on it and it worked.

One thing you'll need is a config file; mine looks like this in /etc/popa3d.conf:

----------->
listen on 0.0.0.0 port 995
listen on :: port 995
tls certfile "/etc/ssl/popserver.crt"
tls keyfile "/etc/ssl/private/popserver.key"
<----------

You make the TLS keys with help from the ssl manpage. Also, when you test this, be sure to give openssl s_client the -quiet flag, otherwise you'll be tripped up on the RETR command, which is renegotiation for openssl s_client.

Finally a project that isn't a complete failure! Because of unveil and pledge this program is not portable to any OS other than OpenBSD, but I don't count on this being taken from the attic back into the source environment... maybe we can make it a port? Patches for me are welcome!

Regards,
-peter
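
The privilege-separation split described in the message, as an added sketch that is not popa3d's code: a network-facing child that can pledge "stdio" hands the credentials to a privileged parent and gets back only a one-byte verdict. Assumptions: a plain socketpair() stands in for the imsg framework, check_secret() stands in for getpwnam_shadow() plus the hash check, all names and the alice/s3cret account are constructed, and pledge() is compiled only on OpenBSD.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

struct auth_req { char user[32]; char pass[64]; };

/* Stand-in (assumption) for getpwnam_shadow() + the hash comparison; the
 * constructed account is alice / s3cret. Runs only in the parent. */
static int check_secret(const struct auth_req *r)
{
	return strcmp(r->user, "alice") == 0 && strcmp(r->pass, "s3cret") == 0;
}

/* Returns 1 = accepted, 0 = rejected, -1 = error. */
int privsep_auth(const char *user, const char *pass)
{
	struct auth_req req;
	char verdict = 0;
	int sv[2], status;
	pid_t pid;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return -1;
	pid = fork();
	if (pid == 0) {		/* network-facing child: no file access */
		close(sv[0]);
#ifdef __OpenBSD__
		if (pledge("stdio", NULL) == -1)
			_exit(2);
#endif
		memset(&req, 0, sizeof(req));
		strncpy(req.user, user, sizeof(req.user) - 1);
		strncpy(req.pass, pass, sizeof(req.pass) - 1);
		if (write(sv[1], &req, sizeof(req)) != (ssize_t)sizeof(req) ||
		    read(sv[1], &verdict, 1) != 1)
			_exit(2);
		_exit(verdict == 1 ? 0 : 1);	/* saw a verdict, never a hash */
	}
	close(sv[1]);		/* privileged parent: owns the password database */
	if (pid > 0 && read(sv[0], &req, sizeof(req)) == (ssize_t)sizeof(req)) {
		req.user[sizeof(req.user) - 1] = '\0';	/* do not trust the child */
		req.pass[sizeof(req.pass) - 1] = '\0';
		verdict = (char)check_secret(&req);
		(void)send(sv[0], &verdict, 1, MSG_NOSIGNAL);
	}
	close(sv[0]);
	if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status) <= 1 ? !WEXITSTATUS(status) : -1;
}
```

The child's exit status carries the verdict back only so the caller can check it here; in a server the child would carry on with the POP3 session instead of exiting.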