Hello,

Wednesday, August 18, 2004, 8:53:02 PM, Mark Powell wrote:

> I think you're right. I thought it could just forget the encryption if a
> starttls was not issued as the 1st command, but it seems not.

I've seen some patch for stunnel 3.x (but haven't tried it, as it's for 3.x and as I have "fulltime" TLS) and it seems it addresses "negotiated TLS" - http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/stunnel-tlsproxy.html

> I've just set this up here, but it would still be interesting to also see
> your config files.

I hope I won't forget anything:

# cat /service/qpsmtpd-smtps/run
#!/bin/sh
# daemontools run script: tcpserver listens on the smtps port and hands
# each accepted connection to stunnel, which execs qpsmtpd on the decrypted stream
echo $$ > /var/run/qpsmtpd-smtps.pid
QMAILDUID=`id -u qpsmtpd`
NOFILESGID=`id -g qpsmtpd`
MAXCLIENTS=`cat /var/qmail/control/concurrencyincoming`
SMTPSCONF=/etc/stunnel/smtps.conf
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi
cd /usr/local/qpsmtpd
# -x: per-client rules (RELAYCLIENT etc.), looked up on the real peer address
exec /usr/local/bin/softlimit -m 25000000 \
    /usr/local/bin/tcpserver -c $MAXCLIENTS -v -R -p -x /etc/tcpserver/smtp.rules.cdb \
    -u $QMAILDUID -g $NOFILESGID `head -1 config/IP` smtps \
    stunnel $SMTPSCONF ./qpsmtpd 2>&1
=====8<=====
# cat /etc/stunnel/smtps.conf
# /etc/stunnel/smtps.conf
client = no
foreground = yes
cert = /etc/ssl/certs/smtps.pem
# inetd-style mode (no accept/connect): stunnel execs qpsmtpd directly
exec = pperl
execargs = pperl -Tw --no-cleanup /usr/local/qpsmtpd/qpsmtpd
=====8<=====

The only problem I have is the error message in qpsmtpd-smtps' log:

LOG3[13075:1076599168]: SSL_read (ERROR_SYSCALL): Connection reset by peer (104)

It appears after accepting the message from the MUA and has no effect on message delivery. It is also present in our qmail+stunnel setup, but ATM I don't know how to get rid of that.

I've tried setting stunnel into daemon mode (you know, with accept=465, connect=25 and stuff), but besides the message still being in the log, this method has a BIG disadvantage - the connection on the server side (when stunnel is connecting to smtp) is done from 127.0.0.1, so there's an issue with open relay.

What's your setup? ;)

-- 
spaze -- exploited.cz -- tojeono.cz
- forget everything and remember! -
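As an added example (not part of the mail above or of any of the tools it names), a small Python simulation of the tcprules lookup that tcpserver performs against a rules file such as smtp.rules.cdb. It shows why the daemon-mode variant the poster rejected is an open-relay risk: with stunnel run inline by tcpserver the rules see the real client address, but with accept=465/connect=25 every TLS client reaches the SMTP listener from 127.0.0.1 and inherits whatever the loopback rule grants. The rule set and client addresses are constructed.

```python
"""Simulate tcprules matching for two stunnel deployment modes (constructed data)."""

# Constructed rules in tcprules text syntax: address:instruction[,VAR="value"...]
# A trailing dot is a prefix match; an empty address is the catch-all rule.
SMTP_RULES = """\
# local machine and LAN may relay
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
# everybody else: mail for rcpthosts only
:allow
"""


def parse_rules(text):
    """Parse tcprules text into (address, instruction, env) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        instr, *envs = rest.split(",")
        env = {k: v.strip('"') for k, _, v in (e.partition("=") for e in envs)}
        rules.append((addr, instr, env))
    return rules


def lookup(rules, client_ip):
    """Return the first rule matching the IP: exact, then shorter dotted prefixes, then default."""
    octets = client_ip.split(".")
    candidates = [client_ip] + [".".join(octets[:i]) + "." for i in range(3, 0, -1)] + [""]
    for cand in candidates:
        for addr, instr, env in rules:
            if addr == cand:
                return instr, env
    return "deny", {}


def peer_seen_by_rules(mode, real_client_ip):
    """'exec' = stunnel started by tcpserver (real peer); 'daemon' = stunnel proxies from loopback."""
    return real_client_ip if mode == "exec" else "127.0.0.1"


def relay_allowed(rules, mode, real_client_ip):
    """True if this client would get RELAYCLIENT, i.e. may relay to arbitrary domains."""
    instr, env = lookup(rules, peer_seen_by_rules(mode, real_client_ip))
    return instr == "allow" and "RELAYCLIENT" in env


RULES = parse_rules(SMTP_RULES)
```

Running `relay_allowed(RULES, "daemon", "203.0.113.7")` returns True for any remote address, which is exactly the open-relay condition described in the mail.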
