On Fri, 20 Aug 2004, spaze wrote:

> Wednesday, August 18, 2004, 8:53:02 PM, Mark Powell wrote:
> > I think you're right. I thought it could just forget the encryption if a
> > starttls was not issued as the 1st command, but it seems not.
>
> I've seen some patch for stunnel 3.x (but haven't tried it, as it's for 3.x
> and as I have "fulltime" TLS) and it seems it addresses "negotiated TLS" -
> http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/stunnel-tlsproxy.html
Yeah, I saw that on my travels, but decided not to use it. I didn't see any
point in using stunnel 3.x, but it did seem attractive having the client
optionally doing encryption with starttls. That way we could just provide the
optional encryption on port 25. However, our users requested that they wanted
it on another port due to ISP port 25 blocking. Thus I forgot it.

> > I've just set this up here, but it would still be interesting to also see
> > your config files.
>
> I hope I won't forget anything:
>
> # cat /service/qpsmtpd-smtps/run
> #!/bin/sh
> echo $$ > /var/run/qpsmtpd-smtps.pid
>
> QMAILDUID=`id -u qpsmtpd`
> NOFILESGID=`id -g qpsmtpd`
> MAXCLIENTS=`cat /var/qmail/control/concurrencyincoming`
> SMTPSCONF=/etc/stunnel/smtps.conf
>
> if [ ! -f /var/qmail/control/rcpthosts ]; then
>     echo "No /var/qmail/control/rcpthosts!"
>     echo "Refusing to start SMTP listener because it'll create an open relay"
>     exit 1
> fi
>
> cd /usr/local/qpsmtpd
> exec /usr/local/bin/softlimit -m 25000000 \
>     /usr/local/bin/tcpserver -c $MAXCLIENTS -v -R -p -x /etc/tcpserver/smtp.rules.cdb \
>     -u $QMAILDUID -g $NOFILESGID `head -1 config/IP` smtps \
>     stunnel $SMTPSCONF ./qpsmtpd 2>&1

I take it that ./qpsmtpd is just a left over from the previous run setup? Or
does that do something?

> =====8<=====
>
> # cat /etc/stunnel/smtps.conf
> # /etc/stunnel/smtps.conf
> client = no
> foreground = yes
> cert = /etc/ssl/certs/smtps.pem
> exec = pperl
> execargs = pperl -Tw --no-cleanup /usr/local/qpsmtpd/qpsmtpd

I hadn't thought of using pperl on these connections. Maybe if they get some
real use I will. Although I'm still testing pperl on port 25. That's another
load of qpsmtpd instances hanging around though. These relays need more RAM :(

> the only problem I have is the error message in qpsmtpd-smtps' log:
> LOG3[13075:1076599168]: SSL_read (ERROR_SYSCALL): Connection reset by peer (104)
> it appears after accepting the message from MUA and has no effect on message
> delivery.
> It is also present in our qmail+stunnel setup, but ATM I don't
> know how to get rid of that. I've tried setting stunnel into daemon mode
> (you know, with accept=465, connect=25 and stuff), but besides the message
> still being in the log, this method has a BIG disadvantage - the connection on
> the server side (when stunnel is connecting to smtp) is done from 127.0.0.1,
> so there's an issue with open relay.

Yeah, that is a problem I didn't want to tackle. Even though running extra
qpsmtpd instances just for the other ports seemed to be overkill, it seems the
easiest way.

I haven't seen that error although we have only had a handful of these
connections so far. Maybe something to do with the stunnel build, here's mine:

$ stunnel -version
stunnel 4.05 on i386-portbld-freebsd4.10 PTHREAD+LIBWRAP with OpenSSL 0.9.7d 17 Mar 2004

Global options
cert                   = /usr/local/etc/stunnel/stunnel.pem
ciphers                = ALL:!ADH:+RC4:@STRENGTH
debug                  = 5
key                    = /usr/local/etc/stunnel/stunnel.pem
pid                    = /var/tmp/stunnel.pid
RNDbytes               = 64
RNDfile                = /dev/urandom
RNDoverwrite           = yes
session                = 300 seconds
verify                 = none

Service-level options
TIMEOUTbusy            = 300 seconds
TIMEOUTclose           = 60 seconds
TIMEOUTidle            = 43200 seconds

> What's your setup? ;)

We have a need for both smtp over ssl and smtp with tls to support different
clients. I decided to run these on ports 465 and 587 respectively. I made a
quick mod so that my authldap plugin is only used on these encrypted ports and
not at all on port 25.
-----
$ cat /service/smtp-ssl/run
#!/bin/sh
LISTENADDR=0
LISTENPORT=smtps
exec 2>&1
exec env - PATH=$PATH:/usr/local/sbin:/usr/local/bin:/var/qmail/bin LANG=C /usr/local/bin/softlimit -m 25000000 \
    /usr/local/bin/envuidgid smtpd \
    /usr/local/bin/tcpserver -DRUvXl0 -c 16 -b 128 -x /etc/tcp.smtps.cdb $LISTENADDR $LISTENPORT \
    /usr/local/bin/softlimit -t 120 \
    /usr/local/sbin/stunnel /usr/local/etc/stunnel/smtps.conf

$ cat /usr/local/etc/stunnel/smtps.conf
cert = /usr/local/etc/stunnel/star.salford.ac.uk.pem
exec = /var/qmail/qpsmtpd/qpsmtpd/qpsmtpd.ssl
execargs = /var/qmail/qpsmtpd/qpsmtpd/qpsmtpd.ssl
TIMEOUTidle = 120
foreground = yes

$ cat /var/qmail/qpsmtpd/qpsmtpd/qpsmtpd.ssl
#!/bin/sh
#
# start qpsmtpd for stunnel
#
cd /var/qmail/qpsmtpd/qpsmtpd
#exec /usr/local/bin/setuidgid smtpd /var/qmail/qpsmtpd/qpsmtpd/qpsmtpd
exec ./qpsmtpd

$ cat /service/starttls/run
#!/bin/sh
LISTENADDR=0
LISTENPORT=587
exec 2>&1
exec env - PATH=$PATH:/usr/local/sbin:/usr/local/bin:/var/qmail/bin LANG=C /usr/local/bin/softlimit -m 25000000 \
    /usr/local/bin/envuidgid smtpd \
    /usr/local/bin/tcpserver -DRUvXl0 -c 16 -b 128 -x /etc/tcp.smtps.cdb $LISTENADDR $LISTENPORT \
    /usr/local/bin/dropconn \
    /usr/local/bin/softlimit -t 120 \
    /usr/local/sbin/stunnel /usr/local/etc/stunnel/starttls.conf

$ cat /usr/local/etc/stunnel/starttls.conf
cert = /usr/local/etc/stunnel/star.salford.ac.uk.pem
exec = /var/qmail/qpsmtpd/qpsmtpd/qpsmtpd.ssl
execargs = /var/qmail/qpsmtpd/qpsmtpd/qpsmtpd.ssl
protocol = smtp
TIMEOUTidle = 120
foreground = yes
-----

Cheers.

-- 
Mark Powell - UNIX System Administrator - The University of Salford
Information Services Division, Clifford Whitworth Building,
Salford University, Manchester, M5 4WT, UK.
Tel: +44 161 295 4837  Fax: +44 161 295 5888  www.pgp.com for PGP key
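The thread's security point is the difference between stunnel's daemon mode (accept/connect, where the SMTP backend only ever sees 127.0.0.1 and address-based relay rules stop meaning anything) and exec mode (exec/execargs, where tcpserver's rules on the real peer still apply). The lint below, added here as an example and not part of either poster's setup, reads a stunnel 4 service config and flags the daemon-mode pattern, and for a port-587 style listener checks that protocol = smtp is set; the sample config files and their paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): lint a stunnel service config for the
# open-relay pitfall discussed above. In daemon mode (accept/connect) the SMTP
# backend sees every session as coming from 127.0.0.1, so relay decisions keyed
# on the client address (tcpserver rules, RELAYCLIENT) treat the whole world as
# local. In exec mode (exec/execargs) stunnel spawns the backend itself and
# tcpserver's rules on the real peer address still apply.
# Usage: check_stunnel_conf FILE [starttls]; "starttls" marks a port-587 style
# listener, which must carry "protocol = smtp".

check_stunnel_conf() {
    conf=$1; mode=${2:-smtps}
    # drop comments/blank lines, normalise "key = value" to "key=value"
    kv=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
             -e 's/^[[:space:]]*\([A-Za-z]*\)[[:space:]]*=[[:space:]]*/\1=/' "$conf")
    has() { printf '%s\n' "$kv" | grep -q "^$1="; }
    val() { printf '%s\n' "$kv" | sed -n "s/^$1=//p" | head -1; }

    if has connect && ! has exec; then
        echo "$conf: daemon mode (connect=$(val connect)): backend sees 127.0.0.1, relay rules bypassed"
        return 1
    fi
    has exec || { echo "$conf: neither exec nor connect set"; return 1; }
    if [ "$mode" = starttls ] && [ "$(val protocol)" != smtp ]; then
        echo "$conf: STARTTLS listener without 'protocol = smtp'"
        return 1
    fi
    echo "$conf: ok (exec mode)"
    return 0
}

# Constructed sample configs (placeholder paths, not the files quoted above).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/starttls.conf" <<'EOF'
cert = /path/to/cert.pem
exec = /path/to/qpsmtpd.ssl
execargs = /path/to/qpsmtpd.ssl
protocol = smtp
TIMEOUTidle = 120
foreground = yes
EOF
cat > "$SAMPLES/daemon.conf" <<'EOF'
cert = /path/to/cert.pem
accept = 465
connect = 25
EOF

check_stunnel_conf "$SAMPLES/starttls.conf" starttls
check_stunnel_conf "$SAMPLES/daemon.conf" || true
```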
