Hey everyone,

 

Below are the steps I figured out, ran multiple times, and haven't had a single issue with. These steps allow you to use stunnel. The only downfall to using stunnel connections is that in your logs, all connections using the secure ports have a src address of 127.0.0.1. So here they are:

 

Prerequisites

1) stunnel
2) openssl
3) web server
4) email server

 

Generating a Self-Signed Certificate with a Client Key

1) cd /etc/httpd/conf
2) make stunnel.pem
3) Follow the on-screen instructions
4) mkdir -p /usr/local/etc/stunnel
5) mv stunnel.pem /usr/local/etc/stunnel
6) cd /usr/local/etc/stunnel
7) openssl x509 -in stunnel.pem -outform DER -out qmail.der
8) cp qmail.der /var/www/html
9) See page  for client certificate installation

 

Writing the Stunnel Script

1) cd /usr/local/etc/stunnel/
2) vi stunnel.conf
3) Create the below script:

# server certificate and private key, both in this one PEM file
cert = /usr/local/etc/stunnel/stunnel.pem
# run chrooted; the pid path below is relative to the chroot directory
chroot = /usr/local/var/run/stunnel/
pid = /stunnel.pid

# drop root privileges once running
setuid = nobody
setgid = nobody

# uncomment these two to run in the foreground with verbose logging
#foreground = yes
#debug = 7
output = /usr/local/etc/stunnel/stunnel.log
#output = /dev/stdout

# one section per service: accept TLS on the high port and hand the
# plaintext to the local daemon on the connect port
[smtps]
accept = 9925
connect = 25

[pop3s]
accept = 9955
connect = 110

[imaps]
accept = 9933
connect = 143

4) vi /etc/rc.local
5) Insert the following lines

#Run the stunnel script for secure Qmail connections (smtps, pop3s, imaps)
/usr/sbin/stunnel /usr/local/etc/stunnel/stunnel.conf

6) Reboot Server

 

Installing the Self-Signed Client Key

1) In Internet Explorer, go to https://email.wtechgroup.com/qmail.der
2) Once the dialog box pops up, click Open.
3) Then click Install Certificate
4) Place the certificate in the Trusted Root Certification Authorities store
5) Click OK
6) Accept the Security Warning by clicking Yes
7) Set up the necessary account and ports in Outlook.
8) Restart Outlook

 

 

Ryan Starrett

Senior Support Tech.

Walser Technology Group, Inc.
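As an added example (not code from Ryan's post and not stunnel's own code), the following parses an stunnel 4-style config in the format shown above, where global options come first and each wrapped port gets its own [service] section, and lists the points a reviewer would check before deploying it: the log path, privilege dropping, where the pid file lands once chroot is applied, whether client certificates are verified, and whether the listening ports match what mail clients expect. SAMPLE_CONF is a constructed copy of the config in the post; STANDARD_TLS_PORTS and the lint rules are this example's own assumptions.

```python
"""Parse an stunnel 4.x style config and lint it.  Added example, not code
from the post above or from stunnel.  SAMPLE_CONF is a constructed copy of
the post's config; the lint rules are this example's assumptions."""

import posixpath

# Constructed copy of the stunnel.conf from the post (stunnel 4 syntax).
SAMPLE_CONF = """\
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /usr/local/var/run/stunnel/
pid = /stunnel.pid

setuid = nobody
setgid = nobody

#foreground = yes
#debug = 7
output = /usr//local/etc/stunnel/stunnel.log
#output = /dev/stdout

[smtps]
accept = 9925
connect = 25

[pop3s]
accept = 9955
connect = 110

[imaps]
accept = 9933
connect = 143
"""

# IANA ports mail clients normally expect for these wrappers (assumption;
# the post deliberately uses 99xx ports, which the lint reports, not rejects).
STANDARD_TLS_PORTS = {"smtps": 465, "pop3s": 995, "imaps": 993}


def parse_stunnel_conf(text):
    """Return (global_opts, services), each a dict of 'key': 'value'.

    Options before the first [section] header are global; '#' and ';'
    start comment lines.  configparser is not used because it rejects
    options that appear before the first section header."""
    global_opts, services = {}, {}
    current = global_opts
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError("line %d: expected 'key = value': %r" % (lineno, raw))
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return global_opts, services


def effective_pid_path(global_opts):
    """Where the pid file really lands: stunnel resolves 'pid' inside the
    chroot directory when one is configured."""
    pid = global_opts.get("pid", "")
    chroot = global_opts.get("chroot")
    if chroot and pid:
        return posixpath.normpath(posixpath.join(chroot, pid.lstrip("/")))
    return posixpath.normpath(pid) if pid else ""


def _port(value):
    """'9925' or 'host:9925' -> 9925; None if the port is not numeric."""
    tail = value.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def lint_stunnel_conf(text):
    """Return a list of human-readable findings for the config."""
    g, services = parse_stunnel_conf(text)
    findings = []
    out = g.get("output")
    if out and posixpath.normpath(out) != out:
        findings.append("output path not normalized: %s -> %s" % (out, posixpath.normpath(out)))
    if g.get("setuid", "root") == "root":
        findings.append("stunnel keeps root privileges (no setuid)")
    if "verify" not in g:
        # Not wrong for the post's setup (only the client checks the server),
        # but a reviewer wants it stated explicitly.
        findings.append("no 'verify' option: client certificates are not checked")
    for name, opts in services.items():
        for req in ("accept", "connect"):
            if req not in opts:
                findings.append("[%s] missing '%s'" % (name, req))
        std, port = STANDARD_TLS_PORTS.get(name), _port(opts.get("accept", ""))
        if std is not None and port is not None and port != std:
            findings.append("[%s] listens on %d, not the standard %d" % (name, port, std))
    return findings
```

Run against the post's config this reports the doubled slash in the log path, the absence of client-certificate verification, and the three non-standard listening ports, and it confirms the pid file resolves to /usr/local/var/run/stunnel/stunnel.pid inside the chroot.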

 


From: Aaron Gray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 12, 2006 7:25 PM
To: [email protected]
Subject: Re: [toaster] Problem w/ POP3 over SSL/TLS

 

Good, good call.
stunnel-4.05-3

I re-read the toaster and noticed some "notes" about v4.
Made the updates.

Fixed!

No client certificate CA names sent
---
SSL handshake has read 1110 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 79C81FD115872056294B88B819FE729E8B141931DE6F2438BD7C05A59AD7E4A6
    Session-ID-ctx:
    Master-Key: 94089DA329B84B1E731B0980AB467B8E8915264B001DD701FAD6B6296B57B8E4CA7EB687D23CF8693EC4036014518D14
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1144884223
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
+OK <[EMAIL PROTECTED]>

On 4/12/06, Rick Macdougall <[EMAIL PROTECTED]> wrote:

Aaron Gray wrote:
> Following the shupp.org Toaster I am able to successfully
> do IMAP and SMTP over SSL/TLS, but I cannot connect via POP
>
> Here's some 411
>
> RedHat Enterprise Linux 4 AS
> Just installed the toaster from scratch, so it's current to his 0.8.7
>
> Thoughts??
> I just noticed multiple openssl versions there, it seems.. Hrmm... ?

Version of stunnel you are using?  I believe the toaster is set up for
3.x and RedHat has 4.x installed.

Regards,

Rick
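The openssl s_client paste above is the usual way to confirm a wrapper like this is answering, but the interesting lines (protocol, cipher, key size, verify return code, and whether a POP3 greeting actually arrived) are easy to skim past. As an added example (not code from the thread and not OpenSSL's), the following pulls those fields out of s_client output and applies a simple acceptance policy. SAMPLE_S_CLIENT is a constructed copy of the paste with the Session-ID and Master-Key omitted and a placeholder POP3 banner; the policy defaults (2048-bit minimum key, TLS 1.2+) are this example's assumptions and reflect current practice rather than what was reasonable in 2006.

```python
"""Extract handshake facts from 'openssl s_client' output and judge them.
Added example, not code from the thread or from OpenSSL.  The sample is a
constructed copy of the paste; the policy defaults are assumptions."""

import re

# Constructed from the s_client output posted above (secrets omitted,
# POP3 greeting replaced by a placeholder).
SAMPLE_S_CLIENT = """\
No client certificate CA names sent
---
SSL handshake has read 1110 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Start Time: 1144884223
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
+OK <12345.1144884223@mail.example.com>
"""

_RE = {
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M),
    "key_bits": re.compile(r"^Server public key is (\d+) bit", re.M),
    "verify": re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*?)\)", re.M),
}


def parse_s_client(text):
    """Return protocol, cipher, key_bits, verify_code, verify_msg and banner
    (the first line the server sent after the last '---' separator, e.g.
    the POP3 '+OK' greeting).  Missing fields are None."""
    info = {"protocol": None, "cipher": None, "key_bits": None,
            "verify_code": None, "verify_msg": None, "banner": None}
    m = _RE["protocol"].search(text)
    if m:
        info["protocol"] = m.group(1)
    m = _RE["cipher"].search(text)
    if m:
        info["cipher"] = m.group(1)
    m = _RE["key_bits"].search(text)
    if m:
        info["key_bits"] = int(m.group(1))
    m = _RE["verify"].search(text)
    if m:
        info["verify_code"] = int(m.group(1))
        info["verify_msg"] = m.group(2)
    if "\n---" in text:
        tail = text.rsplit("\n---", 1)[-1]
        for line in tail.splitlines():
            if line.strip():
                info["banner"] = line.strip()
                break
    return info


def assess(info, min_key_bits=2048, allowed_protocols=("TLSv1.2", "TLSv1.3"),
           banner_prefix="+OK"):
    """Return a list of reasons a client should not accept this session.
    Verify code 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) means the
    server cert is self-signed: only a client that has installed that
    exact cert, as the post describes, is actually authenticating it."""
    problems = []
    if info["verify_code"] != 0:
        problems.append("verify code %s: %s" % (info["verify_code"], info["verify_msg"]))
    if info["key_bits"] is None or info["key_bits"] < min_key_bits:
        problems.append("server key is %s bits, below %d" % (info["key_bits"], min_key_bits))
    if info["protocol"] not in allowed_protocols:
        problems.append("protocol %s not allowed" % info["protocol"])
    if not (info["banner"] or "").startswith(banner_prefix):
        problems.append("no %r banner after handshake" % banner_prefix)
    return problems
```

Against the paste, the default policy rejects on three counts (self-signed certificate, 1024-bit key, TLSv1); relaxed to 2006-era values it still flags the self-signed certificate, which is the thing the Outlook-side trust-store step in Ryan's post is there to deal with.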

 
