ASSP SSL support on port 465 using stunnel (#03) (updated 11 Mar 2011, compatible with all ASSP versions)

Be sure that all your ASSP alternative ports (listenPort2) are allowed on your firewall (TCP IN/OUT).

Using the "how to" below you can use SMTP SSL/TLS to send email securely using port 465.
If you want secure IMAP receiving, you should use port 143 with STARTTLS.
If you want secure POP3 receiving, you should use port 110 with STARTTLS.

Thanks to Szymon Rybczynski (pro-net-hosting.com and prohost.pl)

HOW TO

All lines starting with # are commands to execute as root.

1. You need stunnel installed. cPanel should have stunnel installed. To check:

   # stunnel -version

   If you get something like "stunnel 4.05 on i686-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003" you can continue.

2. You can make your own certificate for SSL or use the cPanel cert. This howto shows how to use the cPanel cert. To make your own cert, just search Google for instructions and change the cert path in stunnel.conf to your cert.

3. Setting up the stunnel user and config file:

   # adduser stunnel;passwd stunnel

   Set a password for user stunnel.

   # cd /etc/stunnel;nano -w stunnel.conf

   Copy and paste this:

   cert = /etc/stunnel/cpanel.pem
   chroot = /usr/local/cpanel/var/run/stunnel-assp/
   pid = /stunnel.pid
   setuid = stunnel
   setgid = stunnel
   output = /var/log/stunnel.log

   [ssmtp]
   accept = 465
   connect = 127.0.0.2:26

   Note: you should replace 26 with the alternative port you have set up in listenPort2; by default you will find port 26.

   Save the file.

4. Copy the cPanel cert.

   If you have correctly set your own certificate for your cPanel/Exim services in WHM > Service Configuration >> Manage Service SSL Certificates, execute this:

   # cp /var/cpanel/ssl/cpanel/mycpanel.pem /etc/stunnel/cpanel.pem

   otherwise execute this:

   # cp /var/cpanel/ssl/cpanel/cpanel.pem /etc/stunnel/cpanel.pem

   Note: if /usr/local/cpanel/etc/cpanel.pem (or mycpanel.pem) does not exist, you can also find the cPanel certificate here: /var/cpanel/ssl/cpanel/cpanel.pem. In this case execute this:

   # cp /usr/local/cpanel/etc/cpanel.pem /etc/stunnel/

   Now execute this:

   # cd /etc/stunnel/;chown stunnel.stunnel cpanel.pem

5. Create the run dir.

   # cd /usr/local/cpanel/var/run/;mkdir stunnel-assp;chown stunnel.stunnel stunnel-assp

6. Set up 127.0.0.2. If you don't do this you will create an open relay on the SSL port.

   # cp /etc/sysconfig/network-scripts/ifcfg-lo /etc/sysconfig/network-scripts/ifcfg-lo:1
   # nano -w /etc/sysconfig/network-scripts/ifcfg-lo:1

   Change it to look like this:

   DEVICE=lo:1
   IPADDR=127.0.0.2
   NETMASK=255.0.0.0
   NETWORK=127.0.0.0
   BROADCAST=127.255.255.255
   ONBOOT=yes
   NAME=myloop

   Save.

7. Now bring lo:1 up.

   # /etc/sysconfig/network-scripts/ifup-aliases lo
   # ifconfig

   It should now list 127.0.0.2.

8. Log in to the ASSP web interface (ip:55555) and change:

   Network Setup:
     Second SMTP Listen Port: 26
     Second SMTP Destination: 127.0.0.1:125
     Force SMTP AUTH on Second SMTP Listen Port: checked
   Relaying:
     Accept All Mail: 127.0.0.1

   If you make a mistake here you can make your mail server an open relay, so double check the settings.

9. Open TCP IN/OUT port 465 on your firewall.

10. Now you are ready to start stunnel. Execute:

   # stunnel /etc/stunnel/stunnel.conf

   At this moment your SSL connection should work. Test it:

   # openssl s_client -quiet -connect localhost:465

   If you get an error then something is wrong and you need to check /var/log/stunnel.log. If you get something like:

   depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=dom.host.com/emailAddress=ssl.net
   verify error:num=18:self signed certificate
   verify return:1
   depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=dom.host.com/emailAddress=ssl.net
   verify return:1
   220-pol.nameserverus2.com ESMTP Exim 4.63 #1 Mon, 23 Jul 2007 15:42:14 +0200
   220-We do not authorize the use of this system to transport unsolicited,
   220 and/or bulk e-mail.

   everything is OK and ready to use.

   Note: if you don't want to see an SSL popup when you send email using port 465, be sure that at point 4) you copied the mycpanel.pem certificate, and your users must send email using the address of your shared SSL as the SMTP server. If you change the .pem file and you can't see the new certificate loaded correctly using

   # openssl s_client -quiet -connect localhost:465

   execute this:

   # service cpanel restart
   # /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/ex_localdomains.php

   Now if you execute this

   # openssl s_client -quiet -connect localhost:465

   you should see your server's SSL certificate.

11. If you want to monitor the stunnel daemon in case it goes down, you can add check_ssl=yes to your status.php cron in this way:

   */2 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php check_ssl=yes

   If you are using an alternative port different from port 26, i.e. 40000, in this case you should also add altport=40000:

   */2 * * * * /usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/assp/deluxe/status.php check_ssl=yes altport=40000

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Sep 28, 2011, at 9:58 PM, Paul Farrow wrote:

Played around with the settings in Thunderbird now and getting this:

Sep-28-11 22:57:34 [Worker_1] Connected: 10.1.10.149:49970 > 70.88.29.81:465 > 70.88.29.81:34217 > 70.88.29.81:125 , 4-16
Sep-28-11 22:57:34 [Worker_1] 10.1.10.149 Message-Score: added 25 for EarlyTalker, total score for this message is now 25
Sep-28-11 22:57:34 [Worker_1] 10.1.10.149 [SMTP Error] 554 5.7.1 Misbehaved SMTP session (EarlyTalker)
Sep-28-11 22:57:34 [Worker_1] Disconnected: 10.1.10.149 - command list was 'n/a' - used 1 SocketCalls

Any ideas?

Thanks
Paul

On Wed, 28 Sep 2011 19:53:44 -0700, Jeremy McSpadden wrote:

What's accepting the SSL connection? Are you using stunnel? Or the SSL in ASSP?

--
Jeremy McSpadden

On Sep 28, 2011, at 9:51 PM, "Paul Farrow" <[email protected]> wrote:

Not with you?? Sorry

On Wed, 28 Sep 2011 19:48:14 -0700, Jeremy McSpadden wrote:

Using stunnel?

--
Jeremy McSpadden

On Sep 28, 2011, at 9:46 PM, "Paul Farrow" <[email protected]> wrote:

Since upgrading to version 2, instead of an intermittent problem with Thunderbird I have a problem all the time.
The logs say this:

Sep-28-11 22:40:00 [Worker_1] Connected: 10.1.10.149:49617 > 70.88.29.81:465 > 70.88.29.81:56683 > 70.88.29.81:125 , 4-16
Sep-28-11 22:40:00 [Worker_1] 10.1.10.149 info: removed '250-STARTTLS' from reply
Sep-28-11 22:40:00 [Worker_1] Disconnected: 10.1.10.149 - command list was 'EHLO,QUIT' - used 2 SocketCalls

and Thunderbird says

Thanks
--
Paul

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
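As an added example (not part of this thread, and not ASSP's or stunnel's own code), here is a small Python audit of the stunnel.conf from step 3 of the how-to. It checks the two settings the how-to flags as relay-critical: the [ssmtp] service must forward to the ASSP second listen port on an address that is not in ASSP's "Accept All Mail" list (127.0.0.1 in step 8), and stunnel must drop privileges (chroot/setuid/setgid). The function names, the sample config string and the accept-all list are constructed for this example; ASSP's "Force SMTP AUTH" setting lives in its web config and is not visible to this check.

```python
"""Audit a stunnel.conf for the ASSP port-465 setup (added example, not from the thread)."""
import configparser

# Constructed sample: the stunnel.conf from step 3 of the how-to.
SAMPLE_STUNNEL_CONF = """\
cert = /etc/stunnel/cpanel.pem
chroot = /usr/local/cpanel/var/run/stunnel-assp/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
output = /var/log/stunnel.log

[ssmtp]
accept = 465
connect = 127.0.0.2:26
"""


def parse_stunnel_conf(text):
    """Split an INI-style stunnel.conf into (global options, {service: options}).
    Keys before the first [section] are global; each [section] is one service."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string("[__global__]\n" + text)
    glob = dict(cp["__global__"])
    services = {s: dict(cp[s]) for s in cp.sections() if s != "__global__"}
    return glob, services


def audit_ssmtp(text, accept_all_mail=("127.0.0.1",), listen_port2=26):
    """Return a list of findings; an empty list means the config matches the how-to.
    accept_all_mail mirrors ASSP's 'Accept All Mail' setting from step 8 (assumed value)."""
    findings = []
    glob, services = parse_stunnel_conf(text)
    for opt in ("chroot", "setuid", "setgid"):
        if opt not in glob:
            findings.append(f"global '{opt}' missing: stunnel would keep root privileges")
    svc = services.get("ssmtp")
    if svc is None:
        return findings + ["no [ssmtp] service: nothing listens on 465"]
    if svc.get("accept") != "465":
        findings.append(f"[ssmtp] accept = {svc.get('accept')!r}, expected 465")
    host, _, port = svc.get("connect", "").rpartition(":")
    if not host or not port.isdigit():
        return findings + [f"[ssmtp] connect = {svc.get('connect')!r} is not host:port"]
    if int(port) != listen_port2:
        findings.append(f"[ssmtp] connect port {port} is not ASSP listenPort2 ({listen_port2})")
    if host in accept_all_mail:
        # Step 6 of the how-to: forwarding to an address ASSP accepts all mail from
        # turns port 465 into an open relay for unauthenticated TLS clients.
        findings.append(f"[ssmtp] connect host {host} is in Accept All Mail: open relay on 465")
    return findings
```

Run audit_ssmtp on the contents of /etc/stunnel/stunnel.conf after step 3; any non-empty result is a setting to fix before starting stunnel in step 10.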
