Stunnel + qmail-smtpd
Hi,

I have been trying to use stunnel with qmail-smtpd but I can't get it to work; maybe someone has some suggestions on how to do it, or where to find information about using stunnel with smtpd. I have been trying this in some desperate moments to get it to work (and some other things) :=) :

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 200 \
    /usr/local/bin/tcpserver -v -R -l 0 -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
    -u $QMAILDUID -g $NOFILESGID 0 smtp \
    /usr/local/sbin/stunnel -p /etc/pem/smtp.pem -l /var/qmail/bin/qmail-smtpd 2>&1

But this is not working for sure.
Re: stunnel/POP3 hanging ??
mmmhhh, looks like a wrong startup script!

> Here is my invocation of stunnel:
>
> #!/bin/sh
> exec /usr/local/bin/softlimit -m 300 \
>     /usr/local/bin/tcpserver -v -likauni.vrona.com -H -R 0 pop3 \
>     /usr/local/sbin/stunnel -p /etc/stunnel.pem \
>     -l /var/qmail/bin/qmail-popup -- qmail-popup ikauni.vrona.com \
>     /bin/checkpassword /usr/sbin/relay-ctrl-allow /var/qmail/bin/qmail-pop3d Maildir 2>&1

Try something like:

[snip]
/usr/local/sbin/stunnel -p /etc/stunnel.pem -N spop3 -f -l /var/qmail/bin/qmail-popup -- qmail-popup
[snip]

Hope it helps.

---
Cordiali saluti / Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A 05100 Terni IT
Tel. +39 0744 5441330 Fax. +39 0744 5441372
Re: stunnel/POP3 hanging ??
On Mon, Jul 30, 2001 at 10:16:44AM +0200, Andrea Cerrito wrote:
> mmmhhh, looks like a wrong startup script!
>
> > Here is my invocation of stunnel:
> >
> > #!/bin/sh
> > exec /usr/local/bin/softlimit -m 300 \
> >     /usr/local/bin/tcpserver -v -likauni.vrona.com -H -R 0 pop3 \
> >     /usr/local/sbin/stunnel -p /etc/stunnel.pem \
> >     -l /var/qmail/bin/qmail-popup -- qmail-popup ikauni.vrona.com \
> >     /bin/checkpassword /usr/sbin/relay-ctrl-allow /var/qmail/bin/qmail-pop3d Maildir 2>&1
>
> Try something like:
>
> [snip]
> /usr/local/sbin/stunnel -p /etc/stunnel.pem -N spop3 -f -l /var/qmail/bin/qmail-popup -- qmail-popup
> [snip]

No. Running stunnel not as daemon but under tcpserver is a good idea. Maex posted a good example script a few days ago.

--
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany *
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: stunnel/POP3 hanging ??
Probably a misunderstanding.

> > Try something like:
> >
> > [snip]
> > /usr/local/sbin/stunnel -p /etc/stunnel.pem -N spop3 -f -l /var/qmail/bin/qmail-popup -- qmail-popup
> > [snip]
>
> No. Running stunnel not as daemon but under tcpserver is a good idea.
> Maex posted a good example script a few days ago.

The first [snip] was the tcpserver command, the second one was the qmail command. I just said that stunnel was badly invoked; in fact I added the -N (servicename) and the -f switch. This is my run script under tcpserver, uptime 83 days with no problems.

exec /usr/bin/env - PATH=/var/qmail/bin:$PATH \
    /usr/local/bin/tcpserver -v -c 50 -H -P -R -l hostname ip port \
    /usr/local/stunnel/sbin/stunnel -p /var/qmail/control/spop3.pem \
    -N spop3 -f -l /var/qmail/bin/qmail-popup /var/qmail/bin/qmail-popup \
    hostname /usr/local/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1

Just to be clear :)

---
Cordiali saluti / Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A 05100 Terni IT
Tel. +39 0744 5441330 Fax. +39 0744 5441372
Re: Stunnel + qmail-smtpd
Per-fredrik Pollnow (EPK) [EMAIL PROTECTED] wrote:
> I have been trying this in some desperate moments to get it to work (and some other things) :=) :
>
> #!/bin/sh
> QMAILDUID=`id -u qmaild`
> NOFILESGID=`id -g qmaild`
> MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
> exec /usr/local/bin/softlimit -m 200 \
>     /usr/local/bin/tcpserver -v -R -l 0 -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
>     -u $QMAILDUID -g $NOFILESGID 0 smtp \
>     /usr/local/sbin/stunnel -p /etc/pem/smtp.pem -l /var/qmail/bin/qmail-smtpd 2>&1

Try something like:

#!/bin/sh
exec /usr/local/sbin/stunnel -f -p /usr/local/etc/stunnel.pem -d 465 \
    -r 25 2>&1

It proxies the existing SMTP service, so you automatically get softlimit, a connection limit, and the qmail-smtpd processes running with the right UID/GID. The only problem is that it'll make connections look like they came from the local host, so selective relaying, et al, won't work.

-Dave
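Dave's caveat above, that a redirect-mode stunnel makes every TLS client look like 127.0.0.1 to the SMTP tcpserver, deserves a closer look in terms of the tcprules file, because a common tcp.smtp grants RELAYCLIENT to 127.* so that local programs can inject mail. The script below is an added example, not code from the thread or from ucspi-tcp: it models how tcpserver picks a rule for a connecting address (exact address, then each shorter dotted prefix, then the empty default, as the tcprules documentation describes; host-name "=" rules are not modelled) and then evaluates the relay decision for the same remote client under the two deployments discussed here, stunnel as a redirector (-d 465 -r 25) and stunnel exec'd by tcpserver with -l qmail-smtpd. The rule sets, the addresses and the mode names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread.  Models how tcpserver chooses a
# rule from a tcprules file for a connecting address, then applies it to the
# two ways of putting stunnel in front of qmail-smtpd:
#   redirect: stunnel -d 465 -r 25   (stunnel reconnects over loopback, so
#             the SMTP tcpserver sees 127.0.0.1 for every TLS client)
#   exec:     tcpserver 0 465 stunnel -l qmail-smtpd ...  (tcpserver accepts
#             the TLS connection itself, so TCPREMOTEIP is the real peer)
# Lookup order follows the tcprules documentation: exact address, then each
# shorter dotted prefix, then the empty default rule.  Host-name (=) rules
# are not modelled.  The rule sets and addresses below are constructed.

# A typical tcp.smtp: relay for loopback and the LAN, accept everyone else.
SAMPLE_RULES='127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
:allow'

# Same file with the loopback relay rule removed: the only safe form if a
# redirect-mode stunnel (or any other local proxy) feeds port 25.
HARDENED_RULES='192.168.1.:allow,RELAYCLIENT=""
:allow'

# tcprules_lookup RULES IP
#   Prints the instruction of the first matching rule (e.g. 'allow,RELAYCLIENT=""')
#   and returns 0; returns 1 if no rule matches.
tcprules_lookup() {
    rules=$1
    ip=$2
    for key in "$ip" "${ip%.*}." "${ip%.*.*}." "${ip%.*.*.*}." ""; do
        hit=$(printf '%s\n' "$rules" | awk -v k="$key" '
            /^#/ || $0 == "" { next }
            {
                i = index($0, ":")
                if (i == 0) next
                if (substr($0, 1, i - 1) == k) { print substr($0, i + 1); exit }
            }')
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    return 1
}

# relay_allowed RULES IP -> 0 if the matching rule sets RELAYCLIENT
relay_allowed() {
    case "$(tcprules_lookup "$1" "$2")" in
        *RELAYCLIENT=*) return 0 ;;
        *)              return 1 ;;
    esac
}

# effective_ip MODE CLIENT_IP -> the address the SMTP tcpserver compares
effective_ip() {
    case $1 in
        redirect) printf '127.0.0.1\n' ;;
        exec)     printf '%s\n' "$2" ;;
        *)        return 1 ;;
    esac
}

# relay_decision MODE RULES CLIENT_IP -> "relay" or "no-relay"
relay_decision() {
    seen=$(effective_ip "$1" "$3") || return 1
    if relay_allowed "$2" "$seen"; then
        echo relay
    else
        echo no-relay
    fi
}

# Stand-alone use: ./relay-demo.sh redirect 203.0.113.7   -> relay
#                  ./relay-demo.sh exec     203.0.113.7   -> no-relay
if [ $# -eq 2 ]; then
    relay_decision "$1" "$SAMPLE_RULES" "$2"
fi
```

With the sample rules, an unknown client at 203.0.113.7 gets "no-relay" in exec mode and "relay" in redirect mode, i.e. port 465 becomes an open relay even though port 25 is not. In redirect mode the fix is the hardened rule set (no RELAYCLIENT for 127.*), which also takes relaying away from everything else that connects over loopback; in exec mode the rule set stays as it is and the real address is checked, because stunnel simply inherits TCPREMOTEIP and friends from tcpserver and execs qmail-smtpd with that environment. That is the reason the later posts in this thread prefer tcpserver + stunnel -l over the daemon/redirect form.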
[ot] on trust of SSL-certificates (was: stunnel and qmail-threads)
Is there anyone using Verisign or other trusted CA-signed certificates for your stunnel connections (pop3, smtp et al)? What I really want to know is of course whether you find it in any way meaningful to use SSL encryption without being able to trust the certificates. Crypto is fine, but with these nice man-in-the-middle attack tools that exist today it may just give a false sense of security. What's your opinion? Or don't we want to discuss serious things on this list?

/magnus
Re: [ot] on trust of SSL-certificates (was: stunnel and qmail-threads)
On Mon, Jul 30, 2001 at 03:35:47PM +0200, Magnus Bodin wrote:
> What's your opinion?

Do I trust Verisign/Thawte? Surely not. The whole SSL signing infrastructure is just a big money machine. The task of signing keys for apps like https and smtp/pop3/imap over SSL is sooo easy and really really easy to automate through a mailrobot, it's a shame that someone wants more than 1$ a year for that. A kind of OpenCA would be nice, though worthless for most users as long as M$ and Netscape/AOL don't include the certificate in their browsers, and we should be sure Verisign & co pay a _lot_ for that.

--
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany *
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
stunnel/POP3 hanging ??
Hi all,

I've been running a very stable RedHat installation with qmail for some time now. Recently I've tried to install the stunnel wrapper on POP3. I believe I've done everything as I should but clients cannot successfully retrieve e-mail. It appears that something is hanging during the process. The client program (Eudora) appears to be stuck trying to get e-mail. On the server side I have the following in the log:

Jul 28 16:39:13 ikauni stunnel[5270]: Using 'qmail-popup' as tcpwrapper service name
Jul 28 16:39:13 ikauni stunnel[5270]: stunnel 3.16 on i686-pc-linux-gnu PTHREAD+LIBWRAP
Jul 28 16:39:13 ikauni stunnel[5270]: qmail-popup connected from 192.168.1.3:1307
Jul 28 16:40:16 ikauni stunnel[5270]: SSL_accept: Peer suddenly disconnected

The last line occurs when I force the client to stop trying. Here is my invocation of stunnel:

#!/bin/sh
exec /usr/local/bin/softlimit -m 300 \
    /usr/local/bin/tcpserver -v -likauni.vrona.com -H -R 0 pop3 \
    /usr/local/sbin/stunnel -p /etc/stunnel.pem \
    -l /var/qmail/bin/qmail-popup -- qmail-popup ikauni.vrona.com \
    /bin/checkpassword /usr/sbin/relay-ctrl-allow /var/qmail/bin/qmail-pop3d Maildir 2>&1

I wonder if anyone has run into this situation? I wish I could provide more information about what is going on. I guess there are ways to trace this but I don't know how to do it. Thanks for any ideas.

Dave
--
David Vrona - N9QNZ (Siesta Key, Florida)
PGP Key Fingerprint 42CA F54A A514 7DF7 2032 3F7F 91EB 89CD 1DE8 E856
Join our SETI@home amateur radio team at www.wuies.com
Re: stunnel/POP3 hanging ??
Hi David,

I had a very similar problem with stunnel and POP3 on my mail server. I installed and ran stunnel pretty much the same way you did and tried to retrieve mail with Eudora 5.1, which failed (unfortunately you didn't mention your Eudora error message so I can't tell if it's the same one). When I tried to connect with Outlook Express everything worked just fine. I guess this might be a problem in the SSL implementation in Eudora but I'm not too sure about that. I've tried to find more information on SSL on the Qualcomm pages but they don't provide anything there.

Sorry that I can not help you but let me know if you find out anything about this issue.

Regards,
Lordy

At 16:15 28.07.2001 -0400, you wrote:
> Hi all,
>
> I've been running a very stable RedHat installation with qmail for some time now. Recently I've tried to install the stunnel wrapper on POP3. I believe I've done everything as I should but clients cannot successfully retrieve e-mail. It appears that something is hanging during the process. The client program (Eudora) appears to be stuck trying to get e-mail. On the server side I have the following in the log:
>
> Jul 28 16:39:13 ikauni stunnel[5270]: Using 'qmail-popup' as tcpwrapper service name
> Jul 28 16:39:13 ikauni stunnel[5270]: stunnel 3.16 on i686-pc-linux-gnu PTHREAD+LIBWRAP
> Jul 28 16:39:13 ikauni stunnel[5270]: qmail-popup connected from 192.168.1.3:1307
> Jul 28 16:40:16 ikauni stunnel[5270]: SSL_accept: Peer suddenly disconnected
>
> The last line occurs when I force the client to stop trying. Here is my invocation of stunnel:
>
> #!/bin/sh
> exec /usr/local/bin/softlimit -m 300 \
>     /usr/local/bin/tcpserver -v -likauni.vrona.com -H -R 0 pop3 \
>     /usr/local/sbin/stunnel -p /etc/stunnel.pem \
>     -l /var/qmail/bin/qmail-popup -- qmail-popup ikauni.vrona.com \
>     /bin/checkpassword /usr/sbin/relay-ctrl-allow /var/qmail/bin/qmail-pop3d Maildir 2>&1
>
> I wonder if anyone has run into this situation? I wish I could provide more information about what is going on. I guess there are ways to trace this but I don't know how to do it. Thanks for any ideas.
>
> Dave
> --
> David Vrona - N9QNZ (Siesta Key, Florida)
> PGP Key Fingerprint 42CA F54A A514 7DF7 2032 3F7F 91EB 89CD 1DE8 E856
> Join our SETI@home amateur radio team at www.wuies.com
Re: stunnel
This is my run script.

exec /usr/bin/env - PATH=/var/qmail/bin:$PATH \
    /usr/local/bin/tcpserver -v -c 50 -H -P -R -l hostname ip port \
    /usr/local/stunnel/sbin/stunnel -p /var/qmail/control/spop3.pem -N spop3 \
    -f -l /var/qmail/bin/qmail-popup /var/qmail/bin/qmail-popup hostname \
    /usr/local/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1

-p pemfile
-N wrapper name (spop3 = secure pop3)
-f don't fork
-l command to run

Working perfectly. The only problem I encountered was solved by using a double qmail-popup after the -l switch ('-l /var/qmail/bin/qmail-popup /var/qmail/bin/qmail-popup'). Don't remember why, but I think stunnel can't work with either pop3 or smtp as a redirector.

Hope it helps.

---
Cordiali saluti / Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A 05100 Terni IT
Tel. +39 0744 5441330 Fax. +39 0744 5441372
stunnel
Hi,

I was wondering if there is anyone (probably someone) who is using stunnel for the qmail-pop3d server. I get this error message on the server all the time when I try to connect to my pop3d on port 995 with my SSL client. I start the stunnel like this:

/usr/local/sbin/stunnel -p /etc/stunnel.pem -l /var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d 995

And this is the screenshot from the foreground mode:

2001.07.26 15:24:31 LOG5[27215:73728]: Using 'qmail-pop3d Maildir 2>&1' as tcpwrapper service name
2001.07.26 15:24:31 LOG5[27215:73728]: stunnel 3.16 on i386-unknown-openbsd2.9 PTHREAD+LIBWRAP
2001.07.26 15:25:58 LOG5[27215:75776]: qmail-pop3d Maildir 2>&1 connected from 136.225.42.196:4497
2001.07.26 15:25:58 LOG3[27961:75776]: execvp: No such file or directory (2)
2001.07.26 15:29:32 LOG3[27215:77312]: SSL_accept: Peer suddenly disconnected
2001.07.26 15:29:32 LOG3[27215:75776]: select: Interrupted system call (4)
2001.07.26 15:29:32 LOG5[27215:75776]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

I'm using qmail on OpenBSD2.9.. Anyone who knows what's wrong?
Re: stunnel
On Thu, Jul 26, 2001 at 02:44:17PM +0200, Per-fredrik Pollnow (EPK) wrote:
> I start the stunnel like this:
>
> /usr/local/sbin/stunnel -p /etc/stunnel.pem -l /var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d 995
[ ... ]
> Anyone who knows what's wrong?

We do it that way:

exec /usr/local/bin/tcpserver -R -v -c 50 \
    -l popmail.space.net 195.30.0.14 pop3s \
    /usr/local/sbin/stunnel \
    -p /usr/local/services/apache-webmail/conf/ssl/space.pem \
    -l /var/qmail/bin/qmail-popup -- qmail-popup popmail.space.net \
    /var/qmail/contrib/checkpassword /var/qmail/bin/qmail-pop3d Maildir 2>&1 \
    | /var/qmail/bin/splogger qmail-pop3d-ssl 17

Works without problems ...

\Maex
--
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen          | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen asleep yet.
Re: stunnel
On Thu, Jul 26, 2001 at 02:44:17PM +0200, Per-fredrik Pollnow (EPK) wrote:
> Hi,
> I was wondering if there is anyone (probably someone) who is using stunnel for the qmail-pop3d server. I get this error message on the server all the time when I try to connect to my pop3d on port 995 with my SSL client. I start the stunnel like this:
>
> /usr/local/sbin/stunnel -p /etc/stunnel.pem -l /var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d 995

You should not pass the parameters like that with the -l parameter. From the top of my head (can be wrong):

/usr/local/bin/tcpserver 0 995 /usr/local/sbin/stunnel -p /etc/stunnel.pem \
    -l /var/qmail/bin/qmail-popup -- qmail-popup pop.example.com \
    /bin/checkpassword '~' /var/qmail/bin/qmail-pop3d Maildir

/magnus (good luck)

--
Unfortunately, those people who have nothing better to do than post on the Internet all day long are rarely the ones who have the most insights. - Jakob Nielsen, August 1997
Re: stunnel
On Thu, Jul 26, 2001 at 02:44:17PM +0200, Per-fredrik Pollnow (EPK) allegedly wrote:
> Hi,
> I was wondering if there is anyone (probably someone) who is using stunnel for the qmail-pop3d server. I get this error message on the server all the time when I try to connect to my pop3d on port 995 with my SSL client. I start the stunnel like this:
>
> /usr/local/sbin/stunnel -p /etc/stunnel.pem -l /var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d 995
>
> And this is the screenshot from the foreground mode:
>
> 2001.07.26 15:24:31 LOG5[27215:73728]: Using 'qmail-pop3d Maildir 2>&1' as tcpwrapper service name
> 2001.07.26 15:24:31 LOG5[27215:73728]: stunnel 3.16 on i386-unknown-openbsd2.9 PTHREAD+LIBWRAP
> 2001.07.26 15:25:58 LOG5[27215:75776]: qmail-pop3d Maildir 2>&1 connected from 136.225.42.196:4497
> 2001.07.26 15:25:58 LOG3[27961:75776]: execvp: No such file or directory (2)
> 2001.07.26 15:29:32 LOG3[27215:77312]: SSL_accept: Peer suddenly disconnected
> 2001.07.26 15:29:32 LOG3[27215:75776]: select: Interrupted system call (4)
> 2001.07.26 15:29:32 LOG5[27215:75776]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
>
> I'm using qmail on OpenBSD2.9.. Anyone who knows what's wrong?

Yes. You need to read the stunnel documentation more closely. Especially look at the examples in the stunnel man page and note how the command and arguments after -l are constructed. Also note how they have to be the last arguments on the command line. qmail-pop3d works just fine with stunnel - if you get the stunnel invocation right.

Regards.
Re: stunnel
On Thu, Jul 26, 2001 at 03:37:41PM +0200, Per-fredrik Pollnow (EPK) wrote:
> Hi,
> I was wondering if there is anyone (probably someone) who is using stunnel for the qmail-pop3d server. I get this error message on the server all the time when I try to connect to my pop3d on port 995 with my SSL client. I start the stunnel like this:
>
> /usr/local/sbin/stunnel -p /etc/stunnel.pem -l /var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d 995
>
> And this is the screenshot from the foreground mode:
>
> 2001.07.26 15:24:31 LOG5[27215:73728]: Using 'qmail-pop3d Maildir 2>&1' as tcpwrapper service name
> 2001.07.26 15:24:31 LOG5[27215:73728]: stunnel 3.16 on i386-unknown-openbsd2.9 PTHREAD+LIBWRAP
> 2001.07.26 15:25:58 LOG5[27215:75776]: qmail-pop3d Maildir 2>&1 connected from 136.225.42.196:4497
> 2001.07.26 15:25:58 LOG3[27961:75776]: execvp: No such file or directory (2)
> 2001.07.26 15:29:32 LOG3[27215:77312]: SSL_accept: Peer suddenly disconnected
> 2001.07.26 15:29:32 LOG3[27215:75776]: select: Interrupted system call (4)
> 2001.07.26 15:29:32 LOG5[27215:75776]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
>
> I'm using qmail on OpenBSD2.9.. Anyone who knows what's wrong?

IIRC, stunnel just wraps an existing daemon, no? Take the example 'run' script from LWQ for the pop3 service, and add the stunnel commands, so that the old 'run' script is passed to stunnel as the '-l' argument.

--
Greg White
Re: stunnel
On Thu, Jul 26, 2001 at 02:44:17PM +0200, Per-fredrik Pollnow (EPK) wrote:
> Hi,
> I was wondering if there is anyone (probably someone) who is using stunnel for the qmail-pop3d server. I get this error message on the server all the time when I try to connect to my pop3d on port 995 with my SSL client. I start the stunnel like this:
>
> /usr/local/sbin/stunnel -p /etc/stunnel.pem -l /var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d 995

Stunnel is interpreting the arg to -l as a single filename, rather than parsing it into separate arguments. I believe you want to use something like this (untested):

/usr/local/sbin/stunnel -p /etc/stunnel.pem -f -d 995 \
    -l /var/qmail/bin/qmail-pop3d -- qmail-pop3d Maildir 2>&1

Of course, you could also just use stunnel as a redirector as in:

/usr/local/sbin/stunnel -f -D 4 -p /etc/stunnel.pem -d 995 -r 110

This will simply decrypt and then pass the connection's data over to your standard pop3 program that runs under tcpserver/inetd/etc.

Clay
Re:tcpserver stunnel
Hi, here are some commands you need to run after installing openssl and stunnel. They were provided by my friend Wu Hui, who is a CA fan. Hope it's useful to you. :)

-HuangChun

1. generate the digital certificate: the private key is stored in file "test1key.pem", the content of the certificate is stored in file "test1req.pem"
   # cd /usr/local/ssl
   # ./bin/openssl req -new -keyout test1key.pem -out test1req.pem
2. Issue the digital certificate:
   # cd /usr/local/ssl
   # ./bin/openssl ca -policy policy_anything -infiles test1req.pem
3. save the certificate got from step 2 into the directory used by stunnel
4. check the content of the certificate:
   # cd the directory of step 3
   # /usr/local/ssl/bin/openssl x509 -in 03.pem -text
5. get the password of the private key
   # cd /usr/local/ssl
   # ./bin/openssl rsa -in test1key.pem -out testkey.pem
6. modify the password of the private key
   # cd /usr/local/ssl
   # ./bin/openssl rsa -in test1key.pem -out testkey.pem -des3
7. start pop3d with stunnel:
   # stunnel -d pop3s -p /usr/local/ssl/certs/stunnel.pem -l /var/qmail/bin/qmail-popup ...
   -l is followed by the command used in inetd.conf for the pop3d daemon.

> Does anyone have a working tcpserver w/stunnel configuration they'd like to share? From the list archives I gather a patch is in order however the last posts on the topic are from '98 and that code appears to be out-dated. I'm using stunnel 3.4a from the Debian packages (potato). I'm specifically interested in enabling SSL pop3, but seeing any configs for SSL smtp wouldn't be uninteresting either.
>
> TIA
>
> --
> Jamie Heilman http://wcug.wwu.edu/~jamie/
> "I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's not for you." She was cheap, she was stupid and she wouldn't load -- well, not for me, anyway." -Holly
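The seven steps above go through a CA-signed certificate (openssl req, then openssl ca) and end with a key whose passphrase is first stripped (step 5: "openssl rsa -in ... -out ..." with no cipher writes the key out unencrypted) and then put back (step 6, -des3). For a stunnel started by tcpserver nobody is there to type a passphrase, so the file given to -p must carry an unencrypted key, and because it does, its file mode is what protects the server identity. The script below is an added example, not code from the post or from stunnel: it builds a single PEM file in the layout stunnel 3.x loads with -p (private key first, then the certificate) and checks it for the three things that bite in practice: file mode, a key that does not belong to the certificate, and expiry. It assumes the openssl(1) command line is installed; the host name and paths are placeholders. It produces a self-signed certificate rather than the CA-issued one of step 2, so clients have to accept or import it explicitly, which is exactly the trust question raised elsewhere in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: create and sanity-check the PEM file
# that stunnel 3.x loads with -p.  Assumes the openssl(1) command line is
# installed; the host name and paths are placeholders chosen for the example.

# make_stunnel_pem PEMFILE HOSTNAME
#   Generates an RSA key and a self-signed certificate for HOSTNAME and
#   writes them, key first, into PEMFILE with mode 0600.  The key is left
#   unencrypted on purpose (-nodes): stunnel run from tcpserver has no
#   terminal to answer a passphrase prompt, which is what step 5 above
#   achieves after the fact with "openssl rsa -in ... -out ...".
make_stunnel_pem() {
    pem=$1
    host=$2
    tmp=$(mktemp -d) || return 1
    (
        umask 077   # key material must never be group/world readable
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$host" \
            -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
        cat "$tmp/key.pem" "$tmp/cert.pem" > "$pem"
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# check_stunnel_pem PEMFILE
#   Returns 0 only if the file is safe and usable:
#   - mode exactly 0600 (whoever can read it can impersonate the server);
#   - the private key matches the certificate (same RSA modulus);
#   - the certificate has not expired.
check_stunnel_pem() {
    pem=$1
    [ -f "$pem" ] || { echo "$pem: missing" >&2; return 1; }
    [ -n "$(find "$pem" -perm 600 -print)" ] \
        || { echo "$pem: mode must be 0600" >&2; return 1; }
    kmod=$(openssl rsa  -noout -modulus -in "$pem" 2>/dev/null) \
        || { echo "$pem: no readable private key" >&2; return 1; }
    cmod=$(openssl x509 -noout -modulus -in "$pem" 2>/dev/null) \
        || { echo "$pem: no certificate" >&2; return 1; }
    [ "$kmod" = "$cmod" ] \
        || { echo "$pem: private key does not match certificate" >&2; return 1; }
    openssl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1 \
        || { echo "$pem: certificate expired" >&2; return 1; }
    return 0
}

# pem_subject PEMFILE -> the certificate subject, i.e. what a client is shown.
pem_subject() {
    openssl x509 -noout -subject -in "$1"
}

# Stand-alone use:
#   ./make-stunnel-pem.sh /var/qmail/control/spop3.pem pop.example.com
if [ $# -eq 2 ]; then
    make_stunnel_pem "$1" "$2" && check_stunnel_pem "$1" && pem_subject "$1"
fi
```

Run check_stunnel_pem from the tcpserver run script before exec'ing stunnel, or at least after every certificate renewal: the mismatch check catches the common mistake of replacing the certificate part of the file without the key it was issued for, and the mode check catches a PEM that was copied into /var/qmail/control with the directory's default permissions.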
Re: tcpserver stunnel
Bradey Honsinger wrote: I'm not currently blocking normal POP3 connections, but as I understand it you use tcpserver to only accept pop3 traffic from localhost (which limits it to accepting connections forwarded from the s-pop3 port to the pop3 port using stunnel), in much the same way you configure qmail-smtpd to only relay mail from specific IPs. Yeah, I think this is what I'll end up doing too. I have a test setup with it and it works pretty well. The only downside to this that I can see is that using stunnel in daemon mode I don't get concurrency limits or any of the other tcpserver benefits for the initial ssl connections. I could run stunnel out of xinetd I suppose but then I wouldn't get the ssl caching hoo-ha that stunnel can do. So what's the general thought on just adding TLS/SSL support to tcpserver, is that outside of the ucspi-tcp model, better left up to a separate program, or something that would be nice but just hasn't been done yet? -- Jamie Heilman http://wcug.wwu.edu/~jamie/ "We must be born with an intuition of mortality. Before we know the words for it, before we know there are words, out we come bloodied and squalling with the knowledge that for all the compasses in the world, there's only direction, and time is its only measure." -Rosencrantz
RE: tcpserver stunnel
jamie sez: snip The only downside to this that I can see is that using stunnel in daemon mode I don't get concurrency limits or any of the other tcpserver benefits for the initial ssl connections. I could run stunnel out of xinetd I suppose but then I wouldn't get the ssl caching hoo-ha that stunnel can do. I poked around a bit, and there's a (much) earlier thread on this list about running stunnel under tcpserver--apparently the reason stunnel and tcpserver don't (didn't?) get along is that stunnel wants to be argv[0]. There's a patch for stunnel (from 1998, so it probably needs to be modified for the current version). There's also an argv0 program that comes with ucspi-tcp that also looks like it would solve the problem. Finally, there are a few sample startup scripts that imply that that's not really a problem anymore, and stunnel and tcpserver coexist fine. From searching the archive at http://www-archive.ornl.gov:8000/ for "tcpserver stunnel": A message describing the problem, which sounds like what I saw, is at: http://www.ornl.gov/its/archives/mailing-lists/qmail/1998/09/msg00723.html The message with the (old) patch: http://www.ornl.gov/its/archives/mailing-lists/qmail/1998/09/msg00743.html A very informative message from this May, with a cool stunnel startup script, implying that stunnel will indeed run under tcpserver: http://www.ornl.gov/its/archives/mailing-lists/qmail/2000/05/msg01621.html That last message also implies that qmail-smtpd will run under stunnel without modification. I'll try these things out when I get a chance, and report back to y'all. So what's the general thought on just adding TLS/SSL support to tcpserver, is that outside of the ucspi-tcp model, better left up to a separate program, or something that would be nice but just hasn't been done yet? I'd guess that DJB feels it's better left up to a separate program, but I'm sure there are others more qualified to give an opinion--anyone? - Bradey
tcpserver stunnel
Does anyone have a working tcpserver w/stunnel configuration they'd like to share? From the list archives I gather a patch is in order however the last posts on the topic are from '98 and that code appears to be out-dated. I'm using stunnel 3.4a from the Debian packages (potato). I'm specifically interested in enabling SSL pop3, but seeing any configs for SSL smtp wouldn't be uninteresting either. TIA -- Jamie Heilman http://wcug.wwu.edu/~jamie/ "I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's not for you." She was cheap, she was stupid and she wouldn't load -- well, not for me, anyway." -Holly
qmail-smtpd and stunnel
Hi!

I'm using stunnel (with -n smtp) to do smtp-over-ssl (or TLS). However, there is one problem: I can't get the Received: line to show the host that originally connected - at least not with stunnel in port forwarding mode. Maybe I should run qmail-smtpd from stunnel's command line, with tcpserver (which I like) running stunnel (and thus setting the ENV correctly)? Yeah, I'll try that. Okay, I kinda answered my own question... Any hints/tips/pointers before I start? (BTW: same problem with apache...)

-Johan
--
Johan Almqvist
OT Answer: imap + ssl -- stunnel is the answer
Julien,

If you are using stunnel try the stunnel users list
http://www.onsight.com/faq/stunnel/stunnel-faq-9.html

But one quick thing you can do is

stunnel -D 7 -f -d 993 -r localhost:143

(for IMAP). The ``-D 7'' puts stunnel into debug mode and the ``-f'' keeps it in foreground mode, so it will log directly to your current terminal. Stunnel has very good error messages.

Check several things. Permissions on the certificate. That there's a daemon listening on 127.0.0.1:143 (localhost:143)

Best of luck,

-Martin

On Thu, 25 May 2000, Christian Wiese wrote:
:Hi Julien,
:
:I would suggest that the problem is not at the qmail-imap site, but
:rather on the client (Outlook) site.
:I don't know much about Outlook and I don't like it, but I think Outlook
:can't handle SSL connections.
:Please try to find some information about Outlook and its
:possibilities regarding SSL connections to IMAP servers.
:
:greetings
:
:christian
:
:Julien Marguet wrote:
:
: Hi all
: I try to install ssl on a mail-server that I have just
: installed for a hospital
:
: I use qmail 1.03, and imap (courier-imap 0.32 from
: inter7.com).
:
: I use this link to install ssl:
: http://security.fi.infn.it/tools/stunnel/index-en.html
: but it doesn't work.
:
: when I use the script imap.rc from courier-imap the
: connection with an (Outlook) client = OK. (without ssl)
:
: when I use the script imap-ssl.rc from courier-imap there
: is no connection with the client : it says no server
: securise.
:
: ssl doesn't work.
: What files do I see or change ?
:
: ___
: Sell everything... at auction - http://www.caraplazza.com
:

--
Martin A. Brown --- Wonderfrog Enterprises --- [EMAIL PROTECTED]
OT: SSL wrapper scripts, stunnel and description
Hello all,

I have seen some questions over the last week about adding SSL (secure sockets layer) support to standard plaintext services. This is something for which the package stunnel is perfect. If you are interested in offering SSL services for your currently plaintext daemons, you can use stunnel independently of the plaintext service to provide SSL service. For further information on the package, check out the stunnel page: http://mike.daewoo.com.pl/computer/stunnel/

The beauty of stunnel (IMHO) is that you can run it in client or server mode, and it can listen on one IP and forward to another (local or remote). (You can also listen on INADDR_ANY, or INADDR_LOOPBACK.)

I hope the die-hard list readers will forgive that I have attached two scripts I wrote to work as a drop-in service startup script for as many wrappers as you'd like. My script assumes that you are running tcpserver, and (unfortunately) assumes the old-style supervise (daemontools 0.53). (If we ever migrate to the newer model, I'll rewrite these scripts a bit.)

One last kicker, and that is that stunnel can run in "transparent proxying" mode which allows you to use it for SMTPS (port 465) without changing your tcprules for your SMTP service. All you need is to have transparent proxying support in your kernel.

One could certainly run stunnel in ``-d'' mode without tcpserver, but I'm so accustomed to running things under tcpserver (I like the process model) that I have included it in the script.

I hope it proves useful to somebody besides me,

-Martin
--
Martin A. Brown --- Wonderfrog Enterprises --- [EMAIL PROTECTED]

#!/bin/sh
#
# stunnel        starts/stops stunnel
#
# chkconfig: 345 72 38
#
# -- generic stunnel startup script
#+   WRAPNAME   = key for tcp_wrapper lookup in /etc/hosts.allow file
#+   LISTENIP   = INADDR_ANY by default or user-specified
#+   TARGETIP   = INADDR_LOOPBACK by default or user-specified
#+   LISTENPORT = yep.  the port we are listening for connections on
#+   TARGETPORT = boy, these names almost make sense
#+   SWITCH     = leave empty for server mode, make "-c" for client mode
#+   RULES      = tcprules.cdb file to call from tcpserver
#+   PEMFILE    = another very important, obviously named variable
#
# -- I'd like to compile a version of stunnel which doesn't do the
#    tcp_wrappers in the /etc/hosts.allow file--because having tcpserver
#    and stunnel doing IP checking doesn't make a whole lot of sense to me
#

## -- die and complain if we don't /at least/ get these two
TARGETPORT=${TARGETPORT:?}
LISTENPORT=${LISTENPORT:?}

## -- define all of the variables first
SUPERVISEDIR=/var/lock/svc
LISTENIP=${LISTENIP:=0.0.0.0}
TARGETIP=${TARGETIP:=127.0.0.1}
WRAPNAME=${WRAPNAME:=stunnel}
PEMFILE=${PEMFILE:=/var/openssl/certs/trusted/stunnel.pem}

## set the service name for supervise
SERVICE=stunnel${LISTENPORT}

# See how we were called
case "$1" in
  start)
    mkdir -p ${SUPERVISEDIR}/${SERVICE}
    echo -n "Starting stunnel on ${LISTENIP}:${LISTENPORT}: "
    # -x ${RULES} is only passed when RULES was set, otherwise tcpserver
    # would swallow the next argument as the rules file
    env - supervise ${SUPERVISEDIR}/${SERVICE} \
        tcpserver -RH -c 40 ${RULES:+-x ${RULES}} \
            ${LISTENIP} ${LISTENPORT} \
            /usr/sbin/stunnel ${WRAPNAME} ${SWITCH} -f \
                -r ${TARGETIP}:${TARGETPORT} \
                -p ${PEMFILE}
    echo done
    ;;
  stop)
    echo -n "Shutting down stunnel on ${LISTENIP}:${LISTENPORT}"
    svc -dx ${SUPERVISEDIR}/${SERVICE}
    echo
    ;;
  status)
    echo -n "stunnel on port ${LISTENIP}:${LISTENPORT}"
    svstat ${SUPERVISEDIR}/${SERVICE} | tailocal
    ;;
  restart)
    "$0" stop
    sleep 1
    "$0" start
    exit 0
    ;;
  *)
    echo "Usage: stunnel {start|stop|status|restart}"
    exit 1
esac

#!/bin/bash
#
# -- the first service...define what you need and call the script
#    which sets some defaults
#
# DON'T GET BITTEN BY THE PATH PROBLEM IN THIS SCRIPT
# CHANGE IT TO YOUR NEED FOR YOUR SYSTEM. :-)
#
# -- now just redefine and call the startup script again
#
LISTENIP=127.0.0.1
TARGETIP=remote.mailserver
LISTENPORT=143
TARGETPORT=993
SWITCH="-c"
. ./stunnel-startup

LISTENIP=my.ethernet.interface
TARGETIP=127.0.0.1
LISTENPORT=465
TARGETPORT=25
SWITCH=""        # server mode: clear the "-c" left over from the first service
#. ./stunnel-startup
stunnel + qmail + vpopmail
Hello All,

I was wondering if there is any need for something like stunnel when used in conjunction with qmail + vpopmail for secure transmission of usernames and passwords for pop3d based stuff... or does it encrypt on its own (not that I see from the initial install)?

-Bill