Stunnel + qmail-smtpd

2001-07-30 Thread Per-fredrik Pollnow (EPK)

Hi,

I have been trying to use stunnel with qmail-smtpd but I can't get it to work; maybe
someone has some suggestions on what to do or where to find information about using
stunnel with smtpd.

I have been trying this in some desperate moments to get it to work (and some other
things) :=) :

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 200 \
/usr/local/bin/tcpserver -v -R -l 0 -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
 -u $QMAILDUID -g $NOFILESGID 0 smtp /usr/local/sbin/stunnel -p \
/etc/pem/smtp.pem -l /var/qmail/bin/qmail-smtpd 2>&1

But this is not working for sure.



Re: stunnel/POP3 hanging ??

2001-07-30 Thread Andrea Cerrito

mmmhhh, looks like a wrong startup script!

 Here is my invocation of stunnel:

 #!/bin/sh
 exec /usr/local/bin/softlimit -m 300 \
 /usr/local/bin/tcpserver -v -likauni.vrona.com -H -R 0 pop3 \
 /usr/local/sbin/stunnel -p /etc/stunnel.pem \
 -l /var/qmail/bin/qmail-popup -- qmail-popup ikauni.vrona.com \
 /bin/checkpassword /usr/sbin/relay-ctrl-allow /var/qmail/bin/qmail-pop3d
 Maildir 2>&1

Try something like:

[snip] /usr/local/sbin/stunnel -p /etc/stunnel.pem -N spop3 -f -l
/var/qmail/bin/qmail-popup -- qmail-popup [snip]

Hope it helps.
---
Cordiali saluti / Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A
05100 Terni IT
Tel. +39 0744 5441330
Fax. +39 0744 5441372





Re: stunnel/POP3 hanging ??

2001-07-30 Thread Henning Brauer

On Mon, Jul 30, 2001 at 10:16:44AM +0200, Andrea Cerrito wrote:
 mmmhhh, looks like a wrong startup script!
 
  Here is my invocation of stunnel:
 
  #!/bin/sh
  exec /usr/local/bin/softlimit -m 300 \
  /usr/local/bin/tcpserver -v -likauni.vrona.com -H -R 0 pop3 \
  /usr/local/sbin/stunnel -p /etc/stunnel.pem \
  -l /var/qmail/bin/qmail-popup -- qmail-popup ikauni.vrona.com \
  /bin/checkpassword /usr/sbin/relay-ctrl-allow /var/qmail/bin/qmail-pop3d
  Maildir 2>&1
 
 Try something like:
 
 [snip] /usr/local/sbin/stunnel -p /etc/stunnel.pem -N spop3 -f -l
 /var/qmail/bin/qmail-popup -- qmail-popup [snip]

No. Running stunnel not as daemon but under tcpserver is a good idea.
Maex posted a good example script a few days ago.

-- 
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany   *
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: stunnel/POP3 hanging ??

2001-07-30 Thread Andrea Cerrito

Probably a misunderstanding.

  Try something like:
 
  [snip] /usr/local/sbin/stunnel -p /etc/stunnel.pem -N spop3 -f -l
  /var/qmail/bin/qmail-popup -- qmail-popup [snip]

 No. Running stunnel not as daemon but under tcpserver is a good idea.
 Maex posted a good example script a few days ago.

The first [snip] was the tcpserver command, the second one was the
qmail-command.
I just said that stunnel was badly invoked; in fact I added the -N (servicename)
and the -f switch.

This is my run script under tcpserver, uptime 83 days with no problems.

exec /usr/bin/env - PATH=/var/qmail/bin:$PATH \
/usr/local/bin/tcpserver -v -c 50 -H -P -R -l hostname ip port \
/usr/local/stunnel/sbin/stunnel -p /var/qmail/control/spop3.pem \
-N spop3 -f -l /var/qmail/bin/qmail-popup /var/qmail/bin/qmail-popup \
hostname /usr/local/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1

Just to be clear :)
---
Cordiali saluti / Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A
05100 Terni IT
Tel. +39 0744 5441330
Fax. +39 0744 5441372





Re: Stunnel + qmail-smtpd

2001-07-30 Thread Dave Sill

Per-fredrik Pollnow (EPK) [EMAIL PROTECTED]
wrote:

I have been trying this in some desperate moments to get it to work(and some other 
things) :=) :

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 200 \
/usr/local/bin/tcpserver -v -R -l 0 -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
 -u $QMAILDUID -g $NOFILESGID 0 smtp /usr/local/sbin/stunnel -p \
/etc/pem/smtp.pem -l /var/qmail/bin/qmail-smtpd 2>&1

Try something like:

#!/bin/sh
exec /usr/local/sbin/stunnel -f -p /usr/local/etc/stunnel.pem -d 465 \
   -r 25 2>&1

It proxies the existing SMTP service, so you automatically get
softlimit, a connection limit, and the qmail-smtpd processes running
with the right UID/GID. The only problem is that it'll make
connections look like they came from the local host, so selective
relaying, et al, won't work.

-Dave



[ot] on trust of SSL-certificates (was: stunnel and qmail-threads)

2001-07-30 Thread Magnus Bodin


Is there anyone using verisign or other trusted CA-signed certificates
for your stunnel-connections (pop3, smtp et al)?

What I really want to know is of course whether you find it in any way
meaningful to use ssl-encryption without being able to trust the
certificates? Crypto is fine, but with these nice man-in-the-middle-attack
tools that exist today it may just give a false sense of security.

What's your opinion?

Or don't we want to discuss serious things on this list?

/magnus



Re: [ot] on trust of SSL-certificates (was: stunnel and qmail-threads)

2001-07-30 Thread Henning Brauer

On Mon, Jul 30, 2001 at 03:35:47PM +0200, Magnus Bodin wrote:
 What's your opinion?

Do I trust Verisign/Thawte? Surely not. The whole SSL signing infrastructure
is just a big money machine. The task of signing keys for apps like https
and smtp/pop3/imap over SSL is sooo easy and really really easy to
automate through a mailrobot, it's a shame that someone wants more than 1$ a
year for that.
A kind of OpenCA would be nice, though worthless for most users as long as
M$ and Netscape/AOL don't include the certificate in their browsers, and we
should be sure Verisign & co pay a _lot_ for that.

-- 
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany   *
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



stunnel/POP3 hanging ??

2001-07-28 Thread David Vrona

Hi all,

I've been running a very stable RedHat installation with qmail for some 
time now.

Recently I've tried to install the stunnel wrapper on POP3.

I believe I've done everything as I should but clients cannot successfully 
retrieve e-mail.  It appears that something is hanging during the 
process.  The client program (Eudora) appears to be stuck trying to get e-mail.

On the server side I have the following in the log:

Jul 28 16:39:13 ikauni stunnel[5270]: Using 'qmail-popup' as tcpwrapper 
service name
Jul 28 16:39:13 ikauni stunnel[5270]: stunnel 3.16 on i686-pc-linux-gnu 
PTHREAD+LIBWRAP
Jul 28 16:39:13 ikauni stunnel[5270]: qmail-popup connected from 
192.168.1.3:1307
Jul 28 16:40:16 ikauni stunnel[5270]: SSL_accept: Peer suddenly disconnected

The last line occurs when I force the client to stop trying.

Here is my invocation of stunnel:

#!/bin/sh
exec /usr/local/bin/softlimit -m 300 \
/usr/local/bin/tcpserver -v -likauni.vrona.com -H -R 0 pop3 \
/usr/local/sbin/stunnel -p /etc/stunnel.pem \
-l /var/qmail/bin/qmail-popup -- qmail-popup ikauni.vrona.com \
/bin/checkpassword /usr/sbin/relay-ctrl-allow /var/qmail/bin/qmail-pop3d 
Maildir 2>&1

I wonder if anyone has run into this situation?  I wish I could provide
more information about what is going on.  I guess there are ways to trace
this but I don't know how to do it.

Thanks for any ideas.

Dave


--
David Vrona - N9QNZ (Siesta Key, Florida)
PGP Key Fingerprint 42CA F54A A514 7DF7 2032  3F7F 91EB 89CD 1DE8 E856
Join our SETI@home amateur radio team at www.wuies.com




Re: stunnel/POP3 hanging ??

2001-07-28 Thread Lordy

Hi David,

I had a very similar problem with stunnel and POP3 on my mail server.

I installed and ran stunnel pretty much the same way you did and tried to
retrieve mail with Eudora 5.1, which failed (unfortunately you didn't mention
your Eudora error message so I can't tell if it's the same one).

When I tried to connect with Outlook Express everything works just fine.

I guess this might be a problem in the SSL implementation in Eudora but I'm
not too sure about that. I've tried to find more information on SSL on the
Qualcomm pages but they don't provide anything there.

Sorry that I can not help you but let me know if you find out anything about
this issue.

Regards,
Lordy

At 16:15 28.07.2001 -0400, you wrote:
Hi all,

I've been running a very stable RedHat installation with qmail for some 
time now.

Recently I've tried to install the stunnel wrapper on POP3.

I believe I've done everything as I should but clients cannot successfully 
retrieve e-mail.  It appears that something is hanging during the 
process.  The client program (Eudora) appears to be stuck trying to get e-mail.

On the server side I have the following in the log:

Jul 28 16:39:13 ikauni stunnel[5270]: Using 'qmail-popup' as tcpwrapper 
service name
Jul 28 16:39:13 ikauni stunnel[5270]: stunnel 3.16 on i686-pc-linux-gnu 
PTHREAD+LIBWRAP
Jul 28 16:39:13 ikauni stunnel[5270]: qmail-popup connected from 
192.168.1.3:1307
Jul 28 16:40:16 ikauni stunnel[5270]: SSL_accept: Peer suddenly disconnected

The last line occurs when I force the client to stop trying.

Here is my invocation of stunnel:

#!/bin/sh
exec /usr/local/bin/softlimit -m 300 \
/usr/local/bin/tcpserver -v -likauni.vrona.com -H -R 0 pop3 \
/usr/local/sbin/stunnel -p /etc/stunnel.pem \
-l /var/qmail/bin/qmail-popup -- qmail-popup ikauni.vrona.com \
/bin/checkpassword /usr/sbin/relay-ctrl-allow /var/qmail/bin/qmail-pop3d 
Maildir 2>&1

I wonder if anyone has run into this situation?  I wish I could provide 
more information about what is going on.  I guess they are ways to trace 
this but I don't know how to do it.

Thanks for any ideas.

Dave


--
David Vrona - N9QNZ (Siesta Key, Florida)
PGP Key Fingerprint 42CA F54A A514 7DF7 2032  3F7F 91EB 89CD 1DE8 E856
Join our SETI@home amateur radio team at www.wuies.com





Re: stunnel

2001-07-27 Thread Andrea Cerrito

This is my run script.

exec /usr/bin/env - PATH=/var/qmail/bin:$PATH \
/usr/local/bin/tcpserver -v -c 50 -H -P -R -l hostname ip port \
/usr/local/stunnel/sbin/stunnel -p /var/qmail/control/spop3.pem -N spop3 \
-f -l /var/qmail/bin/qmail-popup /var/qmail/bin/qmail-popup hostname \
/usr/local/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 2>&1

-p pemfile
-N wrapper name (spop3 = secure pop3)
-f don't fork
-l command to run

Working perfectly. The only problem I encountered was solved by using a
double qmail-popup after -l switch ('-l /var/qmail/bin/qmail-popup
/var/qmail/bin/qmail-popup').
Don't remember why, but I think stunnel can't work with either pop3 or smtp
as a redirector.

Hope it helps.
---
Cordiali saluti / Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A
05100 Terni IT
Tel. +39 0744 5441330
Fax. +39 0744 5441372




stunnel

2001-07-26 Thread Per-fredrik Pollnow (EPK)

Hi,

I was wondering if there is anyone (probably someone) who is using stunnel for the
qmail-pop3d server. I get this error message on the server all the time when I try to
connect to my pop3d on port 995 with my SSL client.

I start the stunnel like this: /usr/local/sbin/stunnel -p /etc/stunnel.pem -l
/var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d 995

And this is the screenshot from the foreground mode:
2001.07.26 15:24:31 LOG5[27215:73728]: Using 'qmail-pop3d Maildir 2>&1' as tcpwrapper service name
2001.07.26 15:24:31 LOG5[27215:73728]: stunnel 3.16 on i386-unknown-openbsd2.9 PTHREAD+LIBWRAP
2001.07.26 15:25:58 LOG5[27215:75776]: qmail-pop3d Maildir 2>&1 connected from 136.225.42.196:4497
2001.07.26 15:25:58 LOG3[27961:75776]: execvp: No such file or directory (2)
2001.07.26 15:29:32 LOG3[27215:77312]: SSL_accept: Peer suddenly disconnected
2001.07.26 15:29:32 LOG3[27215:75776]: select: Interrupted system call (4)
2001.07.26 15:29:32 LOG5[27215:75776]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

I'm using qmail on OpenBSD2.9..

Anyone who knows what's wrong?





Re: stunnel

2001-07-26 Thread Markus Stumpf

On Thu, Jul 26, 2001 at 02:44:17PM +0200, Per-fredrik Pollnow (EPK) wrote:
 I start the stunnel like this: /usr/local/sbin/stunnel -p /etc/stunnel.pem -l
 /var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d 995
 [ ... ]
 Anyone who knows what's wrong?

We do it that way:

exec /usr/local/bin/tcpserver -R -v -c 50 \
    -l popmail.space.net \
    195.30.0.14 pop3s \
    /usr/local/sbin/stunnel \
    -p /usr/local/services/apache-webmail/conf/ssl/space.pem \
    -l /var/qmail/bin/qmail-popup -- qmail-popup \
    popmail.space.net \
    /var/qmail/contrib/checkpassword \
    /var/qmail/bin/qmail-pop3d Maildir 2>&1 \
    | /var/qmail/bin/splogger qmail-pop3d-ssl 17

Works without problems ...

\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |   D-80807 Muenchen        | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen
asleep yet.



Re: stunnel

2001-07-26 Thread Magnus Bodin

On Thu, Jul 26, 2001 at 02:44:17PM +0200, Per-fredrik Pollnow (EPK) wrote:
 Hi,
 
 I was wondering if there is anyone (probably someone) who is using stunnel for the
 qmail-pop3d server. I get this error message on the server all the time when I try
 to connect to my pop3d on port 995 with my SSL client.
 
 I start the stunnel like this: /usr/local/sbin/stunnel -p
 /etc/stunnel.pem -l /var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d 995

You should not pass the parameters like that with the -l parameter. 

From the top of my head (can be wrong)

/usr/local/bin/tcpserver 0 995 /usr/local/sbin/stunnel -p /etc/stunnel.pem \
  -l /var/qmail/bin/qmail-popup -- qmail-popup pop.example.com /bin/checkpassword '~' \
  /var/qmail/bin/qmail-pop3d Maildir

/magnus (lycka till)

-- 
Unfortunately, those people who have nothing better to do than post on the
 Internet all day long are rarely the ones who have the most insights.
   - Jakob Nielsen, August 1997



Re: stunnel

2001-07-26 Thread MarkD

On Thu, Jul 26, 2001 at 02:44:17PM +0200, Per-fredrik Pollnow (EPK) allegedly wrote:
 Hi,
 
 I was wondering if there is anyone (probably someone) who is using stunnel for the
 qmail-pop3d server. I get this error message on the server all the time when I try
 to connect to my pop3d on port 995 with my SSL client.
 
 I start the stunnel like this: /usr/local/sbin/stunnel -p /etc/stunnel.pem -l
 /var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d 995
 
 And this is the screenshot from the foreground mode:
 2001.07.26 15:24:31 LOG5[27215:73728]: Using 'qmail-pop3d Maildir 2>&1' as
 tcpwrapper service name
 2001.07.26 15:24:31 LOG5[27215:73728]: stunnel 3.16 on i386-unknown-openbsd2.9
 PTHREAD+LIBWRAP
 2001.07.26 15:25:58 LOG5[27215:75776]: qmail-pop3d Maildir 2>&1 connected from
 136.225.42.196:4497
 2001.07.26 15:25:58 LOG3[27961:75776]: execvp: No such file or directory (2)
 2001.07.26 15:29:32 LOG3[27215:77312]: SSL_accept: Peer suddenly disconnected
 2001.07.26 15:29:32 LOG3[27215:75776]: select: Interrupted system call (4)
 2001.07.26 15:29:32 LOG5[27215:75776]: Connection reset: 0 bytes sent to SSL, 0 
bytes sent to socket
 
 I'm using qmail on OpenBSD2.9..
 
 Anyone who knows what's wrong?

Yes. You need to read the stunnel documentation more
closely. Especially look at the examples in the stunnel man page and
note how the command and arguments after -l are constructed. Also note
how they have to be the last arguments on the command line.

qmail-pop3d works just fine with stunnel - if you get the stunnel
invocation right.


Regards.



Re: stunnel

2001-07-26 Thread Greg White

On Thu, Jul 26, 2001 at 03:37:41PM +0200, Per-fredrik Pollnow (EPK) wrote:
  Hi,
  
  I was wondering if there is anyone (probably someone) who is using stunnel for the
  qmail-pop3d server. I get this error message on the server all the time when I try
  to connect to my pop3d on port 995 with my SSL client.
  
  I start the stunnel like this: /usr/local/sbin/stunnel -p /etc/stunnel.pem -l
  /var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d 995
  
  And this is the screenshot from the foreground mode:
  2001.07.26 15:24:31 LOG5[27215:73728]: Using 'qmail-pop3d Maildir 2>&1' as
  tcpwrapper service name
  2001.07.26 15:24:31 LOG5[27215:73728]: stunnel 3.16 on i386-unknown-openbsd2.9
  PTHREAD+LIBWRAP
  2001.07.26 15:25:58 LOG5[27215:75776]: qmail-pop3d Maildir 2>&1 connected from
  136.225.42.196:4497
  2001.07.26 15:25:58 LOG3[27961:75776]: execvp: No such file or directory (2)
  2001.07.26 15:29:32 LOG3[27215:77312]: SSL_accept: Peer suddenly disconnected
  2001.07.26 15:29:32 LOG3[27215:75776]: select: Interrupted system call (4)
  2001.07.26 15:29:32 LOG5[27215:75776]: Connection reset: 0 bytes sent to SSL, 0 
bytes sent to socket
  
  I'm using qmail on OpenBSD2.9..
  
  Anyone who knows what's wrong?

IIRC, stunnel just wraps an existing daemon, no? Take the example 'run'
script from LWQ for pop3 service, and add the stunnel commands, so that
the old 'run' script is passed to stunnel as the '-l' argument.

-- 
Greg White



Re: stunnel

2001-07-26 Thread Clay Fouts

On Thu, Jul 26, 2001 at 02:44:17PM +0200, Per-fredrik Pollnow (EPK) wrote:
 Hi,
 
 I was wondering if there is anyone (probably someone) who is using
 stunnel for the qmail-pop3d server. I get this error message on the
 server all the time when I try to connect to my pop3d on port 995
 with my SSL client.
 
 I start the stunnel like this: /usr/local/sbin/stunnel -p
 /etc/stunnel.pem -l /var/qmail/bin/qmail-pop3d Maildir 2>&1 -f -d
 995

Stunnel is interpreting the arg to -l as a single filename, rather
than parsing it into separate arguments.  I believe you want to use
something like this (untested):

/usr/local/sbin/stunnel -p /etc/stunnel.pem -f -d 995 \
  -l /var/qmail/bin/qmail-pop3d -- qmail-pop3d Maildir 2>&1

Of course, you could also just use stunnel as a redirector as in:

/usr/local/sbin/stunnel -f -D 4 -p /etc/stunnel.pem -d 995 -r 110

This will simply decrypt and then pass the connection's data over to
your standard pop3 program that runs under tcpserver/inetd/etc.

Clay
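
The invocation this thread converges on, as an added example (not code from any post here): a POSIX sh pre-flight that reads a stunnel 3.x argument list the way stunnel does and flags the mistakes diagnosed above, plus a generator for the tcpserver run script. Paths are the ones used in the posts; the set of stunnel options that take a value is assumed from the flags that appear on this page.

```shell
#!/bin/sh
# Added example, not taken from any post in the thread.  Paths are the
# ones the posts use; override them through the environment.
TCPSERVER=${TCPSERVER:-/usr/local/bin/tcpserver}
STUNNEL=${STUNNEL:-/usr/local/sbin/stunnel}
POPUP=${POPUP:-/var/qmail/bin/qmail-popup}
POP3D=${POP3D:-/var/qmail/bin/qmail-pop3d}
CHECKPW=${CHECKPW:-/bin/checkpassword}

# Read a stunnel 3.x argument list the way stunnel itself does:
#  - the ONE word after -l is the program it execvp()s; when that word
#    carries spaces or a redirection ("qmail-pop3d Maildir 2>&1") stunnel
#    looks for a file of that name and logs "execvp: No such file or
#    directory", the line in the original report
#  - that program must exist and be executable
#  - the program's own arguments (argv[0] first) come after "--", which
#    ends stunnel's own options; a bare word before "--" is a mistake
#  - under tcpserver the socket is inherited, so "-d port" must not be
#    given as well (two listeners for the same service)
# Options taking a value are the ones seen in the thread (assumption);
# any other "-x" is treated as a bare flag.  Returns 0 when clean, else 1.
lint_stunnel_args() {
    rc=0
    while [ $# -gt 0 ]; do
        case $1 in
            --) break ;;
            -d) echo "-d $2: stunnel must not listen itself under tcpserver" >&2
                rc=1
                [ $# -gt 1 ] && shift ;;
            -l) if [ $# -lt 2 ]; then
                    echo "-l needs a program" >&2; rc=1
                else
                    shift
                    case $1 in
                        *" "*|*">"*|*"&"*)
                            echo "-l '$1': one path only; arguments go after --" >&2
                            rc=1 ;;
                        *)  [ -x "$1" ] ||
                            { echo "-l '$1': not executable, execvp will fail" >&2; rc=1; } ;;
                    esac
                fi ;;
            -p|-N|-D|-r|-n) [ $# -gt 1 ] && shift ;;
            -*) ;;
            *)  echo "stray argument '$1' before --" >&2; rc=1 ;;
        esac
        shift
    done
    return $rc
}

# Print a run script in the shape of the working ones above: tcpserver
# does the listening, limits and logging, stunnel runs inetd-style on the
# accepted socket, and qmail-popup gets its real argv[0] after "--".
# $1 hostname for the banner, $2 IP to bind, $3 port or service, $4 PEM.
run_script() {
    cat <<EOF
#!/bin/sh
exec $TCPSERVER -v -R -H -c 50 -l $1 $2 $3 \\
  $STUNNEL -p $4 -N spop3 \\
  -l $POPUP -- qmail-popup $1 $CHECKPW $POP3D Maildir 2>&1
EOF
}
```

Run `lint_stunnel_args` on the stunnel part of a candidate run line before installing it; `run_script pop.example.com 0 pop3s /etc/stunnel.pem > run` writes the file.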



Re:tcpserver stunnel

2000-07-12 Thread chun_huang

Hi, here are some commands that need to be run after installing openssl and stunnel. They were
provided by my friend Wu Hui, who is a CA fan. Hope it's useful to you. :)

-HuangChun

1.generate the digital certificate:
private key is stored into file "test1key.pem",
the content of certificate is stored into file "test1req.pem"

#cd /usr/local/ssl
#./bin/openssl req -new -keyout test1key.pem -out test1req.pem

2.Issue the digital certificate:

#cd /usr/local/ssl
# ./bin/openssl ca -policy policy_anything -infiles test1req.pem

3.save the certificate got from step 2 into the directory used by stunnel

4.check the content of certificate:
#cd the directory of step 4 
# /usr/local/ssl/bin/openssl x509 -in 03.pem -text

5.get the password of private key
#cd /usr/local/ssl
#./bin/openssl rsa -in test1key.pem -out testkey.pem

6.modify the password of private key
#cd /usr/local/ssl
#./bin/openssl rsa -in test1key.pem -out testkey.pem -des3

7.start pop3d with stunnel:
#stunnel -d pop3s -p /usr/local/ssl/certs/stunnel.pem -l /var/qmail/bin/qmail-popup 
...
-l is followed by the command used in inetd.conf for pop3d daemon.


Does anyone have a working tcpserver w/stunnel configuration they'd like to
share?  From the list archives I gather a patch is in order however the
last posts on the topic are from '98 and that code appears to be out-dated.

I'm using stunnel 3.4a from the Debian packages (potato).  I'm specifically
interested in enabling SSL pop3, but seeing any configs for SSL smtp
wouldn't be uninteresting either.  TIA

-- 
Jamie Heilman   http://wcug.wwu.edu/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly, she's 
 not for you." She was cheap, she was stupid and she wouldn't load 
 -- well, not for me, anyway." -Holly
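
An added example, not part of the post above: the openssl steps collapsed into a self-signed one-shot for stunnel, with the checks an admin wants before starting stunnel on the result (key matches certificate, key not passphrase-protected, file not readable by others) and the fingerprint to hand to clients in place of a CA chain. It assumes the openssl command-line tool is on PATH; the subject name and lifetime are placeholders.

```shell
#!/bin/sh
# Added example, not from the post above.  Assumes the openssl CLI.

# Make an unencrypted RSA key and a self-signed certificate in one call
# and write them, key first, into a single PEM, the layout stunnel reads
# with -p.  Step 6 of the post (-des3) would passphrase-protect the key;
# a daemon started by tcpserver cannot answer a passphrase prompt, so the
# key stays unencrypted and the file is made readable by its owner only.
# $1 output file, $2 CN (the hostname clients connect to), $3 days.
make_stunnel_pem() {
    out=$1 cn=$2 days=${3:-365}
    tmp=$(mktemp -d) || return 1
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/CN=$cn" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
        >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    ( umask 077; cat "$tmp/key.pem" "$tmp/cert.pem" > "$out" ) ||
        { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    chmod 600 "$out"
}

# Sanity checks on an existing PEM: both halves present, key not
# encrypted, nobody but the owner can read it.  First problem to stderr.
pem_sanity() {
    pem=$1
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "$pem: no certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$pem"       || { echo "$pem: no private key" >&2; return 1; }
    ! grep -q 'ENCRYPTED' "$pem"       || { echo "$pem: key is passphrase protected" >&2; return 1; }
    case $(ls -l "$pem" | cut -c5-10) in
        ------) ;;
        *) echo "$pem: readable by group/other, chmod 600 it" >&2; return 1 ;;
    esac
}

# The key must be the one the certificate was issued for, otherwise every
# SSL_accept fails; compare the public key taken from each half.
pem_key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$c" = "$k" ]
}

# SHA-256 fingerprint of the certificate: the value an admin publishes so
# a client without a trusted CA can still tell the real server from a
# man-in-the-middle presenting a different self-signed certificate.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}
```

`make_stunnel_pem /etc/stunnel.pem pop.example.com 365 && pem_sanity /etc/stunnel.pem && pem_fingerprint /etc/stunnel.pem` creates the file and prints what to give clients.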




Re: tcpserver stunnel

2000-07-11 Thread Jamie Heilman

Bradey Honsinger wrote:

 I'm not currently blocking normal POP3 connections, but as I understand
 it you use tcpserver to only accept pop3 traffic from localhost (which
 limits it to accepting connections forwarded from the s-pop3 port to the
 pop3 port using stunnel), in much the same way you configure qmail-smtpd
 to only relay mail from specific IPs.

Yeah, I think this is what I'll end up doing too.  I have a test setup with
it and it works pretty well.  The only downside to this that I can see is
that using stunnel in daemon mode I don't get concurrency limits or any of
the other tcpserver benefits for the initial ssl connections.  I could run
stunnel out of xinetd I suppose but then I wouldn't get the ssl caching
hoo-ha that stunnel can do.

So what's the general thought on just adding TLS/SSL support to tcpserver,
is that outside of the ucspi-tcp model, better left up to a separate
program, or something that would be nice but just hasn't been done yet?

-- 
Jamie Heilman   http://wcug.wwu.edu/~jamie/
"We must be born with an intuition of mortality.  Before we know the words
 for it, before we know there are words, out we come bloodied and squalling
 with the knowledge that for all the compasses in the world, there's only
 direction, and time is its only measure."  -Rosencrantz



RE: tcpserver stunnel

2000-07-11 Thread Bradey Honsinger

jamie sez:
 snip The only downside to this that I can
 see is that using stunnel in daemon mode I don't get concurrency limits
 or any of the other tcpserver benefits for the initial ssl connections.
 I could run stunnel out of xinetd I suppose but then I wouldn't get the
 ssl caching hoo-ha that stunnel can do.

I poked around a bit, and there's a (much) earlier thread on this list about
running stunnel under tcpserver--apparently the reason stunnel and tcpserver
don't (didn't?) get along is that stunnel wants to be argv[0]. There's a
patch for stunnel (from 1998, so it probably needs to be modified for the
current version). There's also an argv0 program that comes with ucspi-tcp
that also looks like it would solve the problem. Finally, there are a few
sample startup scripts that imply that that's not really a problem anymore,
and stunnel and tcpserver coexist fine.

From searching the archive at http://www-archive.ornl.gov:8000/ for
"tcpserver stunnel":

A message describing the problem, which sounds like what I saw, is at:
http://www.ornl.gov/its/archives/mailing-lists/qmail/1998/09/msg00723.html

The message with the (old) patch:
http://www.ornl.gov/its/archives/mailing-lists/qmail/1998/09/msg00743.html

A very informative message from this May, with a cool stunnel startup
script, implying that stunnel will indeed run under tcpserver:
http://www.ornl.gov/its/archives/mailing-lists/qmail/2000/05/msg01621.html

That last message also implies that qmail-smtpd will run under stunnel
without modification. I'll try these things out when I get a chance, and
report back to y'all.

 So what's the general thought on just adding TLS/SSL support
 to tcpserver,
 is that outside of the ucspi-tcp model, better left up to a separate
 program, or something that would be nice but just hasn't been
 done yet?

I'd guess that DJB feels it's better left up to a separate program, but I'm
sure there are others more qualified to give an opinion--anyone?

- Bradey




tcpserver stunnel

2000-07-10 Thread Jamie Heilman

Does anyone have a working tcpserver w/stunnel configuration they'd like to
share?  From the list archives I gather a patch is in order however the
last posts on the topic are from '98 and that code appears to be out-dated.

I'm using stunnel 3.4a from the Debian packages (potato).  I'm specifically
interested in enabling SSL pop3, but seeing any configs for SSL smtp
wouldn't be uninteresting either.  TIA

-- 
Jamie Heilman   http://wcug.wwu.edu/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly, she's 
 not for you." She was cheap, she was stupid and she wouldn't load 
 -- well, not for me, anyway."  -Holly



qmail-smtpd and stunnel

2000-05-30 Thread Johan Almqvist

Hi!

I'm using stunnel (with -n smtp) to do smtp-over-ssl (or TLS). However,
there is one problem: I can't get the Received: line to show the host that
originally connected - at least not with stunnel in port forwarding mode.
Maybe I should run qmail-smtpd from stunnel's command line, with tcpserver
(which I like) running stunnel (and thus setting the ENV correctly)? Yeah,
I'll try that.

Okay, I kinda answered my own question... Any hints/tips/pointers before
I start (BTW: same problem with apache...)

-Johan
-- 
Johan Almqvist



OT Answer: imap + ssl -- stunnel is the answer

2000-05-26 Thread Martin A. Brown

Julien,

If you are using stunnel try the stunnel users list

http://www.onsight.com/faq/stunnel/stunnel-faq-9.html

But one quick thing you can do is

stunnel -D 7 -f -d 993 -r localhost:143 

(for IMAP).  The ``-D 7'' puts stunnel into debug mode and  the ``-f''
keeps it in foreground mode, so it will log directly to your current
terminal.  Stunnel has very good error messages.

Check several things.

Permissions on the certificate.
That there's a daemon listening on 127.0.0.1:143  (localhost:143)

Best of luck,

-Martin

On Thu, 25 May 2000, Christian Wiese wrote:

:Hi Julien,
:
:I would suggest that the problem is not at the qmail-imap side, but
:rather on the client (Outlook) side.
:I don't know much about Outlook and I don't like it, but I think Outlook
:can't handle SSL connections.
:Please try to find some information about Outlook and its
:possibilities regarding SSL connections to IMAP servers.
:
:greetings
:
:christian
:
:Julien Marguet schrieb:
:
: Hi all
: I try to install ssl on a mail-server that I just have
: installed for a hospital
:
: I use qmail 1.03, and imap (courier-imap 0.32 from
: inter7.com).
:
: I use this link to install ssl:
: http://security.fi.infn.it/tools/stunnel/index-en.html
: but it doesn't work.
:
: when I use the script imap.rc from courier-imap the
: connection with an (Outlook) client= OK. (without ssl)
:
: when I use the script imap-ssl.rc from courier-imap there
: is no connection with the client : it say no server
: securise.
:
:  ssl doesn't work.
: What files do I see or change ?
:
:
:
: ___
: Vendez tout... aux enchères - http://www.caraplazza.com
:
:

-- 
Martin A. Brown --- Wonderfrog Enterprises --- [EMAIL PROTECTED]





OT: SSL wrapper scripts, stunnel and description

2000-05-26 Thread Martin A. Brown

Hello all,

I have seen some questions over the last week about adding SSL (secure
sockets layer) support to standard plaintext services.  This is something
for which the package stunnel is perfect.

If you are interested in offering SSL services for your currently 
plaintext daemons, you can use stunnel independently of the plaintext
service to provide SSL service.

For further information on the package, check out the stunnel page:

http://mike.daewoo.com.pl/computer/stunnel/

The beauty of stunnel (IMHO) is that you can run it in client or server
mode, and it can listen on one IP and forward to another (local or
remote).  (You can also listen on INADDR_ANY, or INADDR_LOOPBACKD.)

I hope the die-hard list readers will forgive that I have attached two
scripts I wrote to work as a drop in service startup script for as many
wrappers as you'd like.  My script assumes that you are running tcpserver,
and (unfortunately) assumes the old-style supervise (daemontools 0.53).
(If we ever migrate to the newer model, I'll rewrite these scripts a bit.)

One last kicker, and that is that stunnel can run in "transparent
proxying" mode which allows you to use it for SMTPS (port 465) without
changing your tcprules for your SMTP service.  All you need is to have
transparent proxying support in your kernel.

One could certainly run stunnel in ``-d'' mode without tcpserver, but I'm
so accustomed to running things under tcpserver (I like the process model)
that I have included it in the script.

I hope it proves useful to somebody besides me,

-Martin

-- 
Martin A. Brown --- Wonderfrog Enterprises --- [EMAIL PROTECTED]


#!/bin/sh
#
# stunnel   starts/stops stunnel
#
# chkconfig: 345 72 38
#
# -- generic stunnel startup script
#+  WRAPNAME   = key for tcp_wrapper lookup in /etc/hosts.allow file
#+  LISTENIP   = INADDR_ANY by default or user-specified
#+  TARGETIP   = INADDR_LOOPBACK by default or user-specified
#+  LISTENPORT = yep. the port we are listening for connections on
#+  TARGETPORT = boy, these names almost make sense
#+  SWITCH = leave empty for server mode, make "-c" for client mode
#+  RULES  = tcprules.cdb file to call from tcpserver
#+  PEMFILE= another very important, obviously named variable
#
# -- I'd like to compile a version of stunnel which doesn't do the
#tcp_wrappers in the /etc/hosts.allow file--because having tcpserver
#and stunnel doing IP checking doesn't make a whole lot of sense to me
#

## -- die and complain if we don't /at least/ get these two
TARGETPORT=${TARGETPORT:?}
LISTENPORT=${LISTENPORT:?}

## -- define all of the variables first
SUPERVISEDIR=/var/lock/svc
LISTENIP=${LISTENIP:=0.0.0.0}
TARGETIP=${TARGETIP:=127.0.0.1}
WRAPNAME=${WRAPNAME:=stunnel}
PEMFILE=${PEMFILE:=/var/openssl/certs/trusted/stunnel.pem}

## set the service name for supervise
SERVICE=stunnel${LISTENPORT}

# See how we were called
case "$1" in
  start)
    mkdir -p ${SUPERVISEDIR}/${SERVICE}
    echo -n "Starting stunnel on ${LISTENIP}:${LISTENPORT}: "
    env - supervise ${SUPERVISEDIR}/${SERVICE} \
      tcpserver -RH -c 40 \
      ${LISTENIP} ${LISTENPORT} \
      /usr/sbin/stunnel ${WRAPNAME} ${SWITCH} -f \
      -r ${TARGETIP}:${TARGETPORT} \
      -p ${PEMFILE}
    echo done
    ;;
  stop)
    echo -n "Shutting down stunnel on ${LISTENIP}:${LISTENPORT}"
    svc -dx ${SUPERVISEDIR}/${SERVICE}
    echo
    ;;
  status)
    echo -n "stunnel on port ${LISTENIP}:${LISTENPORT}"
    svstat ${SUPERVISEDIR}/${SERVICE} | tailocal
    ;;
  restart)
    "$0" stop
    sleep 1
    "$0" start
    exit 0
    ;;
  *)
    echo "Usage: stunnel {start|stop|status|restart}"
    exit 1
esac


#!/bin/bash
#
#

# -- the first service...define what you need and call the script
#which sets some defaults 
# 
#  DON'T GET BITTEN BY THE PATH PROBLEM IN THIS SCRIPT
#  CHANGE IT TO YOUR NEED FOR YOUR SYSTEM.  :-)
#

# -- now just redefine and call the startup script again
#
#

LISTENIP=127.0.0.1
TARGETIP=remote.mailserver
LISTENPORT=143
TARGETPORT=993
SWITCH="-c"

. ./stunnel-startup

LISTENIP=my.ethernet.interface
TARGETIP=127.0.0.1
LISTENPORT=465
TARGETPORT=25

#. ./stunnel-startup




stunnel + qmail + vpopmail

1999-11-30 Thread Bill Parker

Hello All,

I was wondering if there is any need for something like stunnel when
used in conjunction with qmail + vpopmail for secure transmission of
usernames and passwords for pop3d based stuff...or does it encrypt on its
own (not that I see from the initial install)

-Bill