Hello List,
On Wednesday, May 22, 2002 at 8:16:57 PM [EMAIL PROTECTED] wrote (at
least in part):
Tec Which connection are you using TLS or STARTTLS? To a standard port?
TLS.
StartTLS can't be done using 'stunnel', as 'stunnel' itself expects
SSL/TLS-encrypted communication starting with establishing the TCP
connection itself.
On the other side 'STARTTLS' opens a 'normal plain text' connection
and requests the other party by issuing this command to _Switch_ to
SSL-encryption.
As you can see: the other end has to know what to expect at connection
establishing: text or binary SSL ...
that's the reason why STARTTLS is done using 'normal' ports and
SSL/TLS using higher ports: to divert between them ...
STARTLS has to be supported by the application / daemon itself, TLS
can be wrapped if the daemon is able to work with STDIN/STDOUT.
Tec My inital problem was trying to do STARTTLS with SMTP and stunnel with
Tec The Bat!, but TB! was issuing STARTTLS before EHLO and stunnel
Tec would error and close connection.
That's quite correct. 'stunnel' ain't build for STARTTLS. You'd need a
SMTP-Daemon having this on the feature list.
Tec But if you are using POP3 I'm guessing you have it setup with TLS on a
Tec dedicated pop3s port.
And SMTP too ... quite useless, both of it, as it's mainly used in my
LAN, therefor only set up for testing The Bat!'s capabilities, but it
works :-)
Tec Still good to know the SSL connection works.
Tec What flags / certs are you using with the connection?
On server side I generated a new x509 cert, private and public key.
The public key you'll need to store in The Bat! address book in
'Trusted Root CA' in a new entry.
Be aware: the 'CN' of the cert has to be exactly the server name The
Bat! is using for the connection.
As I'm using qmail-smtpd and qmail-popup my start scripts are like
this:
,-= [ qmail-pop3sd ] =-
| exec softlimit -m 4194304 tcpserver -R 0 995 \
| /usr/sbin/stunnel -f -D 3 \
| -p /etc/ssl/certs/pop3sd.pem \
| -l /var/qmail/bin/qmail-popup -- qmail-popup \
| `cat /var/qmail/control/me` \
| /usr/local/bin/checkpw sh -c '
| if [ -n $EXT ]; then DASH=-; fi
| exec /var/qmail/bin/qmail-pop3d Maildir$DASH$EXT
| ' 21
`-=
,-= [ qmail-smtpsd ] =-
| exec softlimit -m 4194304 \
| tcpserver -t 10 -Q -x /etc/qmail/tcp.smtp.cdb \
| -u $QMAILDUID -g $NOFILESGID -c $MAXSMTPD \
| -l siliki.sunrise.local 0 465 \
| /usr/sbin/stunnel -f -D 3 \
| -p /etc/ssl/certs/smtpsd.pem \
| -l /usr/local/bin/fixcrio -- smtp $rbl /var/qmail/bin/qmail-smtpd 21
`-=
'$QMAILDUID' '$NOFILESGID' are qmail installation specific,
'$MAXSMTPD' is the maximum number of concurrent connections.
'$rbl' is my RBL-settings string, build dynamically at starting the
script from some configuration files, you can avoid it.
'pop3sd.pem' and 'smtpsd.pem' are hard links to the same file right
now, when starting to play with this subject I had some access right
trouble and had copied them. You'll have to have a look at stunnel
output when setting this up, it needs some observation on
certification file rights (owner and 'rwx' flags).
HTH Pit
--
Regards
Peter Palmreuthermailto:[EMAIL PROTECTED]
(The Bat! v1.60m on Windows 2000 5.0 Build 2195 Service Pack 1)
Language is a virus from outer space. (William S. Burroughs)
__
Archives : http://tbtech.thebat.dutaint.com
Moderators : mailto:[EMAIL PROTECTED]
Unsubscribe: mailto:[EMAIL PROTECTED]
