Hello List,

On Wednesday, May 22, 2002 at 8:16:57 PM [EMAIL PROTECTED] wrote (at
least in part):

Tec> Which connection are you using TLS or STARTTLS? To a standard port?

TLS.

STARTTLS can't be done using 'stunnel', as 'stunnel' itself expects
SSL/TLS-encrypted communication from the moment the TCP connection
itself is established.
On the other hand, 'STARTTLS' opens a 'normal plain text' connection
and, by issuing this command, asks the other party to _switch_ to
SSL encryption.

As you can see: the other end has to know what to expect at connection
establishment: text or binary SSL ...

That's the reason why STARTTLS is done using 'normal' ports and
SSL/TLS using higher ports: to tell them apart ...
STARTTLS has to be supported by the application / daemon itself; TLS
can be wrapped if the daemon is able to work with STDIN/STDOUT.

Tec> My initial problem was trying to do STARTTLS with SMTP and stunnel with
Tec> The Bat!, but TB! was issuing "STARTTLS" before "EHLO" and stunnel
Tec> would error and close connection.

That's quite correct. 'stunnel' ain't built for STARTTLS. You'd need an
SMTP daemon having this on the feature list.

Tec> But if you are using POP3 I'm guessing you have it setup with TLS on a
Tec> dedicated pop3s port.

And SMTP too ... quite useless, both of them, as it's mainly used in my
LAN, therefore only set up for testing The Bat!'s capabilities, but it
works :-)

Tec> Still good to know the SSL connection works.
Tec> What flags / certs are you using with the connection?

On the server side I generated a new X.509 cert, private and public key.
The public key you'll need to store in The Bat! address book in
'Trusted Root CA' in a new entry.
Be aware: the 'CN' of the cert has to be exactly the server name The
Bat! is using for the connection.
As I'm using qmail-smtpd and qmail-popup, my start scripts are like
this:

,-----= [ qmail-pop3sd ] =-----
| exec softlimit -m 4194304 tcpserver -R 0 995 \
|         /usr/sbin/stunnel -f -D 3 \
|         -p /etc/ssl/certs/pop3sd.pem \
|         -l /var/qmail/bin/qmail-popup -- qmail-popup \
|         `cat /var/qmail/control/me` \
|         /usr/local/bin/checkpw sh -c '
|         if [ -n "$EXT" ]; then DASH="-"; fi
|         exec /var/qmail/bin/qmail-pop3d Maildir"$DASH""$EXT"
|         ' 2>&1
`-----=

,-----= [ qmail-smtpsd ] =-----
| exec softlimit -m 4194304 \
|         tcpserver -t 10 -Q -x /etc/qmail/tcp.smtp.cdb \
|         -u $QMAILDUID -g $NOFILESGID -c "$MAXSMTPD" \
|         -l siliki.sunrise.local 0 465 \
|         /usr/sbin/stunnel -f -D 3 \
|         -p /etc/ssl/certs/smtpsd.pem \
|         -l /usr/local/bin/fixcrio -- smtp $rbl /var/qmail/bin/qmail-smtpd 2>&1
`-----=

'$QMAILDUID' & '$NOFILESGID' are qmail installation specific,
'$MAXSMTPD' is the maximum number of concurrent connections.
'$rbl' is my RBL settings string, built dynamically from some
configuration files when the script starts; you can leave it out.

'pop3sd.pem' and 'smtpsd.pem' are hard links to the same file right
now; when I started playing with this subject I had some access-rights
trouble and had copied them. You'll have to have a look at stunnel's
output when setting this up; it needs some attention to the
certificate file's rights (owner and 'rwx' flags).

HTH Pit
-- 
Regards
Peter Palmreuther                            mailto:[EMAIL PROTECTED]
(The Bat! v1.60m on Windows 2000 5.0 Build 2195 Service Pack 1)

Language is a virus from outer space. (William S. Burroughs)
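
Added example (not from the original post, nor code from The Bat!, stunnel or qmail): the two points the explanation above turns on, in Python. `looks_like_tls_client_hello` is the test a TLS wrapper such as stunnel effectively applies to the first bytes of a connection (a text "STARTTLS" line fails it, hence the closed connection), and `smtp_starttls_handshake` drives the STARTTLS ordering that the application, not the wrapper, has to implement: EHLO first, STARTTLS only when advertised, EHLO again after the switch. `ScriptedPeer` is a constructed stand-in for the daemon so the code runs offline, and the `switch_to_tls` hook is where a real client would wrap its socket.

```python
def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    # What a wrapper such as stunnel must see first: a TLS handshake record
    # (0x16), major version 0x03, carrying a ClientHello (0x01). The text
    # line "STARTTLS" fails this, so the wrapper's handshake fails and it
    # closes the connection.
    return (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01)


def _capabilities(ehlo_reply: str) -> set:
    # "250-mail\r\n250-STARTTLS\r\n250 HELP" -> {"STARTTLS", "HELP"}
    words = (line[4:].split() for line in ehlo_reply.splitlines()[1:])
    return {w[0].upper() for w in words if w}


class ScriptedPeer:
    # Constructed stand-in for an SMTP daemon: canned replies, records sends.
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []

    def sendline(self, line: str) -> None:
        self.sent.append(line)

    def readreply(self) -> str:
        return self.replies.pop(0)


def smtp_starttls_handshake(conn, hostname: str, switch_to_tls=lambda c: c):
    # RFC 3207 order: greeting, EHLO, STARTTLS only if advertised, switch the
    # transport, EHLO again (capabilities seen in plaintext are void after
    # the switch). switch_to_tls is where a real client would call
    # ssl.SSLContext.wrap_socket; the default leaves the scripted peer as is.
    if not conn.readreply().startswith("220"):
        raise RuntimeError("no SMTP greeting: not a plaintext SMTP port")
    conn.sendline(f"EHLO {hostname}")
    reply = conn.readreply()
    if not reply.startswith("250"):
        raise RuntimeError("EHLO rejected")
    caps = _capabilities(reply)
    if "STARTTLS" not in caps:
        raise RuntimeError("STARTTLS not advertised; refusing to stay in plaintext")
    conn.sendline("STARTTLS")
    if not conn.readreply().startswith("220"):
        raise RuntimeError("STARTTLS refused")
    conn = switch_to_tls(conn)
    conn.sendline(f"EHLO {hostname}")
    return caps, _capabilities(conn.readreply())
```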


______________________________________________________
Archives   : http://tbtech.thebat.dutaint.com
Moderators : mailto:[EMAIL PROTECTED]
Unsubscribe: mailto:[EMAIL PROTECTED]
