smtps

Started by gato, February 04, 2004, 06:04:25 PM


gato

My smtps.

Install stunnel-4.04 from ports.
It is at /usr/ports/security/stunnel.

Create /usr/local/etc/stunnel/stunnel.conf:

Quote:

   cert = /usr/local/etc/stunnel/servercert.pem
   chroot = /var/tmp/stunnel
   pid = /stunnel.pid
   setuid = stunnel
   setgid = stunnel

   #CAfile = /usr/local/etc/stunnel/certs.pem
   #If you have certs.pem, uncomment this line.

   debug = 5
   output = /var/log/stunnel.log

   client = no

   [ssmtp]
   accept  = my_host_name:465
   connect = my_host_name:25

mv /usr/local/etc/rc.d/stunnel.sh.sample /usr/local/etc/rc.d/stunnel.sh
cp /var/qmail/control/servercert.pem /usr/local/etc/stunnel
chown stunnel:stunnel /usr/local/etc/stunnel/servercert.pem

It's very easy.

--
gato@intaa.net

I cannot post to the mail-toaster mailing list. Why?
ezmlm-reject: fatal: List address must be in To: or Cc: (#5.7.0)

gato

mkdir /var/tmp/stunnel
chown stunnel:stunnel /var/tmp/stunnel

matt

Folks, be VERY careful about using stunnel on your mail servers. It has consequences that you may not think about.

Say, for example, you used stunnel for both SMTP and POP3. Let's say that you are also using POP-before-SMTP authentication. A user connects via POP3-SSL and authenticates. Stunnel accepts the SSL connection and then spawns a new connection to the real POP3 port on the local server. Only problem is, now the REMOTEIP is the IP of the stunnel server (127.0.0.1), not the remote mail client.

You have now granted localhost relay permission. No big deal, right? Wrong, because you've done the same for SMTP. Now, any client that connects via SMTPS will have their connection redirected and qmail-smtpd will see a REMOTEIP of 127.0.0.1, no matter what the original IP they connect from is. Thus, you now have an open relay.

The Mail::Toaster already has TLS encryption as part of the smtp daemon. It's enabled by default. Really. There's nothing else you have to do. If you also want an SMTP daemon listening on port 465 (the smtps port), copy the smtp service, modify the port from "smtp" to "smtps" and run it as well.

Be safe,
Matt
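As an added illustration of Matt's point (example code, not from this thread or from Mail::Toaster), the Python below evaluates tcp.smtp rules the way tcpserver looks them up (exact IP, then the 1.2.3. / 1.2. / 1. prefixes, then the default rule) and compares the verdict for a client's real address with the verdict for the 127.0.0.1 that qmail-smtpd sees once a local stunnel has reconnected to port 25. The rule text and the client address are constructed; tcprules' "=host" and "a.b.c.d-e" range forms are not handled.

```python
# Added example (not code from the thread): evaluates ucspi-tcp style
# tcp.smtp rules for the REMOTEIP that qmail-smtpd actually sees, to show
# why a local TLS-terminating proxy (stunnel reconnecting from 127.0.0.1)
# turns a loopback relay rule into an open relay. The rule text below is
# constructed; tcprules' "=host" and "a.b.c.d-e" range forms are not handled.
from typing import Dict, List, Optional, Tuple

# Constructed tcp.smtp fragment in the usual toaster layout: loopback and a
# LAN prefix may relay, everyone else may connect but not relay.
TCP_SMTP_RULES = """\
127.:allow,RELAYCLIENT=""
192.168.0.:allow,RELAYCLIENT=""
:allow
"""

Env = Dict[str, Optional[str]]
Rule = Tuple[str, str, Env]  # (address, "allow" | "deny", environment)


def parse_rules(text: str) -> List[Rule]:
    """Parse tcprules input: ADDRESS:allow|deny[,NAME="value",...]."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instructions = line.partition(":")
        fields = instructions.split(",")
        env: Env = {}
        for field in fields[1:]:
            name, has_value, value = field.partition("=")
            # NAME="value" sets the variable; a bare NAME unsets it (None).
            env[name.strip()] = value.strip().strip('"') if has_value else None
        rules.append((address.strip(), fields[0].strip(), env))
    return rules


def candidate_keys(ip: str) -> List[str]:
    """Lookup order tcpserver uses for an IPv4 address: the exact IP, then
    the 1.2.3. / 1.2. / 1. prefixes, then the empty (default) rule."""
    octets = ip.split(".")
    keys = [ip]
    for n in (3, 2, 1):
        keys.append(".".join(octets[:n]) + ".")
    keys.append("")
    return keys


def lookup(rules: List[Rule], ip: str) -> Tuple[str, Env]:
    """Return (verdict, env) of the first matching rule. tcpserver allows a
    connection for which no rule exists at all, with no extra environment."""
    table = {address: (verdict, env) for address, verdict, env in rules}
    for key in candidate_keys(ip):
        if key in table:
            return table[key]
    return ("allow", {})


def relay_allowed(rules: List[Rule], remote_ip: str) -> bool:
    """qmail-smtpd relays for any connection whose environment has RELAYCLIENT."""
    verdict, env = lookup(rules, remote_ip)
    return verdict == "allow" and "RELAYCLIENT" in env


def observed_remote_ip(client_ip: str, via_local_proxy: bool) -> str:
    """What tcpserver records as the peer: the real client on a direct
    connection, but loopback when a proxy on the same host reconnects."""
    return "127.0.0.1" if via_local_proxy else client_ip


if __name__ == "__main__":
    rules = parse_rules(TCP_SMTP_RULES)
    client = "203.0.113.9"  # constructed external client address
    for proxied in (False, True):
        seen = observed_remote_ip(client, proxied)
        print(f"client {client} via_proxy={proxied}: REMOTEIP={seen} "
              f"relay={relay_allowed(rules, seen)}")
```

Run as-is, the direct connection from 203.0.113.9 is allowed but not granted RELAYCLIENT, while the same client through a loopback stunnel matches the "127." rule and may relay. The fix discussed later in the thread (couriertls or SMTPS=1 inside the tcpserver-spawned smtpd) keeps TLS termination in the process that already holds the client's socket, so REMOTEIP stays the client's own address and the normal tcp.smtp rules apply.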

gato

That's right. Using POP-before-SMTP is dangerous.
OK.
How about the following?

cp -pR /var/qmail/supervise/smtp /var/qmail/supervise/smtps
ln -s /var/qmail/supervise/smtps /var/service/smtps

Edit the /var/qmail/supervise/smtps/run file.
    #!/bin/sh
    PATH=/var/qmail/bin:/usr/local/vpopmail/bin:/usr/local/bin:/usr/bin:/bin
    export PATH
    SMTPSPORT=465
    export SMTPSPORT
    TLS_CERTFILE="/var/qmail/control/servercert.pem"
    export TLS_CERTFILE
    TLS_PROTOCOL=SSL3
    export TLS_PROTOCOL
    TLS_STARTTLS_PROTOCOL=TLS1
    export TLS_STARTTLS_PROTOCOL
    TLS_VERIFYPEER=NONE
    export TLS_VERIFYPEER

    QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
    export QMAILQUEUE

    if [ ! -f /var/qmail/control/rcpthosts ]; then
           echo "No /var/qmail/control/rcpthosts!"
           echo "Refusing to start SMTP listener because it'll create an open relay"
           exit 1
    fi
    # couriertls terminates TLS inside the process tcpserver spawned, so
    # qmail-smtpd still sees the real client address in REMOTEIP.
    exec softlimit -m 40960000 tcpserver -S -R -p -c25 \
           -x /usr/local/vpopmail/etc/tcp.smtp.cdb -u 89 -g 89 0 smtps \
           /usr/local/bin/couriertls -server -tcpd qmail-smtpd your.toaster.host \
           /usr/local/vpopmail/bin/vchkpw /usr/bin/true 2>&1

Edit /var/qmail/supervise/smtps/log/run
    #!/bin/sh

    PATH=/var/qmail/bin:/usr/local/bin:/usr/bin:/bin
    export PATH

    exec setuidgid qmaill multilog t !./smtplog s100000 /var/log/mail/smtps

The key point is "couriertls".

jostreff

Hi All,
this doesn't work with
openssl-0.9.8g, courier-imap-4.3.0_1,2, vpopmail-5.4.26.
I see in my debug log:
DEBUG: Unexpected SSL connection shutdown, and if I manually start couriertls I see that the SSL version wasn't negotiated.

Please any help is welcome ;)

matt

My solution is a bit simpler.

# services stop
# cd /var/qmail/supervise && cp -r smtp smtps
# vi smtps/run

add export SMTPS=1 to the run file after the export $PATH line.