Re: stunnel, OpenSSL, certificates, etc. [was: SMTP server or "forwarding"?]

On 8/29/05, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
> On Mon, 2005-08-29 at 22:22, Jonathan Berry wrote:
> > I don't know about this.  Even if one is there, I have no idea where
> > it is.  Is there a way to find a server that might be there but I
> > don't know about?
> 
> Ask whoever provides the internet connection.

Well, the University states that only University employees have access
to their email via IMAP.  Students are stuck with a web-based
interface, so I don't think there is one available for use.

> > > Stunnel works very much like the xinetd proxy, but the connecting side
> > > runs over ssl.  The client side of this is built into many email
> > > programs that know how to use port 465 for a secure connection.  The
> > > 'back end' connection runs unencrypted so sending on port 25 to the
> > > smtp server automatically works.
> >
> > Yeah, I've figured out that much :).  Now, what I'm not sure about is
> > how the ssl stuff works.  Does the client need to have the certificate
> > to connect, or is it like https where the cert is transferred
> > automatically?
> 
> That's up to the stunnel config.  It doesn't have to require
> a client cert.

So there are two different types?  How do I set it up to where the
client must have a client cert to connect?

> > If it is automatic, is it more secure because whatever
> > is connecting must know to use ssl?
> 
> Normally the 'secure' part involves keeping 3rd parties from
> being able to intercept and decipher the traffic.  In the

Well, yeah, I meant besides that.  I'm more worried about someone
connecting to the SMTP server than seeing what is transmitted.  It's
all clear text to my ISP's server anyway.

> context of your own mail server you might require ssl and
> a login/password authentication to permit mail relaying
> instead of a client certificate. The point of ssl would be
> mostly to avoid sending the password in clear text.

I'd rather not go to the trouble of setting up a whole mail server (at
least not now).  Is there a way to require a username/password to do
the port forwarding stuff (stunnel or xinetd redirect)?

> >  I've been trying to find
> > documentation on setting up stunnel, but am having trouble finding
> > useful stuff.  Some stuff is on stunnel 3 rather than 4, which is very
> > different in setup and use.  I have found some things on OpenSSL to
> > try to figure out the certificate stuff, but cannot seem to find the
> > necessary things on Fedora.  OpenSSL is installed according to RPM,
> > but I cannot find some things mentioned in the docs I have found.
> 
> Your fedora install should have some things set up in
> /usr/share/ssl/certs.  If you cd there and enter:
> "make stunnel.pem" it should prompt you through building
> a server certificate that will be all you need if
> you don't require matching client certs.

Hmm, no, actually there is no /usr/share/ssl/certs/.  I decided to go
back to man rpm and find the flag to list the files provided by a
package (-ql):

# rpm -ql openssl
/etc/pki/CA
/etc/pki/CA/private
/etc/pki/tls
/etc/pki/tls/cert.pem
/etc/pki/tls/certs
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/misc
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/etc/pki/tls/openssl.cnf
/etc/pki/tls/private
...

Exactly what I needed to know.  I did the "make stunnel.pem" and it
seems like Outlook sees the ssl stuff (it complains about the cert (of
course) and telling it not to accept it crashes it :)).  Now, what
else do I need to do to use a client cert?  Am I right in thinking
that I can set it up to where the client must have something (I'm
assuming a certificate of some sort) in order to connect to the
server?

Thanks for your help Les.

Jonathan
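For the client-certificate question raised in this message, here is a stunnel 4 configuration (an added example, not taken from the thread or from the stunnel project) showing the open setting beside the one that makes the server reject any client without a certificate signed by your own CA. The paths under /etc/pki/tls are the ones from the rpm -ql listing above; the CA file name, the chroot directory, the service name and the back-end SMTP host are assumptions.

```ini
; stunnel 4 configuration (assumed location: /etc/stunnel/stunnel.conf)

; Server certificate and key, as produced by "make stunnel.pem" in
; /etc/pki/tls/certs (assumed to have been copied to this path).
cert = /etc/pki/tls/certs/stunnel.pem

; Drop privileges after the sockets are bound (assumed account and directory).
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid          ; relative to the chroot directory

; --- Open setting (the default) ---------------------------------------
; verify = 0 never asks the client for a certificate.  SSL then only keeps
; third parties from reading the traffic; anyone who can speak SSL to port
; 465 reaches the plain-text SMTP back end.
; verify = 0

; --- Hardened setting: require a client certificate -------------------
; CAfile holds the certificate of a CA you run yourself (for example one
; created with the /etc/pki/tls/misc/CA script; file name assumed).  Each
; mail client is issued its own certificate signed by that CA.
; Level 2 drops the connection unless the client presents a certificate
; that chains to a CA in CAfile.  Level 3 is stricter still: the exact
; client certificate must also be installed locally under CApath.
CAfile = /etc/pki/tls/certs/client-ca.crt
verify = 2

; One service: SSL on 465 in front of the unencrypted SMTP connection.
[smtps]
accept  = 465                   ; what the mail client connects to
connect = smtp.example.net:25   ; assumed back-end SMTP server, plain text
```

Only clients holding a certificate issued by the CA in CAfile get as far as the SMTP back end; a client with no certificate, or one signed by any other CA, is refused during the SSL handshake and never reaches port 25.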
