On 8/29/05, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
> On Mon, 2005-08-29 at 22:22, Jonathan Berry wrote:
> > I don't know about this. Even if one is there, I have no idea where
> > it is. Is there a way to find a server that might be there but I
> > don't know about?
>
> Ask whoever provides the internet connection.

Well, the University states that only University employees have access
to their email via IMAP. Students are stuck with a web-based
interface, so I don't think there is one available for use.

> > > Stunnel works very much like the xinetd proxy, but the connecting side
> > > runs over ssl. The client side of this is built into many email
> > > programs that know how to use port 465 for a secure connection. The
> > > 'back end' connection runs unencrypted so sending on port 25 to the
> > > smtp server automatically works.
> >
> > Yeah, I've figured out that much :). Now, what I'm not sure about is
> > how the ssl stuff works. Does the client need to have the certificate
> > to connect, or is it like https where the cert is transferred
> > automatically?
>
> That's up to the stunnel config. It doesn't have to require
> a client cert.

So there are two different types? How do I set it up to where the
client must have a client cert to connect?

> > If it is automatic, is it more secure because whatever
> > is connecting must know to use ssl?
>
> Normally the 'secure' part involves keeping 3rd parties from
> being able to intercept and decipher the traffic. In the

Well, yeah, I meant besides that. I'm more worried about someone
connecting to the SMTP server than seeing what is transmitted. It's
all clear text to my ISP's server anyway.

> context of your own mail server you might require ssl and
> a login/password authentication to permit mail relaying
> instead of a client certificate. The point of ssl would be
> mostly to avoid sending the password in clear text.

I'd rather not go to the trouble of setting up a whole mail server (at
least not now). Is there a way to require a username/password to do
the port forwarding stuff (stunnel or xinetd redirect)?

> > I've been trying to find
> > documentation on setting up stunnel, but am having trouble finding
> > useful stuff. Some stuff is on stunnel 3 rather than 4, which is very
> > different in setup and use. I have found some things on OpenSSL to
> > try to figure out the certificate stuff, but cannot seem to find the
> > necessary things on Fedora. OpenSSL is installed according to RPM,
> > but I cannot find some things mentioned in the docs I have found.
>
> Your fedora install should have some things set up in
> /usr/share/ssl/certs. If you cd there and enter:
> "make stunnel.pem" it should prompt you through building
> a server certificate that will be all you need if
> you don't require matching client certs.

Hmm, no, actually there is no /usr/share/ssl/certs/. I decided to go
back to man rpm and find the flag to list the files provided by a
package (-ql):

# rpm -ql openssl
/etc/pki/CA
/etc/pki/CA/private
/etc/pki/tls
/etc/pki/tls/cert.pem
/etc/pki/tls/certs
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/misc
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/etc/pki/tls/openssl.cnf
/etc/pki/tls/private
...

Exactly what I needed to know. I did the "make stunnel.pem" and it
seems like Outlook sees the ssl stuff (it complains about the cert (of
course) and telling it not to accept it crashes it :)). Now, what else
do I need to do to use a client cert? Am I right in thinking that I
can set it up to where the client must have something (I'm assuming a
certificate of some sort) in order to connect to the server?

Thanks for your help, Les.

Jonathan
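As an added illustration of the two setups discussed in this thread (not a config from either poster): a stunnel 4 configuration for the port-465 to port-25 forwarder, with the "server certificate only" service beside one that refuses the handshake unless the client presents a certificate. The ISP's SMTP hostname and the client-CA file path are assumptions; the server certificate path is the one "make stunnel.pem" in /etc/pki/tls/certs produces.

```ini
; stunnel 4 configuration (added example, not from the thread).
; Server certificate built with "make stunnel.pem" in /etc/pki/tls/certs.
cert = /etc/pki/tls/certs/stunnel.pem

; The two [sections] below are alternatives for the same listener:
; stunnel cannot bind both to 465, so keep only the one you want.

; Variant 1: server certificate only (verify = 0 is the default).
; Encrypts the client-to-stunnel leg, but anyone who can reach 465
; and speak SSL is forwarded to the ISP's port 25 unauthenticated.
[smtps-open]
accept  = 465
connect = smtp.example-isp.net:25   ; assumed ISP relay, replace it
verify  = 0

; Variant 2: require a client certificate.
; verify = 2 rejects the connection unless the client presents a
; certificate that chains to a CA listed in CAfile. CAfile is an
; assumed path: a small private CA you create with openssl and use
; to sign one certificate per allowed client.
; verify = 3 goes one step further and also requires the client's
; own certificate to be installed locally (see CApath in the stunnel
; manual), so only specific certificates, not anything the CA ever
; signed, are accepted.
[smtps-clientcert]
accept  = 465
connect = smtp.example-isp.net:25   ; assumed ISP relay, replace it
verify  = 2
CAfile  = /etc/pki/tls/certs/clients-ca.pem
```

stunnel itself has no username/password step for a forwarded connection; the client certificate is the only per-client check at this layer, and the login/password relay control Les describes belongs to a real mail server behind it.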