As promised, note that I am not the author of this document; Tim Larson (http://kepler.covenant.edu/~talarson/ssl/SSL-Email-HOWTO.html) is the creator/author. I have made changes to the stunnel command to work correctly with Secure SMTP: you must use the -n flag to specify the service. If you omit '-n smtp' the secure tunnel will not always work correctly for all clients:
--- Begin FAQ from http://kepler.covenant.edu/~talarson/ssl/SSL-Email-HOWTO.html ----
2. E-Smith 4.1.2
I did this using E-smith 4.1.2. It might work with other versions - I haven't tried. Let me know of your success/failure.
For those not familiar with E-smith, go to http://www.e-smith.org/. E-smith is a GNU/Linux distribution that is based on RedHat. It provides a simple way to set up a secure firewall, gateway, printer/file sharing (even with Macs), VPN, and more. Simple in that it takes about half an hour to install and configure all of those services (and all you need to know to configure it is its IP address, hostname, and the like). Once set up, a web interface is used to administer the machine.
2.1 Create a 1024-bit RSA private key and a self-signed SSL certificate
E-smith does not come with make. So you either need to install make and other related tools, or perform this step on another machine that you trust and then put the stunnel.pem file in /usr/share/ssl/certs. Also, make sure that your "common name" is correct - some email clients will balk if the server name listed in the certificate does not match the server's FQDN.
cd /usr/share/ssl/certs
make stunnel.pem
Country Name: US
State Name: Florida
Locality Name: Jacksonville
Organization Name: My Organization
Unit Name: My Department
Common Name: www.myservername.com
Email address: me@somewhere.com
This will produce a file named stunnel.pem in the current directory (it needs to be in /usr/share/ssl/certs/). The stunnel.pem file will automatically be set to permissions of 600. As it has your server's private SSL RSA key in it, you only want root to be able to read the file.
This should work, at least with some mail clients, even if you don't get a certificate authority to sign your certificate. However, if you want the mail clients (such as Netscape Mail) to accept your certificate without asking you to confirm, you need to send the second part of the stunnel.pem file to a CA. The Certificate Authority will sign your certificate (cryptographically) and return it to you. You can then replace your unsigned certificate with the signed certificate.
2.2 /etc/services
Create File /etc/e-smith/templates-custom/etc/services/08emailoverSSL with the following:
#
# Email over SSL Services
#
pop3s 995/tcp # POP-3 over SSL
imaps 993/tcp # IMAP over SSL
smtps 465/tcp # SMTP over SSL (TLS)
These lines will be appended to the /etc/services file once the templates are expanded in step 2.5. This will allow settings for many programs to reference "pop3s" and know that it is referring to port 995 using TCP.
2.3 /etc/hosts.allow
Create the file /etc/e-smith/templates-custom/etc/hosts.allow/stunnel with the following:
# Allow imaps, pop3s
imapd : ALL
ipop3d : ALL
smtpd : ALL
These lines will be appended to the /etc/hosts.allow file once the templates are expanded in step 2.5.
Help! Is this the best way to set up the hosts.allow file? I'm not too familiar with hosts.allow, and I don't know if I might be opening up too much here. Am I allowing regular (unencrypted) IMAP sessions with this? If so, how can I prevent it?
2.4 Firewall rules
You will need to open up the appropriate port(s) in the ipchains firewall. Remember:
port 993 (TCP) is assigned to imaps (IMAP Secure)
port 995 (TCP) is assigned to pop3s (POP3 Secure)
port 465 (TCP) is assigned to smtps (SMTP Secure)
The /etc/rc.d/init.d/masq file contains all the firewall rules, so we now want to add our rules to open ports 993, 995, and 465. However, we don't want to edit the file directly, due to the nature of the template files in E-smith. So to work within the template structure, create the file /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/45AllowEmailSSLPorts with the following:
# Allow IMAPS on port 993
/sbin/ipchains --append input -p tcp -s 0/0 -d $OUTERNET 993 -j ACCEPT
/sbin/ipchains --append output ! -y -p tcp -d 0/0 -s $OUTERNET 993 -j ACCEPT
# Allow POP3S on port 995
/sbin/ipchains --append input -p tcp -s 0/0 -d $OUTERNET 995 -j ACCEPT
/sbin/ipchains --append output ! -y -p tcp -d 0/0 -s $OUTERNET 995 -j ACCEPT
# Allow SMTPS on port 465
/sbin/ipchains --append input -p tcp -s 0/0 -d $OUTERNET 465 -j ACCEPT
/sbin/ipchains --append output ! -y -p tcp -d 0/0 -s $OUTERNET 465 -j ACCEPT
2.5 Rebuild configuration files from templates
/sbin/e-smith/expand-template /etc/services
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/sbin/e-smith/expand-template /etc/hosts.allow
2.6 Restart the ipchains firewall
We now need to put into effect the firewall changes we made above.
/etc/rc.d/init.d/masq restart
2.7 Start stunnel daemons
stunnel is a server daemon that will accept SSL encrypted connections on a given port. It can take any existing service (telnet, http, imap, pop, etc.) and tunnel it through an encrypted SSL connection. stunnel needs to start accepting connections on ports 993/995/465 (imaps/pop3s/smtps, respectively). We will get stunnel to fire up its own imap/pop3 daemon. We will be starting stunnel from the command line, as this is more efficient than starting it from inetd.conf (see references below).
Run the following commands, and also add these commands to the end of /etc/rc.d/rc.local so that they will be run on reboot.
/usr/sbin/stunnel -d pop3s -l /usr/sbin/ipop3d
/usr/sbin/stunnel -d imaps -l /usr/sbin/imapd
/usr/sbin/stunnel -d smtps -l /usr/sbin/smtpd -n smtp
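The following audit script is an added example, not part of the original HOWTO or of e-smith: after the steps above it checks the two things the text says clients and the private key depend on (section 2.1: stunnel.pem mode 600 and a certificate CN matching the server's FQDN) and that pop3s/imaps/smtps resolve to 995/993/465 in /etc/services, which the firewall rules and the stunnel -d names in 2.4 and 2.7 rely on. File paths and the FQDN are arguments (defaults are the HOWTO's own locations); the CN check assumes the openssl command line tool is installed.

```shell
# Post-install audit for the stunnel mail setup (added example, not part of the
# original HOWTO). Paths are arguments; defaults are the HOWTO's own locations.

# pem_perms_ok FILE: regular file, mode 600 (it holds the private RSA key).
pem_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# cn_of SUBJECT: common name from an "openssl x509 -noout -subject" line, in
# either "/C=US/.../CN=host/..." or "C = US, ..., CN = host, ..." form.
cn_of() {
    printf '%s\n' "$1" | sed -n 's|.*[/,=] *CN *= *\([^/,]*\).*|\1|p'
}

# cert_cn_ok PEM FQDN: certificate CN must equal the server's FQDN (section 2.1).
cert_cn_ok() {
    subj=$(openssl x509 -noout -subject -in "$1") || return 1
    [ "$(cn_of "$subj")" = "$2" ]
}

# service_port NAME FILE: TCP port FILE (services(5) format) assigns to NAME;
# fails if NAME is absent. Comment and blank lines are skipped.
service_port() {
    awk -v name="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == name && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; found = 1; exit }
        END { exit !found }' "$2"
}

# services_ok FILE: pop3s/imaps/smtps must map to 995/993/465, the ports the
# firewall opens and stunnel resolves by name when started with -d pop3s etc.
services_ok() {
    for pair in pop3s:995 imaps:993 smtps:465; do
        got=$(service_port "${pair%%:*}" "$1") || return 1
        [ "$got" = "${pair##*:}" ] || return 1
    done
}

# audit [PEM] [SERVICES] [FQDN]: run all checks; CN check needs a FQDN and openssl.
audit() {
    pem=${1:-/usr/share/ssl/certs/stunnel.pem}; svc=${2:-/etc/services}; rc=0
    pem_perms_ok "$pem" || { echo "FAIL: $pem missing or not mode 600"; rc=1; }
    services_ok "$svc" || { echo "FAIL: pop3s/imaps/smtps not 995/993/465 in $svc"; rc=1; }
    if [ -n "$3" ] && command -v openssl >/dev/null 2>&1; then
        cert_cn_ok "$pem" "$3" || { echo "FAIL: certificate CN is not $3"; rc=1; }
    fi
    return $rc
}
```

Run it as `audit /usr/share/ssl/certs/stunnel.pem /etc/services "$(hostname -f)"` on the e-smith box after step 2.5; a non-zero exit means one of the checks above failed and the message says which.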