stunnel, OpenSSL, certificates, etc. [was: SMTP server or "forwarding"?]

Jonathan Berry berryja at gmail.com
Tue Aug 30 03:22:32 UTC 2005


On 8/28/05, Les Mikesell <lesmikesell at gmail.com> wrote:
> On Sat, 2005-08-27 at 17:57, Jonathan Berry wrote:
> > > 'fixed client at another location' case you may be able to
> > > send though a local smtp server.  The roaming on is a
> >
> > That would be ideal, but I do not know if such a server is available.
> 
> Chances are pretty good that one is there.  Or, you could use

I don't know about this.  Even if one is there, I have no idea where
it is.  Is there a way to find a server that might be there but I
don't know about?

[snip]
> > > I wouldn't recommend it.  A better alternative would be to
> > > use 'stunnel' to accept ssl connections with a client certificate
> >
> > This sounds interesting too.  I like the idea of having some auth that
> > would be simple to setup.  I guess I'll do some reading up on stunnel
> > and see if I can get that working.  Anyone have any experience with
> > stunnel?
> 
> Stunnel works very much like the xinetd proxy, but the connecting side
> runs over ssl.  The client side of this is built into many email
> programs that know how to use port 465 for a secure connection.  The
> 'back end' connection runs unencrypted so sending on port 25 to the
> smtp server automatically works.

Yeah, I've figured out that much :).  Now, what I'm not sure about is
how the ssl stuff works.  Does the client need to have the certificate
to connect, or is it like https where the cert is transferred
automatically?  If it is automatic, is it more secure because whatever
is connecting must know to use ssl?  I've been trying to find
documentation on setting up stunnel, but am having trouble finding
useful stuff.  Some stuff is on stunnel 3 rather than 4, which is very
different in setup and use.  I have found some things on OpenSSL to
try to figure out the certificate stuff, but cannot seem to find the
necessary things on Fedora.  OpenSSL is installed according to RPM,
but I cannot find some things mentioned in the docs I have found.

# rpm -qa | grep ssl
openssl-devel-0.9.7f-7
mod_ssl-2.0.54-10.1
openssl-0.9.7f-7

This HOWTO looks pretty good, though I've only started reading it:
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html

But as an example of not finding things, this part:
http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x120.html
mentions /etc/openssl.cnf which I don't have, and CA.pl, which I also
don't seem to have.  Is there something more I need to install?  Doing
a 'yum list "*ssl*"' shows there is an openssl.i386 package in
addition to the i686 one I have installed.  Is that just for < 686
CPUs and the 686 package takes advantage of some 686 instructions? 
Would I get anything else by installing from source?  Can anyone offer
some help with this?

> > > required and forward to your isp, or run your own mail server
> > > with ssl on port 465 or port 587 with TLS and require authenticated
> > > logins for SMTP forwarding.  Most current mail clients support
> >
> > Might as well use Gmail if I'm to go that far.  Less to have to keep track of.
> 
> It does seem like the easiest solution.

But not nearly as much fun ;).

Thanks,
Jonathan
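
The stunnel 4 client-certificate setup this thread is discussing, as an added example that is not part of the original post and not the stunnel or OpenSSL projects' own material. It builds a throwaway private CA with the openssl command, issues a server certificate and a client certificate from that CA, writes an stunnel 4 server config whose "verify = 2" makes stunnel demand a client certificate that chains to the file named in "CAfile", and then runs the same chain check (openssl verify) against one certificate the CA signed and one it did not. The working directory, the CA name, the service name "smtps", the certificate names and the backend address 127.0.0.1:25 are all assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway private CA, a
# server and a client certificate issued by it, and an stunnel 4 server
# config that refuses any client whose certificate does not chain to that CA.
# All paths, the CA name, "smtps" and the certificate names are assumptions.
set -e

# make_ca DIR: self-signed CA certificate and key; this is the trust anchor
# stunnel is pointed at with CAfile.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo stunnel CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME: key and CSR for NAME, then a certificate signed by the CA.
# Used for the server certificate (cert= / key=) and for each client certificate.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$1/$2.csr" \
    -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/$2.pem" 2>/dev/null
}

# self_signed DIR NAME: a certificate NOT issued by the CA, standing in for a
# client that merely "knows to use ssl" but holds no certificate of ours.
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# verify_cert DIR NAME: the chain check stunnel performs with verify = 2;
# succeeds only if NAME.pem was signed by ca.pem.
verify_cert() {
  openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

# write_stunnel_conf DIR: stunnel 4 server side. The server certificate is
# sent to every client automatically (as with https); verify = 2 additionally
# demands a client certificate chaining to CAfile before stunnel opens the
# plaintext hop to port 25.
write_stunnel_conf() {
  cat > "$1/stunnel.conf" <<EOF
cert = $1/server.pem
key = $1/server.key
CAfile = $1/ca.pem
verify = 2

[smtps]
accept = 465
connect = 127.0.0.1:25
EOF
}

# demo: build everything in a temp dir, then show one accepted and one
# rejected client certificate.
demo() {
  d=$(mktemp -d)
  make_ca "$d"
  issue_cert "$d" server
  issue_cert "$d" laptop
  self_signed "$d" stranger
  write_stunnel_conf "$d"
  verify_cert "$d" laptop   && echo "laptop.pem:   accepted (signed by our CA)"
  verify_cert "$d" stranger || echo "stranger.pem: rejected (not signed by our CA)"
  echo "stunnel config written to $d/stunnel.conf"
}

demo
```

Two points the demo makes concrete. First, the https analogy only covers the server's certificate: stunnel hands server.pem to every connecting client on its own, so simply "knowing to use ssl" gives an attacker encryption but no authentication. What makes the relay private is "verify = 2", which makes stunnel require the client to present a certificate signed by the CA in CAfile; leaving "verify" unset lets anyone who can complete an SSL handshake relay through to port 25. Second, each roaming client therefore needs its own laptop.pem plus laptop.key (issued as above and copied to it), configured in the mail client or in a client-mode stunnel on that machine, and the private ca.key should never leave the machine that issues certificates.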
