smtps

[gato]

My smtps.

Install stunnel-4.04 by ports.
It is at /usr/ports/security/stunnel.

make /usr/local/etc/stunnel/stunnel.conf.

Quote:

cert = /usr/local/etc/stunnel/servercert.pem    chroot = /var/tmp/stunnel    pid = /stunnel.pid    setuid = stunnel    setgid = stunnel    #CAfile = /usr/local/etc/stunnel/certs.pem    #If you have certs.pem, uncomment this line.    debug = 5    output = /var/log/stunnel.log    client = no    [ssmtp]    accept  = my_host_name:465    connect = my_host_name:25

mv /usr/local/etc/rc.d/stunnel.sh.sample /usr/local/etc/rc.d/stunnel.sh
cp /var/qmail/control/servercert.pem /usr/local/etc/stunnel
chown stunnel:stunnel /usr/local/etc/stunnel/servercert.pem

It's very easy.

--
mailto:gato@intaa.net" target="_blank">gato@intaa.net




I cannot post mail-toaster mailinglist. Why?
ezmlm-reject: fatal: List address must be in To: or Cc: (#5.7.0)

[gato]

mkdir /var/tmp/stunnel
chown stunnel:stunnel /var/tmp/stunnel

[matt]

Folks, be VERY careful about using stunnel on your mail servers. It has consequences that you may not think about.

Say, for example you used stunnel for both SMTP and POP3.  Let's say that you are also using POP before SMTP authentication. A user connections via POP3-SSL and authenticates. Stunnel accepts the SSL connection and then spawns a new connection to the real POP3 port on the local server. Only problem is, now the REMOTEIP is the IP of the stunnel server (127.0.0.1), not the remote mail client.

You have now granted localhost relay permission. No big deal right?  Wrong, because you've done the same for SMTP. Now, any client that connects via SMTPS will have their connection redirected and qmail-smtpd will see a REMOTEIP of 127.0.0.1, no matter what the original IP they connect from is. Thus, you now have an open relay.

The Mail::Toaster already has TLS encryption as part of the smtp daemon. It's enabled by default. Really. There's nothing else you have to do. If you also want a SMTP daemon listening on port 465 (the smtps port), copy the smtp service, modify the port from "smtp" to "smtps" and run it as well.

Be safe,
Matt

[gato]

That's right. Using by pop before smtp is dangerous.
OK.
How is next it?

cp -pR /var/qmail/supervise/smtp /var/qmail/supervise/smtps
ln -s /var/qmail/supervise/smtps /var/service/smtps

Edit /var/qmail/supervise/smtps/run file.

#!/bin/sh
PATH=/var/qmail/bin:/usr/local/vpopmail/bin:/usr/local/bin:/usr/bin:/bin
export PATH
SMTPSPORT=465
export SMTPSPORT
TLS_CERTFILE="/var/qmail/control/servercert.pem"
export TLS_CERTFILE
TLS_PROTOCOL=SSL3
export TLS_PROTOCOL
TLS_STARTTLS_PROTOCOL=TLS1
export TLS_STARTTLS_PROTOCOL
TLS_VERIFYPEER=NONE
export TLS_VERIFYPEER
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
export QMAILQUEUE

if [ ! -f /var/qmail/control/rcpthosts ]; then
       echo "No /var/qmail/control/rcpthosts!"
       echo "Refusing to start SMTP listener because it'll create an open relay
"
       exit 1
fi
exec softlimit -m 40960000 tcpserver -S -R -p -c25 \
       -x /usr/local/vpopmail/etc/tcp.smtp.cdb -u 89 -g 89 0 smtps \
       /usr/local/bin/couriertls -server -tcpd qmail-smtpd

your.toaster.host \
       /usr/local/vpopmail/bin/vchkpw /usr/bin/true 2>&1[/list:u]

Edit /var/qmail/supervise/smtps/log/run

#!/bin/sh

PATH=/var/qmail/bin:/usr/local/bin:/usr/bin:/bin
export PATH

exec setuidgid qmaill multilog t !./smtplog s100000 /var/log/mail/smtps[/list:u]

Point! "couriertls"

[jostreff]

Hi All,
this doesn't work with
openssl-0.9.8g, courier-imap-4.3.0_1,2, vpopmail-5.4.26
I see in my debug log:
DEBUG: Unexpected SSL connection shutdown, and I see if I manualy start couriertls that SSL version wasn't negotiated.

Please any help is welcome

[matt]

My solution is a bit simpler.

# services stop
# cd /var/qmail/supervise && cp -r smtp smtps
# vi smtps/run

add export SMTPS=1 to the run file after the export $PATH line.