SSL Pop3

chow
New user
Posts: 18
Joined: 2004-02-04 18:59

SSL via stunnel

Post by chow » 2004-03-09 04:47

http://www.vajri.com/ftp/

stunnel.zip
openssl-0.9.7c.tar.gz


Install openssl if you need to create the private key and public certificate. If you already have a certificate and key (make a .pem file with the key first, a blank line, then the cert and a blank line), then just unzip the stunnel.zip file, and edit the conf file as desired.

After that:

stunnel -install

which installs it as a Windows service.
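The single .pem file described above (private key first, a blank line, then the certificate) is easy to get wrong by hand, so here is an added example that assembles it from two separate PEM files and checks the block markers first. This is not code from chow's post or from the stunnel/OpenSSL projects; the PEM bodies below are constructed placeholders, not real key or certificate material, and the check for a passphrase-protected key is an assumption based on the later post that stunnel wants an unencrypted key. It goes slightly beyond the post by also carrying along any extra CERTIFICATE blocks (an intermediate chain) after the server certificate.

```python
"""Assemble the combined key+certificate .pem that stunnel reads.

Added example for the forum thread; not stunnel's or OpenSSL's own code.
"""
import re

# Constructed placeholder PEM material: the base64-looking bodies are NOT
# real keys or certificates, only stand-ins so the example runs offline.
FAKE_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAPLACEHOLDERKEYMATERIAL000000000000000000000000000000
-----END RSA PRIVATE KEY-----
"""
FAKE_CERT = """-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIPLACEHOLDERCERTIFICATE0000000000000000000000000
-----END CERTIFICATE-----
"""
# A passphrase-protected key carries Proc-Type/DEK-Info headers; stunnel
# (per the thread) needs the key unencrypted, so this one must be rejected.
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIIBOgIBAAJBAPLACEHOLDERKEYMATERIAL000000000000000000000000000000
-----END RSA PRIVATE KEY-----
"""

# One well-formed PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n", re.S)


def pem_blocks(text):
    """Return [(label, body)] for every well-formed PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_problem(key_pem):
    """Return None if key_pem holds exactly one unencrypted private key,
    otherwise a message saying what is wrong."""
    keys = [b for b in pem_blocks(key_pem) if "PRIVATE KEY" in b[0]]
    if len(keys) != 1:
        return "expected exactly one PRIVATE KEY block, found %d" % len(keys)
    if "ENCRYPTED" in keys[0][1]:
        return "private key is passphrase-protected; stunnel needs an unencrypted key"
    return None


def build_stunnel_pem(key_pem, cert_pem):
    """Return the combined file: key block, blank line, certificate block(s),
    trailing blank line, as the post describes."""
    problem = key_problem(key_pem)
    if problem:
        raise ValueError(problem)
    keys = [b for b in pem_blocks(key_pem) if "PRIVATE KEY" in b[0]]
    certs = [b for b in pem_blocks(cert_pem) if b[0] == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    parts = ["-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)
             for label, body in keys + certs]
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    print(build_stunnel_pem(FAKE_KEY, FAKE_CERT))
```

To use it on real files, read `privkey.pem` and `certificate.crt` (the names used later in this thread) into strings, call `build_stunnel_pem`, and write the result to the path named by stunnel's `cert` option; the combined file contains the private key, so restrict its permissions to the account stunnel runs as.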

Horas

Post by Horas » 2004-08-15 21:34

I was successful configuring stunnel myself but I use another config-file:

cert= signed cert file
key=unencrypted key
ciphers=DES-CBC3-SHA:IDEA-CBC-MD5

[SECURE_IMAP]
accept=993
connect=143

[SECURE_POP3]
accept=995
connect=110

[SECURE_SMTP]
accept=465
connect=25

works at least with pop3.

I did not create this special stunnel certificate with private key and certificate (that just didn't work), I just used the private RSA key I created with OpenSSL (NOT the CA key!) in one file (referred to in the key parameter) and the certificate, which is signed by the CA.

I don't know if this is the optimal configuration or if it is really secure, I'm still trying to figure out how to configure everything correctly - but perhaps it may help some people.

Better config-file info for stunnel: http://www.stunnel.org/faq/stunnel.html

(after reading lots of OpenSSL documentation, the style of the man page is quite familiar to me ^^)

Feel free to contact me if you have suggestions, better configurations or questions (though I might not be able to answer them!)

hmail_ssl.20.horas@spamgourmet.com
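Before deploying a config like the one above, it is worth checking it mechanically: that `cert` and `key` are set, that each service maps a TLS listener to the matching plaintext port, and that the `ciphers` line does not pin obsolete suites (DES-CBC3-SHA and IDEA-CBC-MD5 are 3DES and IDEA with MD5, which no current client should be offered). The following is an added example, not code from this thread or from the stunnel project; the sample config and its paths are constructed, and the list of weak-cipher markers is this editor's choice rather than anything stunnel ships.

```python
"""Parse an ini-style stunnel.conf and report defender-relevant findings.

Added example for the forum thread; not stunnel's own parser.
"""

# Constructed sample config modelled on the posts in this thread.
SAMPLE_CONF = """\
cert = C:/stunnel/server.pem      ; signed certificate
key = C:/stunnel/server.pem       ; unencrypted private key
ciphers = DES-CBC3-SHA:IDEA-CBC-MD5
;taskbar = no

[SECURE_IMAP]
accept=993
connect=143

[SECURE_POP3]
accept=995
connect=110

[SECURE_SMTP]
accept=465
connect=25
"""

# Implicit-TLS listener -> plaintext backend port pairs used in the thread.
EXPECTED_PAIRS = {993: 143, 995: 110, 465: 25}

# Fragments of OpenSSL cipher-suite names that mark obsolete or broken
# algorithms (assumed list for this example).
WEAK_MARKERS = ("DES", "IDEA", "RC4", "MD5", "NULL", "EXPORT")


def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}).

    Lines beginning with ';' are comments and anything after an inline ';'
    is dropped; option names are lower-cased because stunnel treats them
    case-insensitively. Options before the first [section] are global.
    """
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        target = services[current] if current is not None else global_opts
        target[key.lower()] = value
    return global_opts, services


def _port(value):
    """Accept 'port' or '[host:]port' and return the port as an int."""
    return int(value.rsplit(":", 1)[-1])


def check_config(text):
    """Return a list of human-readable findings (empty means nothing flagged)."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for required in ("cert", "key"):
        if required not in global_opts:
            findings.append("missing global option: %s" % required)
    for suite in filter(None, global_opts.get("ciphers", "").split(":")):
        if any(marker in suite.upper() for marker in WEAK_MARKERS):
            findings.append("weak cipher suite: %s" % suite)
    for name, opts in services.items():
        try:
            accept, connect = _port(opts["accept"]), _port(opts["connect"])
        except (KeyError, ValueError):
            findings.append("%s: accept and connect must both be set to ports" % name)
            continue
        if EXPECTED_PAIRS.get(accept) != connect:
            findings.append("%s: %d -> %d is not a standard TLS/plaintext pair"
                            % (name, accept, connect))
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONF):
        print(finding)
```

Run against the sample, the only findings are the two cipher suites; the port pairs match what the thread uses. Note that the backend ports (143, 110, 25) stay plaintext between stunnel and hMailServer, so this setup only protects the client-to-stunnel leg and the two should sit on the same host or a trusted network.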

Demoric
New user
Posts: 14
Joined: 2005-03-19 06:55

Post by Demoric » 2005-04-20 22:31

I'm trying to do SSL POP3/IMAP/SMTP, but clients can't seem to connect.

I've opened additional ports on my firewall and router. I'm thinking it's a misconfiguration; if you have any suggestions they'd be appreciated.

Here's my stunnel.conf file.


CApath = C:/apache2triad/opssl/cert/
CAfile = certificate.crt
cert = C:/apache2triad/opssl/cert/certificate.crt
key = C:/apache2triad/opssl/cert/privkey.pem
RNDfile = C:/apache2triad/opssl/cert/stunnel.rnd
output = C:/apache2triad/opssl/cert/stunnel.log
ciphers = DES-CBC3-SHA:IDEA-CBC-MD5
service = HmailStunnel
debug = 7
;taskbar = no
;accept = [host:]port

[SECURE_IMAP]
accept=993
connect=143

[SECURE_POP3]
accept=995
connect=110

[SECURE_SMTP]
accept=465
connect=25

Duffin444
Normal user
Posts: 58
Joined: 2004-11-11 20:28

Post by Duffin444 » 2005-04-20 23:08

Have you guys had a chance to poke around with sslexplorer? Might be worth checking out, I use it all the time, though not for mail.

-Duffin

JasonMcFeetors
New user
Posts: 4
Joined: 2005-06-23 20:46

Re: SSL via stunnel

Post by JasonMcFeetors » 2005-06-29 21:48

chow wrote:http://www.vajri.com/ftp/

stunnel.zip
openssl-0.9.7c.tar.gz


Install openssl if you need to create the private key and public certificate. If you already have a certificate and key (make a .pem file with the key first, a blank line, then the cert and a blank line), then just unzip the stunnel.zip file, and edit the conf file as desired.

After that:

stunnel -install

which installs it as a Windows service.
Chow,

Any chance that you would be willing to write a tutorial on how to do this? I hate to beg but I will! :wink:

Jason

benn600
Senior user
Posts: 283
Joined: 2006-03-04 03:25

Post by benn600 » 2006-03-04 03:28

I just set up Stunnel and have got the SSL tunneling working great, except Thunderbird keeps reporting an expired certificate. I've tried OpenSSL but I have no idea how to get a .pem file out of this program. I am not familiar with the program or SSL in general. Thanks!

theTerran
Senior user
Posts: 287
Joined: 2004-06-22 18:07
Location: Florida

Post by theTerran » 2006-03-07 03:04

Are you creating a root cert or "user" cert? You can use the following commands with OpenSSL...

root certificate:


$ cd /etc/ssl/CA/CA-DB
$ openssl req -new -x509 -days 365 -keyout private/cakey.pem -out cacert.pem
"user" cert:


$ cd /etc/ssl/CA
$ openssl req -new -keyout nameofkey.pem -out nameofcert-req.pem
For either instance, enter info like your PEM pass phrase and Distinguished Name details when prompted.

...of course, I always recommend learning about what you're doing before you blindly follow some unreferenced commands off some forum! :roll:
Daniel
Terran Enterprises LLC

theTerran
Senior user
Posts: 287
Joined: 2004-06-22 18:07
Location: Florida

Post by theTerran » 2006-03-07 03:06

Oh yes -- you will also need to sign your certificate once created.


$ openssl ca -out dmanncert.pem -infiles dmanncert-req.pem
See what I mean about following blindly? There's lots I'm sure I haven't thought of just because it has been a while since I set up my certificate server and issued a few certs.
Daniel
Terran Enterprises LLC

benn600
Senior user
Posts: 283
Joined: 2006-03-04 03:25

Post by benn600 » 2006-03-09 20:28

The problem I have is that I don't know where I can enter those commands in. Should I use the command prompt in Windows XP? I don't think it would work...?

theTerran
Senior user
Posts: 287
Joined: 2004-06-22 18:07
Location: Florida

Post by theTerran » 2006-03-09 21:04

Alas, this is yet another example of how hard it can be to help someone in another environment. There are so many variables to consider!

We run multiple operating systems in our shop, and have OpenSSL running on OpenBSD. That's why you see the "$" prompt at the beginning of each line -- this is the standard command prompt for a non-root user on OpenBSD. So, if you are running on Windows, you will need to reinterpret the command "cd /etc/ssl/CA/CA-DB", which simply changes to the CA-DB (Certificate Authority DataBase) directory.

Does OpenSSL run on Windows? I'm not sure... If so, then you would likely use the same or equivalent commands to generate and sign certificates in your Windows environment. Generating a certificate request can be done on pretty much any machine with OpenSSL; signing the certificate must be done on the certificate authority, or CA.

You know, I'm really not the right person to teach you about SSL. My initial response was prompted by your comment/question
benn600 wrote:I've tried OpenSSL but I have no idea how to get a .pem file out of this program?
...in response to which I offered exactly that: how to get a .pem file out of OpenSSL! Any further instruction is not only outside of the scope of this forum, but also outside what I can suggest without knowing your environment a lot better.

At this point you may wish to take your questions on SSL to a better resource: the openssl-users mailing list, whose archives and subscription information can be found on the OpenSSL Support page.

Good luck, and I hope you get everything working! If you do and want to contribute back, a HowTo in the appropriate forum here would probably be appreciated by other users.

Regards,
Daniel
Terran Enterprises LLC

ldsandon
New user
Posts: 22
Joined: 2006-04-03 11:24

Post by ldsandon » 2006-04-03 11:41

benn600 wrote:The problem I have is that I don't know where I can enter those commands in. Should I use the command prompt in Windows XP? I don't think it would work...?
Yes, you have to do it at the command prompt. Why shouldn't it work? Most programs ported from *nix systems require you to use a command line interface.

neoform
New user
Posts: 9
Joined: 2006-07-09 07:33

Post by neoform » 2006-08-10 21:30

I seem to have it working, however for whatever reason, in Thunderbird I don't see the cert being stored (even though I'm connected using SSL).

Isn't it standard for Thunderbird to download the server's cert?
