DISCUSSION: HOWTO Setup a Secure Relaying Email Server

DavidPhillips · 09-21-2003, 09:25 PM

This thread is to discuss the article titled: HOWTO Setup a Secure Relaying Email Server

lenlutz · 10-02-2003, 12:35 PM

i followed this, as closely as i was able, but, had a few problems:

when i ran /bin/netstat -tp
i got nothing like what was shown

when i ran /usr/sbin/stunnel /etc/stunnel/myserver.conf
i got

Either -r, -l (or -L) option must be used

Try 'stunnel -h' for more information.

ive been really tryiing to get this to work...
using redhat 8.0

any help, is greatly apprciated... im not a newbie to unix, and
not all that new to linux, though i sure am haing some mail problems....

DavidPhillips · 10-05-2003, 11:41 AM

what do you get when running netstat on the server?

The -t is a filter to show only tcp, -p displays the pid of the program with the connection.

you could try netstat -lp

Code:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 *:imaps                 *:*                     LISTEN      1117/xinetd

stunnel needs the -r or -l as used on the server to tell it how to connect. The config file contains the needed information. Be sure that the config file is correct and that the user running stunnel can access it.

I run stunnel as root

Code:

ls -l /etc/stunnel
total 4
-rw-------    1 root     root         278 Oct  5 11:14 www.conf

Code:

cat /etc/stunnel/www.conf

client = yes
debug = debug
cert = /usr/share/ssl/private/www.pem
[pop3s]
accept = localhost:110
connect = mail.dcphillips.net:995
[imaps]
accept = localhost:143
delay = yes
connect = mail.dcphillips.net:993
[smtps]
accept = localhost:25
connect =mail.dcphillips.net:465

your logs should tell you if stunnel has a problem starting, check /var/log/messages for more info on the problem.

linuxnube · 10-27-2003, 08:21 PM

As for the windows client goes, how does this work with antivirus software that is also intercepting mail sent from the client on localhost, in order to scan outgoing mail for viruses?

-KS

DavidPhillips · 10-27-2003, 09:22 PM

No problem as far as I have tested.

I have "Norton AV 2002" set to scan email, I also have it set to display a progress indicator when I send mail. The progress screen comes up and shows the scan as expected.

I would expect other scanners to work as expected also.

linuxnube · 11-04-2003, 02:13 PM

DavidPhillips · 11-04-2003, 04:08 PM

yes linuxnube it will work. the .dll files for openssl are found at stunnel.org in the download area, that's all you need on the client unless you intend to create certificates on the client. Then you would need to install openssl.

romel · 12-15-2003, 01:37 PM

Can I setup "exim 4" mail server at "debian gnu linux 3.0" by following these instructions....I want to setp a secure mail server at debian and also a scanner for it's incoming and outgoing email....

DavidPhillips · 12-15-2003, 06:02 PM

This document covers setting up a secure tunnel to transfer mail over. You can use it to secure any mailserver you wish.

It does not cover mailserver installation or configuration.

romel · 12-16-2003, 02:12 PM

thanks...Now I understand...

J_Szucs · 01-01-2004, 01:22 PM

According to the Article, one should setup stunnel and ssl on the client, too, to connect to e.g. a secure smtp server.

Fortunately, it is not so. I tested the setup and found that the mail client of Mozilla 1.5 can perfecly use the smtps server even if you do not have stunnel on the client! In my case I had a https server with client-server authentication using stunnel on the server, and, based on that setup, it took me not more than a minute to setup the new, smtps service.

Stunnel and Mozilla rock!

Thanks for the tip!

DavidPhillips · 01-01-2004, 03:02 PM

Yes, that's true if your client supports it directly you can input the server instead of localhost. It does sound like your not using client certificate auth on the server if this works without using the client certificate. That's the difference.

Also not all clients will support it, so If yours does not you can do it with stunnel and ssl. If it does the choice is yours to decide.

DavidPhillips · 04-02-2004, 02:37 AM

As a side note..

Normal smtp mailserver setup was not covered here, but be sure your port 25 is open on your firewall for incoming email.

kenoichi · 04-09-2004, 05:28 PM

what affero button?

DavidPhillips · 04-09-2004, 06:07 PM

The one that says ( * affero ) on it!