LinuxQuestions.org
Old 05-11-2004, 01:00 AM   #16
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Original Poster
Rep: Reputation: 58
The Linux Client and local MTA.


There are several ways to setup a Mail Delivery Agent (MDA) or Mail Transfer Agent (MTA) for your system.

Some distros' default setup may depend on an MTA like postfix running an SMTP server for local mail delivery. If this is the case, or if you want to be able to run mail servers on your machine and still use a mail client account as this howto does, you would not be able to use the default mailserver ports as the original document explains.

This was only mentioned in the document but I have decided to add this to assist someone wanting to use this other method.

You will be able to run all servers as usual on the machine and will only make changes to the secure client configuration, and email account settings on your email client software.

You will need an interface to use for the local connection; this should be set up using your distro's method of configuring interfaces. Here is an example using an ifup configure script, which seems to be popular on the major distros.

Copy your configure script for the loopback interface to the new interface configure script.

The location of the files varies from one distro to another, but you should find them somewhere under /etc/sysconfig/.

Code:
cp /etc/sysconfig/network-scripts/ifcfg-lo /etc/sysconfig/network-scripts/ifcfg-lo:1

Changes to this file's contents would include the IP address and the device name if it has one; any other options that contain lo would be changed to lo:1.

If you use the NAME= option then choose something other than localhost.

Code:
david@zeus:~> cat /etc/sysconfig/network/ifcfg-lo:1
# Loopback (lo:1) configuration
DEVICE=lo:1
IPADDR=127.0.0.2
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
STARTMODE=onboot

If you use this method, everything should be OK at boot; the result is seen with ifconfig.


Code:
david@zeus:~> /sbin/ifconfig lo

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2258 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2258 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:146164 (142.7 Kb)  TX bytes:146164 (142.7 Kb)
 
david@zeus:~> /sbin/ifconfig lo:1

lo:1      Link encap:Local Loopback
          inet addr:127.0.0.2  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1


Note that the lo interface must be up for the lo:1 interface to be present for configuration.



If you use an rc.inet script or some other method to bring up the lo interface, add the lo:1 interface to the configuration.

Another way is to use rc.local, adding the ifconfig command at boot.

Code:
ifconfig lo:1 127.0.0.2


Now that the interface is set up, the stunnel config file needs to be set up to make the local connection available on the lo:1 interface.


Code:
zeus:~ # cat /etc/stunnel/stunnel.conf
client = yes
debug = debug
cert = /etc/ssl/private/www.pem
[pop3s]
accept = 127.0.0.2:110
connect = mail.dcphillips.net:995
[imaps]
accept = 127.0.0.2:143
delay = yes
connect = mail.dcphillips.net:993
[smtps]
accept = 127.0.0.2:25
connect = mail.dcphillips.net:465

stunnel will need a restart to complete the changes.

Depending on your firewall settings you may need to add the new interface, although it's not likely that you would be firewalling the 127.0.0.0 network.

Now the servername on your email client software will need to be changed for the account so that the server is 127.0.0.2 instead of localhost or 127.0.0.1.

This example frees up the local pop3, imap, and smtp ports so you could use them for servers. You may only need to use one or more of the ports on your system. Set up your config file for your needs.


Enjoy!


Last edited by DavidPhillips; 05-31-2004 at 12:42 PM.
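A worked version of the steps in the post above, added here as an example and not code from DavidPhillips' post: a small POSIX shell script that derives the ifcfg-lo:1 alias file from a copy of ifcfg-lo the way the post describes (device name, address and NAME= changed), then checks a client-mode stunnel.conf so that every accept= listener is bound to the 127.0.0.2 alias rather than a bare port (which would bind every interface), and that the client verifies the server certificate with stunnel's verify = 2 plus a CAfile (the post's config sets neither, and stunnel's documented default is no peer verification). The sample ifcfg-lo, both stunnel.conf files, the host mail.example.net and the temporary working directory are constructed for the demonstration; the real files live under /etc/sysconfig/ and /etc/stunnel/.

```shell
#!/bin/sh
# Added example, not code from the original post: build the lo:1 alias config
# from an existing ifcfg-lo and sanity-check a client-mode stunnel.conf.
# Everything runs in a throwaway directory; the real files live under
# /etc/sysconfig/ and /etc/stunnel/ (paths and hostnames here are constructed).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of a distro loopback config, SuSE-style keys as in the post.
cat > "$WORK/ifcfg-lo" <<'EOF'
# Loopback (lo) configuration
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
NAME=localhost
STARTMODE=onboot
EOF

# make_alias_cfg SRC DST ALIAS IP
# Copy the lo config to the alias file, renaming the device (including the
# comment header), setting the alias address, and replacing NAME=localhost
# so the alias does not claim the localhost name.
make_alias_cfg() {
    sed -e "s/^DEVICE=lo\$/DEVICE=$3/" \
        -e "s/^IPADDR=.*/IPADDR=$4/" \
        -e "s/^NAME=localhost\$/NAME=$3/" \
        -e "s/(lo)/($3)/" "$1" > "$2"
}

# check_stunnel_conf FILE ALIAS_IP
# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
check_stunnel_conf() {
    file=$1; ip=$2; rc=0
    # The post's whole point is client mode: stunnel connects out over TLS and
    # hands the mail client a plaintext socket on the alias.
    grep -q '^client *= *yes' "$file" || { echo "client = yes is missing"; rc=1; }
    # A bare port (accept = 25) binds every interface, so the plaintext side
    # would be reachable from the network; insist on the 127.0.0.2 alias.
    for val in $(sed -n 's/^accept *= *//p' "$file"); do
        case $val in
            "$ip":*) ;;
            *) echo "accept $val is not bound to $ip"; rc=1 ;;
        esac
    done
    # Without verify = 2 and a CAfile the client accepts any server certificate.
    grep -q '^verify *= *2' "$file" && grep -q '^CAfile *=' "$file" \
        || { echo "verify = 2 with a CAfile is missing"; rc=1; }
    return $rc
}

# Weak config (constructed): one listener on a bare port, no verification.
cat > "$WORK/stunnel.conf" <<'EOF'
client = yes
cert = /etc/ssl/private/www.pem
[pop3s]
accept = 127.0.0.2:110
connect = mail.example.net:995
[smtps]
accept = 25
connect = mail.example.net:465
EOF

# Corrected config (constructed): every listener on the alias, server verified.
cat > "$WORK/stunnel-fixed.conf" <<'EOF'
client = yes
verify = 2
CAfile = /etc/ssl/certs/ca-bundle.pem
cert = /etc/ssl/private/www.pem
[pop3s]
accept = 127.0.0.2:110
connect = mail.example.net:995
[smtps]
accept = 127.0.0.2:25
connect = mail.example.net:465
EOF

make_alias_cfg "$WORK/ifcfg-lo" "$WORK/ifcfg-lo:1" lo:1 127.0.0.2
echo "== $WORK/ifcfg-lo:1 =="; cat "$WORK/ifcfg-lo:1"
echo "== findings for the weak config =="
check_stunnel_conf "$WORK/stunnel.conf" 127.0.0.2 || true
echo "== findings for the corrected config =="
check_stunnel_conf "$WORK/stunnel-fixed.conf" 127.0.0.2 && echo "clean" || echo "still has findings"
```

Run it as an ordinary user; it never touches /etc. On a real host, point make_alias_cfg at the distro's ifcfg-lo and the alias path the post uses, bring the alias up with ifup or the rc.local ifconfig line, and run check_stunnel_conf against /etc/stunnel/stunnel.conf before restarting stunnel.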
 
Old 06-06-2004, 02:14 PM   #17
kntgtaid
LQ Newbie
 
Registered: Jul 2003
Distribution: Slackware 9.0
Posts: 17

Rep: Reputation: 0
delete this message moderator

Last edited by kntgtaid; 06-06-2004 at 08:00 PM.
 
Old 06-06-2004, 11:56 PM   #18
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Original Poster
Rep: Reputation: 58
It was a valid question..

We cannot delete posts.



If you have inetd instead of xinetd, the inetd.conf file uses one-line command strings to start the servers.

Code:
imaps stream tcp nowait root /usr/sbin/stunnel -v3 -l/usr/sbin/imapd
pop3s stream tcp nowait root /usr/sbin/stunnel -v3 -l/usr/sbin/ipop3d
smtps stream tcp nowait root /usr/sbin/stunnel -v3 -rlocalhost:25
 
Old 07-29-2004, 06:22 PM   #19
mongoose4
LQ Newbie
 
Registered: Jul 2004
Location: Provo, UT
Distribution: Red Hat 8/9
Posts: 2

Rep: Reputation: 0
client certs/myserver.pem?

When I run
# stunnel -l /etc/stunnel/myserver.conf
I get the error in my client's secure log file
"/usr/share/ssl/certs/stunnel.pem: No such file or directory (2)"
and stunnel is not running.

There is clearly a file /usr/share/ssl/certs/stunnel.pem on my server, but there is not one on my client.
The client one is in /usr/share/ssl/private/myserver.pem, like the HOWTO said. Should I put one in the other location?

Thanks,

Brad
 
Old 07-30-2004, 11:37 AM   #20
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Original Poster
Rep: Reputation: 58
Yes,

you need the files that you are trying to load from the config file on the machine.
 
Old 07-30-2004, 11:46 AM   #21
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Original Poster
Rep: Reputation: 58
Quote:
According to the Article, one should setup stunnel and ssl on the client, too, to connect to e.g. a secure smtp server.

Fortunately, it is not so. I tested the setup and found that the mail client of Mozilla 1.5 can perfectly use the smtps server even if you do not have stunnel on the client! In my case I had an https server with client-server authentication using stunnel on the server, and, based on that setup, it took me not more than a minute to set up the new smtps service.
Generally this is true; however, the way the server is set up in this example you would need a method of connecting via the client certificate. It seems that it is not used in your case. Therefore the system is open for connections without a certificate.

Some mail clients would use a certificate. To avoid differences in the way a client uses certificates, as well as in the types of certificates that would be needed, this method is used for all clients, even if they do not support certificates.

Last edited by DavidPhillips; 07-30-2004 at 11:50 AM.
 
  

