LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General > LinuxAnswers Discussion
User Name
Password
LinuxAnswers Discussion This forum is to discuss articles posted to LinuxAnswers.

Notices


Reply
  Search this Thread
Old 05-11-2004, 02:00 AM   #16
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Original Poster
Rep: Reputation: 58
The Linux Client and local MTA.


There are several ways to setup a Mail Delivery Agent (MDA) or Mail Transfer Agent (MTA) for your system.

Some Distros default setup may depend on an MTA like postfix running an smtp server for local mail delivery. If this is the case or if you want to be able to run mailservers on your machine and still use a mail client account as this howto does, your would not be able to use the default mailserver ports as the original document explains.

This was only mentioned in the document but I have decided to add this to assist someone wanting to use this other method.

You will be able to run all servers as usual on the machine and will only make changes to the secure client configuration, and email account settings on your email client software.

You will need an interface to use for the local connection, this should be setup using your distros method of configuring interfaces. Here is and example of using an ifup configure script, which seems to be popular on the major distros.

Copy your configure script for the loopback interface to the new interface configure script.

The location of the files vary from one distro to another but you should find them somewhere under /etc/sysconfig/

Code:
cp /etc/sysconfig/network-scripts/ifcfg-lo /etc/sysconfig/network-scripts/ifcfg-lo:1

Changes to this files contents would include the ip address and device name if it has one. Or any other options that contain lo would be changed to lo:1.

If you use the NAME= option then choose something other than localhost.

Code:
david@zeus:~> cat /etc/sysconfig/network/ifcfg-lo:1
# Loopback (lo:1) configuration
DEVICE=lo:1
IPADDR=127.0.0.2
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
STARTMODE=onboot
If you use this method everything should be ok at boot, the result is seen with ifconfig.


Code:
david@zeus:~> /sbin/ifconfig lo

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2258 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2258 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:146164 (142.7 Kb)  TX bytes:146164 (142.7 Kb)
 
david@zeus:~> /sbin/ifconfig lo:1

lo:1      Link encap:Local Loopback
          inet addr:127.0.0.2  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1


Note that the lo interface must be up for the lo:1 interface to be present for configuration.



If you use an rc.inet script or some other method to bring up the lo interface add the lo:1 interface to the configuration.

Another way is to use rc.local adding the ifconfig command at boot.

Code:
ifconfig lo:1 127.0.0.2


Now that the interface is setup the stunnel config file needs to be setup to make the local connection available on the lo:1 interface.


Code:
zeus:~ # cat /etc/stunnel/stunnel.conf
client = yes
debug = debug
cert = /etc/ssl/private/www.pem
[pop3s]
accept = 127.0.0.2:110
connect = mail.dcphillips.net:995
[imaps]
accept = 127.0.0.2:143
delay = yes
connect = mail.dcphillips.net:993
[smtps]
accept = 127.0.0.2:25
connect = mail.dcphillips.net:465
stunnel will need a restart to complete the changes.

Depending on your firewall settings you may need to add the new interface, although it's not likely that you would be firewalling the 127.0.0.0 network.

Now the servername on your email client software will need to be changed for the account so that the server is 127.0.0.2 instead of localhost or 127.0.0.1.

This example frees up the local pop3, imap, and smtp ports so you could use them for servers. You may only need to use one or more of the ports on your system. Setup your config file for your needs.


Enjoy!


Last edited by DavidPhillips; 05-31-2004 at 01:42 PM.
 
Old 06-06-2004, 03:14 PM   #17
kntgtaid
LQ Newbie
 
Registered: Jul 2003
Distribution: Slackware 9.0
Posts: 17

Rep: Reputation: 0
delete this message moderator

Last edited by kntgtaid; 06-06-2004 at 09:00 PM.
 
Old 06-07-2004, 12:56 AM   #18
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Original Poster
Rep: Reputation: 58
It was a valid question..

We cannot delete posts.



If you have inetd instead of xinetd the inetd.conf file uses one line command strings to start the servers.

Code:
imaps stream tcp nowait root /usr/sbin/stunnel -v3 -l/usr/sbin/imapd
pop3s stream tcp nowait root /usr/sbin/stunnel -v3 -l/usr/sbin/ipop3d
smtps stream tcp nowait root /usr/sbin/stunnel -v3 -rlocalhost:25
 
Old 07-29-2004, 07:22 PM   #19
mongoose4
LQ Newbie
 
Registered: Jul 2004
Location: Provo, UT
Distribution: Red Hat 8/9
Posts: 2

Rep: Reputation: 0
client certs/myserver.pem?

when I run
# stunnel -l /etc/stunnel/myserver.conf
I get the error in my client's secure log file
"/usr/share/ssl/certs/stunnel.pem: No such file or directory (2) "
and stunnel is not running

There is clearly a file /usr/share/ssl/certs/stunnel.pem on my server, but there is not one on my client.
The client one is in /usr/share/ssl/private/myserver.pem, like the HOWTO said. Should I put one in the other location?

Thanks,

Brad
 
Old 07-30-2004, 12:37 PM   #20
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Original Poster
Rep: Reputation: 58
Yes,

you need the files that you are trying to load from the config file on the machine.
 
Old 07-30-2004, 12:46 PM   #21
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Original Poster
Rep: Reputation: 58
Quote:
According to the Article, one should setup stunnel and ssl on the client, too, to connect to e.g. a secure smtp server.

Fortunately, it is not so. I tested the setup and found that the mail client of Mozilla 1.5 can perfecly use the smtps server even if you do not have stunnel on the client! In my case I had a https server with client-server authentication using stunnel on the server, and, based on that setup, it took me not more than a minute to setup the new, smtps service.
Generally this is true, however the way the server is setup in this example you would need a method of connecting via the client certificate. It seems that it is not used in your case. Therefore the system is open for connections without a certificate.

Some mail clients would use a certificate. To avoid differences in the way a client uses certificates, as well as the types of certificates that would be needed. This method is used for all clients, even if they do not support certificates.

Last edited by DavidPhillips; 07-30-2004 at 12:50 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
DISCUSSION: DHCP Server Howto SiegeX LinuxAnswers Discussion 30 12-10-2006 10:40 PM
Email Server for remote users, can it be secure? javiergt Linux - Software 2 02-04-2005 10:44 AM
Secure Mail Server Setup djkene70 Linux - Networking 3 10-14-2003 02:29 PM
relaying to email server depaul Linux - Software 3 07-18-2003 03:12 PM
Secure Web Server HowTo from SuSE mcleodnine Linux - Security 0 08-02-2001 10:41 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - General > LinuxAnswers Discussion

All times are GMT -5. The time now is 07:16 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration