Stunnel

From Indie IT Wiki

Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. Its architecture is optimized for security, portability, and scalability (including load-balancing), making it suitable for large deployments.

The following example is for a Gentoo installation.

Generate Keys

su - root
cd
mkdir stunnel-keys
cd stunnel-keys
openssl genrsa -des3 -out sec-email-co.skey 1024
openssl rsa -in sec-email-co.skey -out sec-email-co.key
openssl req -new -key sec-email-co.key -out mydomain.csr

Send Off Keys For Approval

Email a copy of mydomain.csr (the Certificate Signing Request) to the secure email company that uses stunnel.

Install Software

emerge stunnel

Configure Software

cd /etc/stunnel/
cp -av stunnel.conf stunnel.conf.dist
> stunnel.conf
nano stunnel.conf

#####################################################################
#
# sec-email-co Stunnel configuration file
#
#####################################################################
# Global options (apply to every service section below)
pid = /var/run/stunnel/stunnel.pid
# CA certificate used to check the peer, plus this host's own certificate and key
CAfile = /etc/stunnel/certs/ca.crt
cert = /etc/stunnel/certs/sec-email-co.pem
key = /etc/stunnel/certs/sec-email-co.key
# verify level: 1 checks the peer certificate only if one is presented, 2 requires it
verify = 1
service = stunnel
output = /var/log/sec-email-co_stunnel.log
# debug = 7 is the most verbose log level; lower it once the tunnel is working
debug = 7
# Client mode: the local mail server delivers to 127.0.100.1:25 and stunnel
# negotiates STARTTLS (protocol = smtp) with the secure email company's server
[cjsm-outbound]
accept = 127.0.100.1:25
client = yes
connect = smtp.sec-email-co.net:25
protocol = smtp
sslVersion = TLSv1
# Server mode: accept TLS from the secure email company on the external address
# and hand the decrypted session to the local sendmail
[cjsm-inbound]
client = no
accept = 10.0.0.2:4545
connect = 192.168.0.200:25
protocol = smtp
##########################################################
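As an added example (not from the original page or the stunnel project), a small Python linter for the stunnel.conf format above: it parses the global options and the [service] sections and reports the settings a reviewer would want to revisit, namely a verify level below 2 on a client = yes service, a missing CAfile/CApath, an obsolete pinned sslVersion, and debug = 7. The sample configuration embedded in it is constructed from the file above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the global options and outbound service from the
# configuration above, embedded here so the check runs without /etc/stunnel.
SAMPLE_CONF = """
CAfile = /etc/stunnel/certs/ca.crt
cert = /etc/stunnel/certs/sec-email-co.pem
key = /etc/stunnel/certs/sec-email-co.key
verify = 1
debug = 7
[cjsm-outbound]
accept = 127.0.100.1:25
client = yes
connect = smtp.sec-email-co.net:25
protocol = smtp
sslVersion = TLSv1
"""

def parse_stunnel_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split stunnel.conf into global options and per-service sections.
    Options before the first [section] are global; '#' or ';' lines are comments."""
    global_opts: Dict[str, str] = {}
    services: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1).strip(), {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return global_opts, services

def lint_stunnel_conf(text: str) -> List[str]:
    """Return one finding per setting that weakens or over-exposes the tunnel."""
    global_opts, services = parse_stunnel_conf(text)
    findings: List[str] = []
    for name, svc in services.items():
        opts = {**global_opts, **svc}  # a service option overrides the global one
        if opts.get("client", "no").lower() == "yes":
            if int(opts.get("verify", "0")) < 2:
                findings.append(f"{name}: verify = {opts.get('verify', '0')} does not require "
                                "the remote certificate to chain to CAfile; use verify = 2")
            if "CAfile" not in opts and "CApath" not in opts:
                findings.append(f"{name}: no CAfile/CApath, so the peer certificate cannot be checked")
        if opts.get("sslVersion") in {"SSLv2", "SSLv3", "TLSv1"}:
            findings.append(f"{name}: sslVersion = {opts['sslVersion']} pins an obsolete protocol version")
    if int(global_opts.get("debug", "5")) >= 7:  # stunnel's default level is 5
        findings.append("global: debug = 7 logs every connection detail; lower it after testing")
    return findings
```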

Copy Keys To Software

mkdir /etc/stunnel/certs
cp -av /root/stunnel-keys/sec-email-co* /etc/stunnel/certs/
cp -av /root/stunnel-keys/mydomain.csr /etc/stunnel/certs/

Copy the secure email company's Certificate Authority certificate (they will send it to you after receiving your CSR) to the same directory

cp -av /root/stunnel-keys/CA /etc/stunnel/certs/ca.crt

Create Log File

touch /var/log/sec-email-co_stunnel.log
chown stunnel /var/log/sec-email-co_stunnel.log
chgrp stunnel /var/log/sec-email-co_stunnel.log

Add Software To Startup

rc-update add stunnel default

Start The Stunnel Software

/etc/init.d/stunnel start

Check Software Running

netstat -ntap |grep 25

tcp        0      0 127.0.100.1:25          0.0.0.0:*               LISTEN      8949/stunnel        
tcp        0      0 192.168.0.200:25        0.0.0.0:*               LISTEN      6646/sendmail: acce 
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      6646/sendmail: acce 
ping 127.0.100.1

PING 127.0.100.1 (127.0.100.1) 56(84) bytes of data.
64 bytes from 127.0.100.1: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 127.0.100.1: icmp_seq=2 ttl=64 time=0.051 ms
64 bytes from 127.0.100.1: icmp_seq=3 ttl=64 time=0.054 ms
telnet 127.0.100.1 25

Trying 127.0.100.1...
Connected to 127.0.100.1.
Escape character is '^]'.
220 smtp.secure-email-co.net (2) ESMTP
EHLO test
250-smtp.secure-email-co.net Hello test [123.456.789]
250-SIZE 15728640
250-DSN
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
mail from:<test@mydomain.com>
250 OK
rcpt to:<richard@secure-email-co.theirdomain.net>
250 Accepted
data 
354 Enter message, ending with "." on a line by itself
hello richard
.
250 OK id=1OBTXx-0007o7-9f
^]
telnet> quit
Connection closed.
tail /var/log/sec-email-co_stunnel.log

2010.11.11 16:10:23 LOG6[8949:1073809744]: SSL connected: new session negotiated
2010.11.11 16:10:23 LOG6[8949:1073809744]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2010.11.11 16:10:31 LOG7[8949:1073809744]: Socket closed on read
2010.11.11 16:10:31 LOG7[8949:1073809744]: SSL write shutdown
2010.11.11 16:10:31 LOG7[8949:1073809744]: SSL alert (write): warning: close notify
2010.11.11 16:10:31 LOG6[8949:1073809744]: SSL socket closed on SSL_shutdown
2010.11.11 16:10:31 LOG7[8949:1073809744]: Socket write shutdown
2010.11.11 16:10:31 LOG5[8949:1073809744]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2010.11.11 16:10:31 LOG7[8949:1073809744]: secure-email-co-outbound finished (0 left)