Stunnel

From Indie IT Wiki
Jump to: navigation, search

Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. Its architecture is optimized for security, portability, and scalability (including load-balancing), making it suitable for large deployments.

The following example is for a Gentoo installation.

Generate Keys

su - root
cd
mkdir stunnel-keys
cd stunnel-keys
openssl genrsa -des3 -out sec-email-co.skey 1024
openssl rsa -in sec-email-co.skey -out sec-email-co.key
openssl req -new -key sec-email-co.key -out mydomain.csr

Send Off Keys For Approval

Email secure email company using stunnel copy of mydomain.csr (Certificate Signing Request)

Install Software

emerge stunnel

Configure Software

cd /etc/stunnel/
cp -av stunnel.conf stunnel.conf.dist
> stunnel.conf
nano stunnel.conf

#####################################################################
#
# sec-email-co Stunnel configuration file
#
#####################################################################
pid = /var/run/stunnel/stunnel.pid
CAfile = /etc/stunnel/certs/ca.crt
cert = /etc/stunnel/certs/sec-email-co.pem
key = /etc/stunnel/certs/sec-email-co.key
verify = 1
service = stunnel
output = /var/log/sec-email-co_stunnel.log
debug = 7
[cjsm-outbound]
accept = 127.0.100.1:25
client = yes
connect = smtp.sec-email-co.net:25
protocol = smtp
sslVersion = TLSv1
[cjsm-inbound]
client = no
accept = 10.0.0.2:4545
connect = 192.168.0.200:25
protocol = smtp
##########################################################

Copy Keys To Software

mkdir /etc/stunnel/certs
cp -av /root/stunnel-keys/sec-email-co* /etc/stunnel/certs/
cp -av /root/stunnel-keys/mydomain.csr /etc/stunnel/certs/

Copy Secure Email Company Certificate Authority Key (you will have been sent this after sending yours first) to same directory

cp -av /root/stunnel-keys/CA /etc/stunnel/certs/ca.crt

Create Log File

touch /var/log/secure-email-co_stunnel.log
chown stunnel /var/log/secure-email-co_stunnel.log
chgrp stunnel /var/log/secure-email-co_stunnel.log

Add Software To Startup

rc-update add stunnel default

Start The Stunnel Software

/etc/init.d/stunnel start

Check Software Running

netstat -ntap |grep 25

tcp        0      0 127.0.100.1:25          0.0.0.0:*               LISTEN      8949/stunnel        
tcp        0      0 192.168.0.200:25        0.0.0.0:*               LISTEN      6646/sendmail: acce 
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      6646/sendmail: acce 
ping 127.0.100.1

PING 127.0.100.1 (127.0.100.1) 56(84) bytes of data.
64 bytes from 127.0.100.1: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 127.0.100.1: icmp_seq=2 ttl=64 time=0.051 ms
64 bytes from 127.0.100.1: icmp_seq=3 ttl=64 time=0.054 ms
telnet 127.0.100.1 25

Trying 127.0.100.1...
Connected to 127.0.100.1.
Escape character is '^]'.
220 smtp.secure-email-co.net (2) ESMTP
EHLO test
250-smtp.secure-email-co.net Hello test [123.456.789]
250-SIZE 15728640
250-DSN
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
mail from:<test@mydomain.com>
250 OK
rcpt to:<richard@secure-email-co.theirdomain.net>
250 Accepted
data 
354 Enter message, ending with "." on a line by itself
hello richard
.
250 OK id=1OBTXx-0007o7-9f
^]
telnet> quit
Connection closed.
tail /var/log/stunnel.log

2010.11.11 16:10:23 LOG6[8949:1073809744]: SSL connected: new session negotiated
2010.11.11 16:10:23 LOG6[8949:1073809744]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2010.11.11 16:10:31 LOG7[8949:1073809744]: Socket closed on read
2010.11.11 16:10:31 LOG7[8949:1073809744]: SSL write shutdown
2010.11.11 16:10:31 LOG7[8949:1073809744]: SSL alert (write): warning: close notify
2010.11.11 16:10:31 LOG6[8949:1073809744]: SSL socket closed on SSL_shutdown
2010.11.11 16:10:31 LOG7[8949:1073809744]: Socket write shutdown
2010.11.11 16:10:31 LOG5[8949:1073809744]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2010.11.11 16:10:31 LOG7[8949:1073809744]: secure-email-co-outbound finished (0 left)