Stunnel
From Indie IT Wiki
Revision as of 14:57, 20 September 2015 by imported>Indieit
Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. Its architecture is optimized for security, portability, and scalability (including load-balancing), making it suitable for large deployments.
The following example is for a Gentoo installation.
Generate Keys
su - root
cd
mkdir stunnel-keys
cd stunnel-keys
# 1024-bit RSA is too weak for a key generated today; use at least 2048 bits
openssl genrsa -des3 -out sec-email-co.skey 2048
# strip the passphrase so stunnel can load the key unattended; the resulting .key is stored in the clear, so keep both files root-only
openssl rsa -in sec-email-co.skey -out sec-email-co.key
chmod 600 sec-email-co.skey sec-email-co.key
openssl req -new -key sec-email-co.key -out mydomain.csr
Send Off CSR For Approval
Email a copy of mydomain.csr (the Certificate Signing Request) to the secure email company that runs the stunnel endpoint. Only the CSR goes out; the private key (sec-email-co.key) never leaves this server.
Install Software
emerge stunnel
Configure Software
cd /etc/stunnel/
cp -av stunnel.conf stunnel.conf.dist
> stunnel.conf
nano stunnel.conf

#####################################################################
#
# sec-email-co Stunnel configuration file
#
#####################################################################

pid = /var/run/stunnel/stunnel.pid
CAfile = /etc/stunnel/certs/ca.crt
cert = /etc/stunnel/certs/sec-email-co.pem
key = /etc/stunnel/certs/sec-email-co.key
# verify = 1 is documented as "verify peer certificate if present"; verify = 2
# requires a certificate that chains to CAfile. Raise it to 2 once ca.crt is
# in place, otherwise the tunnel is encrypted but the remote end is not
# authenticated. stunnel 5.x can also pin the expected name with checkHost.
verify = 1
service = stunnel
# must match the log file created in the "Create Log File" step below
output = /var/log/sec-email-co_stunnel.log
# 7 is the most verbose level; useful while testing, lower it (e.g. 5) afterwards
debug = 7

# outbound: local sendmail delivers plaintext to 127.0.100.1:25, stunnel issues
# STARTTLS (protocol = smtp) and carries the session over TLS to the company
[cjsm-outbound]
accept = 127.0.100.1:25
client = yes
connect = smtp.sec-email-co.net:25
protocol = smtp
# pins the tunnel to TLS 1.0; on a current stunnel/OpenSSL use TLSv1.2 or drop
# the line and let both ends negotiate the highest common version
sslVersion = TLSv1

# inbound: the company connects to 10.0.0.2:4545, negotiates TLS via STARTTLS,
# and stunnel relays the decrypted SMTP session to sendmail on 192.168.0.200:25
[cjsm-inbound]
client = no
accept = 10.0.0.2:4545
connect = 192.168.0.200:25
protocol = smtp

##########################################################
Copy Keys To Software
mkdir /etc/stunnel/certs
# save the signed certificate the company returns as /root/stunnel-keys/sec-email-co.pem first:
# the glob copies it together with the .skey and .key, and stunnel.conf expects it as cert = /etc/stunnel/certs/sec-email-co.pem
cp -av /root/stunnel-keys/sec-email-co* /etc/stunnel/certs/
cp -av /root/stunnel-keys/mydomain.csr /etc/stunnel/certs/
chmod 600 /etc/stunnel/certs/sec-email-co.key /etc/stunnel/certs/sec-email-co.skey
Copy the secure email company's Certificate Authority certificate (they send it after receiving your CSR) to the same directory. This is the CAfile stunnel uses to check the certificate the remote server presents.
cp -av /root/stunnel-keys/CA /etc/stunnel/certs/ca.crt
# confirm it is the CA certificate you expect and that it has not expired
openssl x509 -in /etc/stunnel/certs/ca.crt -noout -subject -issuer -dates
Create Log File
The file name must match the output = line in stunnel.conf.
touch /var/log/sec-email-co_stunnel.log
chown stunnel /var/log/sec-email-co_stunnel.log
chgrp stunnel /var/log/sec-email-co_stunnel.log
Add Software To Startup
rc-update add stunnel default
Start The Stunnel Software
/etc/init.d/stunnel start
Check Software Running
netstat -ntap | grep 25
tcp        0      0 127.0.100.1:25          0.0.0.0:*               LISTEN      8949/stunnel
tcp        0      0 192.168.0.200:25        0.0.0.0:*               LISTEN      6646/sendmail: acce
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      6646/sendmail: acce
ping 127.0.100.1
PING 127.0.100.1 (127.0.100.1) 56(84) bytes of data.
64 bytes from 127.0.100.1: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 127.0.100.1: icmp_seq=2 ttl=64 time=0.051 ms
64 bytes from 127.0.100.1: icmp_seq=3 ttl=64 time=0.054 ms
telnet 127.0.100.1 25
Trying 127.0.100.1...
Connected to 127.0.100.1.
Escape character is '^]'.
220 smtp.secure-email-co.net (2) ESMTP
EHLO test
250-smtp.secure-email-co.net Hello test [123.456.789]
250-SIZE 15728640
250-DSN
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
mail from:<test@mydomain.com>
250 OK
rcpt to:<richard@secure-email-co.theirdomain.net>
250 Accepted
data
354 Enter message, ending with "." on a line by itself
hello richard
.
250 OK id=1OBTXx-0007o7-9f
^]
telnet> quit
Connection closed.
The banner and replies come from the company's server through the tunnel. The telnet leg itself is plaintext SMTP on loopback, which is why the outbound service must stay bound to 127.0.100.1 and never to a routable address.
tail /var/log/sec-email-co_stunnel.log
2010.11.11 16:10:23 LOG6[8949:1073809744]: SSL connected: new session negotiated
2010.11.11 16:10:23 LOG6[8949:1073809744]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2010.11.11 16:10:31 LOG7[8949:1073809744]: Socket closed on read
2010.11.11 16:10:31 LOG7[8949:1073809744]: SSL write shutdown
2010.11.11 16:10:31 LOG7[8949:1073809744]: SSL alert (write): warning: close notify
2010.11.11 16:10:31 LOG6[8949:1073809744]: SSL socket closed on SSL_shutdown
2010.11.11 16:10:31 LOG7[8949:1073809744]: Socket write shutdown
2010.11.11 16:10:31 LOG5[8949:1073809744]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2010.11.11 16:10:31 LOG7[8949:1073809744]: secure-email-co-outbound finished (0 left)
The "SSL connected: new session negotiated" line confirms that the tunnel to the company completed a TLS handshake. The SSLv3 in the "Negotiated ciphers" line is part of OpenSSL's cipher-suite description (the protocol version in which the AES256-SHA suite was defined), not the protocol version of this connection; with sslVersion = TLSv1 in the config the session is TLS 1.0. Kx=RSA means the session has no forward secrecy and Mac=SHA1 marks a legacy suite; both are what was negotiated with the remote server.
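As an added example (not from the original page or the stunnel project), here is a small Python script that reads lines in the stunnel 4.x log format shown above, groups them per connection by the [pid:tid] tag, and flags sessions that negotiated an RSA key exchange (no forward secrecy) or a SHA1 MAC, or that completed a handshake without relaying any application data. The sample log is constructed: the first connection copies the lines from the tail output above, the second connection (thread id ending in 745) is made up to show a modern suite, and the last line is junk to show that non-matching lines are skipped.

```python
"""Audit stunnel 4.x log output for weak or empty TLS sessions (added example)."""
import re

# One record per line: "YYYY.MM.DD HH:MM:SS LOG<level>[<pid>:<tid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)

# stunnel logs OpenSSL's cipher description: "<suite> <origin> Kx=.. Au=.. Enc=.. Mac=..".
# <origin> (e.g. SSLv3) is the protocol version the suite was defined in, not the
# version negotiated for this connection, so it is recorded but never flagged.
CIPHER_RE = re.compile(r"Negotiated ciphers: (?P<name>\S+) (?P<origin>\S+) (?P<fields>.*)$")

CLOSED_RE = re.compile(
    r"Connection closed: (?P<to_ssl>\d+) bytes sent to SSL, (?P<to_sock>\d+) bytes sent to socket"
)

# Constructed sample log: first connection copied from this page, second made up, last line junk.
SAMPLE_LOG = """\
2010.11.11 16:10:23 LOG6[8949:1073809744]: SSL connected: new session negotiated
2010.11.11 16:10:23 LOG6[8949:1073809744]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2010.11.11 16:10:31 LOG7[8949:1073809744]: Socket closed on read
2010.11.11 16:10:31 LOG5[8949:1073809744]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2010.11.11 16:12:02 LOG6[8949:1073809745]: SSL connected: new session negotiated
2010.11.11 16:12:02 LOG6[8949:1073809745]: Negotiated ciphers: ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
2010.11.11 16:12:09 LOG5[8949:1073809745]: Connection closed: 734 bytes sent to SSL, 411 bytes sent to socket
not a stunnel line at all
"""


def parse_lines(lines):
    """Yield a dict per well-formed stunnel log line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize_connections(lines):
    """Group records by pid:tid (stunnel 4.x uses one thread per connection)."""
    conns = {}
    for rec in parse_lines(lines):
        key = rec["pid"] + ":" + rec["tid"]
        conn = conns.setdefault(key, {
            "cipher": None, "origin": None, "kx": None, "mac": None,
            "bytes_to_ssl": None, "bytes_to_socket": None,
        })
        msg = rec["msg"]
        cm = CIPHER_RE.search(msg)
        if cm:
            conn["cipher"] = cm.group("name")
            conn["origin"] = cm.group("origin")
            # "Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1" -> {"Kx": "RSA", ...}
            fields = dict(f.split("=", 1) for f in cm.group("fields").split() if "=" in f)
            conn["kx"] = fields.get("Kx")
            conn["mac"] = fields.get("Mac")
        xm = CLOSED_RE.search(msg)
        if xm:
            conn["bytes_to_ssl"] = int(xm.group("to_ssl"))
            conn["bytes_to_socket"] = int(xm.group("to_sock"))
    return conns


def audit_connection(conn):
    """Return the list of findings for one connection (empty list means nothing to flag)."""
    if conn["cipher"] is None:
        return ["no TLS session negotiated"]
    findings = []
    if conn["kx"] == "RSA":
        findings.append("RSA key exchange: no forward secrecy")
    if conn["mac"] == "SHA1":
        findings.append("SHA1 MAC: legacy cipher suite")
    if conn["bytes_to_ssl"] == 0 and conn["bytes_to_socket"] == 0:
        findings.append("TLS session set up but no application data relayed")
    return findings


def audit_log(lines):
    """Map every connection id in the log to its findings."""
    return {key: audit_connection(conn) for key, conn in summarize_connections(lines).items()}


if __name__ == "__main__":
    for key, findings in audit_log(SAMPLE_LOG.splitlines()).items():
        print(key, findings or ["ok"])
```

Run it against the real file with `python3 audit.py < /var/log/sec-email-co_stunnel.log` after swapping SAMPLE_LOG for `sys.stdin`; the page's own connection is flagged on all three counts, the constructed ECDHE one on none.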