|XMail Forum > Documentation and Knowledge Base > Xmail And Ssl|
|Posted by: atomant Mar 18 2003, 07:01 PM|
Is there someone who has configured xmail with stunnel? I would like to do it, but I don't understand from the docs how to do this. Can anyone tell me how to do this, step by step?
|Posted by: hschneider Mar 19 2003, 12:10 AM|
| Prepare the SSL-Certificate:
Download and unzip openssl
Create a certificate:
bin\openssl.exe req -new -x509 -nodes -out stunnel.pem -keyout stunnel.pem -days 365 -config openssl.cnf
Adapt the number of days until the certificate expires to your needs.
When you are asked for (YOUR name), enter ip_or_name_of_xmail_server
Copy stunnel.pem to your stunnel folder
Download and unzip stunnel to your stunnel folder
copy ssl/bin/*.dll from openssl to your stunnel folder
Create a file named stunnel.conf with the following content:
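; global options
client = no
debug = 7
options = DONT_INSERT_EMPTY_FRAGMENTS
; each tunnel needs its own [section]; the section names are free-form labels
[pop3s]
accept = 995
connect = 127.0.0.1:110
delay = no
[ssmtp]
accept = 8025
connect = your_xmail_server_ip_or_name:25
delay = no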
Close the standard POP3 port for the rest of the world by binding it to 127.0.0.1.
Use parameter -PI for that (see Xmail manual).
Make sure that you allow 127.0.0.0 in your pop.ipmap.tab
Standard SMTP has to stay open, in order to talk to other SMTPs in the world.
But your LAN clients can use SSL-secured SMTP, if they want.
Restart XMail Service
Prepare the Client:
In Outlook check 'Use SSL...' with POP3 and optionally with SMTP connections
Use port 995 for secure POP and 8025 for secure SMTP
stunnel.exe -install
if you want stunnel to run as a system service.
-- Please let me know if you managed to get it running or if I've overlooked something ... :-)
|Posted by: atomant Mar 19 2003, 07:10 AM|
| Just a remark... I am using Xmail under Linux!? Does this change things a lot?
Do I need to install stunnel on the client side too, or is it enough to enable SSL support in their email client?
|Posted by: hschneider Mar 19 2003, 07:37 AM|
| Certificate generation and setup should be the same.
Copying the .dlls will not be necessary.
If your client is Outlook only, then you don't need stunnel on client side. If you do other sorts of communication with secure SMTP or POP, you might need it.
|Posted by: atomant Mar 19 2003, 08:24 AM|
|So to start stunnel it is enough to run just ./stunnel, right? Is it still possible to use non-SSL POP3?|
|Posted by: hschneider Mar 19 2003, 09:17 AM|
| ... when you have created the certificates and the .conf file.
You can still use the standard services, if you do not bind them to 127.0.0.1 in XMail. The stunnel.conf then has to be
accept = 995
connect = your_xmail_server_ip_or_name:110
delay = no
Would be nice to see a Linux howto here, when things run on your machine .. :-)
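Added example, not part of the thread or of anyone's post: a small Python check for a stunnel.conf laid out as in hschneider's two posts above. It reports accept lines that sit outside any service section and tunnels whose connect target is not a loopback address. The section names and the 192.0.2.10 address in the sample are constructed placeholders.

```python
import ipaddress

# Constructed sample: the two tunnels from the posts above. The section names
# and the 192.0.2.10 backend address are placeholders assumed for this example.
SAMPLE = """\
[pop3s]
accept = 995
connect = 127.0.0.1:110
[ssmtp]
accept = 8025
connect = 192.0.2.10:25
"""

def parse(text):
    """Split a stunnel.conf into global options and per-service options."""
    glob, services, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), [])
            continue
        key, _, value = line.partition("=")
        (glob if current is None else current).append((key.strip().lower(), value.strip()))
    return glob, services

def is_loopback(target):
    """True when a connect target is a bare port, localhost or a loopback IP."""
    host = target.rpartition(":")[0].strip("[]")
    if host in ("", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False      # a host name cannot be shown to be local from the file

def lint(text):
    """Return findings about service separation and where the plaintext leg goes."""
    glob, services = parse(text)
    findings = []
    stray = sum(1 for key, _ in glob if key == "accept")
    if stray > 1:
        findings.append(f"{stray} accept lines outside any [section]")
    for name, opts in services.items():
        keys = dict(opts)
        if "connect" in keys and not is_loopback(keys["connect"]):
            findings.append(f"[{name}] plaintext backend {keys['connect']} is not loopback")
    return findings
```

Call `lint()` with the text of your own stunnel.conf. A finding for the SMTP tunnel is expected in the setup described above, because standard SMTP stays open; a finding for the POP3 tunnel means the plain POP3 service is still listening on a non-local address.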
|Posted by: atomant Mar 19 2003, 11:14 AM|
| OK, I got it working. So a Linux howto:
- get the source at www.stunnel.org, compile it and install it:
When you run "make install" you will be prompted to create a certificate, which you should do.
- create a /usr/local/etc/stunnel/stunnel.conf file with the following:
- make Xmail listen on 127.0.0.1:110 and 127.0.0.1:25 and restart the xmail service
- set up your firewall (if you have one) to allow access to those ports you have specified in stunnel.conf
- make changes in Outlook or Netscape or whatever to use SSL
- try to connect to your mailbox
If you have a problem check the /usr/local/etc/stunnel/stunnel.log file.
|Posted by: hschneider Mar 19 2003, 11:16 AM|
| Thank U !
Looks much easier than on NT ... ;-)
|Posted by: PetePagoda Apr 15 2003, 12:10 AM|
| For Linux Users:
You must make stunnel start before Xmail when booting or Xmail will not work properly after rebooting with stunnel starting first.
|Posted by: PetePagoda Apr 15 2003, 01:48 AM|
|Speaking of which, what's a good way to get a nice solid stunnel PID running before you start XMail?|
|Posted by: atomant Apr 15 2003, 12:24 PM|
|I have Xmail starting before stunnel and I don't have any problems with Xmail. I am running RH8.|
|Posted by: smago Apr 24 2003, 10:04 AM|
| Do you know if we can start 2 POP services at the same time? 1 for SSL connections and 1 for normal?
|Posted by: hschneider Apr 24 2003, 10:11 AM|
| Bind the POP service to 127.0.0.1:110 and your_external_ip:110. The one with 127.* is used for tunneling, the other one is a normal POP.
|Posted by: hschneider Apr 24 2003, 07:55 PM|
|Thanks for the contrib!|
|Posted by: cmyk Nov 15 2003, 04:07 PM|
| For Mandrake 9.2 I found these differences:
create the certificate (path to openssl.cnf has to be specified as follows):