XMail Forum > Documentation and Knowledge Base > Xmail And Ssl


Posted by: atomant Mar 18 2003, 07:01 PM
Hi!

Is there someone who has configured XMail with stunnel? I would like to do it but I don't understand from the docs how to do this. Can anyone tell me how to do this - step by step?

Posted by: hschneider Mar 19 2003, 12:10 AM
Prepare the SSL-Certificate:
Download and unzip openssl
Create a certificate:
bin\openssl.exe req -new -x509 -nodes -out stunnel.pem -keyout stunnel.pem -days 365 -config openssl.cnf
Adapt the number of days until the certificate expires to your needs.
When you are asked for (YOUR name), enter ip_or_name_of_xmail_server
Copy stunnel.pem to your stunnel folder

Prepare Stunnel:
Download and unzip stunnel to your stunnel folder
copy ssl/bin/*.dll from openssl to your stunnel folder
Create a file named stunnel.conf with the following content:
--<cut here>--
client = no
debug = 7
options = DONT_INSERT_EMPTY_FRAGMENTS

[POP3]
accept = 995
connect = 127.0.0.1:110
delay = no

[SMTP]
accept = 8025
connect = your_xmail_server_ip_or_name:25
delay = no
--<cut here>--
Start stunnel.exe

Prepare XMail:
Close the standard POP3 port for the rest of the world by binding it to 127.0.0.1.
Use parameter -PI for that (see Xmail manual).
Make sure that you allow 127.0.0.0 in your pop.ipmap.tab
Standard SMTP has to stay open, in order to talk to other SMTPs in the world.
But your LAN clients can use SSL-secured SMTP, if they want.
Restart XMail Service

Prepare the Client:
In Outlook check 'Use SSL...' with POP3 and optional with SMTP connections
Use port 995 for secure POP and 8025 for secure SMTP

Have fun!

Use
stunnel.exe -install
if you want stunnel to run as a system service.

-- Please let me know if you managed to get it to run or if I've overseen something ... :-)

Posted by: atomant Mar 19 2003, 07:10 AM
Just a remark... I am using XMail under Linux!? Does this change things a lot?
Do I need to install stunnel on the client side too or is it enough to enable ssl support in their email client ?

Posted by: hschneider Mar 19 2003, 07:37 AM
Certificate generation and setup should be the same.
Copying the .dlls will not be necessary.
If your client is Outlook only, then you don't need stunnel on client side. If you do other sorts of communication with secure SMTP or POP, you might need it.


Posted by: atomant Mar 19 2003, 08:24 AM
So to start stunnel it is enough to just run ./stunnel, right? Is it possible to still be able to use non-SSL POP3?

Posted by: hschneider Mar 19 2003, 09:17 AM
... when you have created the certificates and the .conf file.
You can still use the standard services, if you do not bind them to 127.0.0.1 in XMail. The stunnel.conf then has to be

[POP3]
accept = 995
connect = your_xmail_server_ip_or_name:110
delay = no

for POP3.


Would be nice to see a Linux howto here, when things run on your machine .. :-)

Posted by: atomant Mar 19 2003, 11:14 AM
OK, I got it working. So a Linux howto:

-get a source at www.stunnel.org and compile it and install:
CODE

$ ./configure
$ make
$ make install

When you run "make install" you will be prompted to create a certificate, which you should do.

-create a /usr/local/etc/stunnel/stunnel.conf file with the following:
CODE

cert = /usr/local/etc/stunnel/stunnel.pem
pid = /tmp/stunnel.pid
setuid = nobody
setgid = nobody

options = DONT_INSERT_EMPTY_FRAGMENTS

debug = 7
output = stunnel.log

client = no


[POP3]
accept  = 995                         #standard pop3ssl port  
connect = 127.0.0.1:110
delay = no

[SMTP]
accept  = 8025                        #port of your choice
connect = 127.0.0.1:25
delay = no


-make Xmail to listen to 127.0.0.1:110 and 127.0.0.1:25 and restart xmail service

-setup your firewall (if you have one) to allow access to those ports you have specified in stunnel.conf

-run /usr/local/sbin/stunnel

-make changes in Outlook or Netscape or whatever to use SSL

-try to connect to your mailbox

If you have a problem check the /usr/local/etc/stunnel/stunnel.log file.

Have fun.

Posted by: hschneider Mar 19 2003, 11:16 AM
Thank U !
Looks much easier than on NT ... ;-)


Posted by: PetePagoda Apr 15 2003, 12:10 AM
For Linux Users:

You must make stunnel start before Xmail when booting or Xmail will not work properly after rebooting with stunnel starting first.

Thanks,
Pete

Posted by: PetePagoda Apr 15 2003, 01:48 AM
Speaking of which, what's a good way to get a nice solid stunnel PID running before you start XMail?

Posted by: atomant Apr 15 2003, 12:24 PM
I have Xmail starting before stunnel and I don't have any problems with Xmail. I am running RH8.

Posted by: smago Apr 24 2003, 10:04 AM
Do you know if we can start 2 POPs at the same time? 1 for SSL connections and 1 for normal ones?

Posted by: hschneider Apr 24 2003, 10:11 AM
Bind the POP service to 127.0.0.1:110 and your_external_ip:110. The one with 127.* is used for tunneling, the other one is a normal POP.

QUOTE

        -PI ip[:port]
                Bind server to the specified ip address and (optional) port
                (can be multiple).
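
The two layouts in this thread (atomant's Linux howto, where XMail listens only on 127.0.0.1, and hschneider's dual binding via -PI) share one rule: the unencrypted POP3/SMTP hop between stunnel and XMail should only be reachable on loopback unless you deliberately keep a plain service open. The following checker is an added example, not code from the thread or from the XMail or stunnel projects. It parses stunnel.conf and compares each connect target with a constructed list of XMail bind addresses (the ip[:port] pairs you would pass with -PI and -SI); the sample configuration is the Linux stunnel.conf from the howto, and the hostname/port values in the usage calls are assumptions.

```python
"""Checker for the loopback-only stunnel/XMail layout described in this thread.
Added example; not the thread's own code and not part of XMail or stunnel."""
import re

LOOPBACK = {"127.0.0.1", "localhost"}

# Constructed sample: the Linux stunnel.conf posted in the howto above.
SAMPLE_CONF = """\
cert = /usr/local/etc/stunnel/stunnel.pem
pid = /tmp/stunnel.pid
setuid = nobody
setgid = nobody
options = DONT_INSERT_EMPTY_FRAGMENTS
client = no

[POP3]
accept  = 995                         #standard pop3ssl port
connect = 127.0.0.1:110
delay = no

[SMTP]
accept  = 8025                        #port of your choice
connect = 127.0.0.1:25
delay = no
"""


def parse_stunnel_conf(text):
    """Parse stunnel's INI-like syntax: 'key = value' lines before the first
    [section] are global options, each [section] is one tunnelled service,
    and '#' starts a comment.  Returns (global_options, {service: options})."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).strip()
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed stunnel.conf line: {raw!r}")
        target = global_opts if current is None else services[current]
        target[key.strip().lower()] = value.strip()
    return global_opts, services


def split_host_port(value, default_host):
    """stunnel accepts either 'port' or 'host:port' for accept/connect."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return default_host, int(value)
    return host.strip(), int(port)


def audit(conf_text, xmail_binds):
    """xmail_binds: (ip, port) pairs XMail listens on (constructed input); use
    ("0.0.0.0", port) for a service you did not restrict with -PI/-SI.
    Returns {'errors': [...], 'exposed': [...]}.  Errors break the tunnel;
    'exposed' lists plaintext hops reachable off loopback, which is fine only
    when intended (e.g. public SMTP on port 25, or a deliberate plain POP)."""
    global_opts, services = parse_stunnel_conf(conf_text)
    binds = {(ip, int(port)) for ip, port in xmail_binds}
    errors, exposed, tunnelled_ports = [], [], set()

    def has_listener(host, port):
        if ("0.0.0.0", port) in binds or (host, port) in binds:
            return True
        return host in LOOPBACK and any(ip in LOOPBACK and p == port for ip, p in binds)

    if global_opts.get("client", "no").lower() != "no":
        errors.append("global: 'client = no' is required for a server-side tunnel")
    for name, svc in services.items():
        if "accept" not in svc or "connect" not in svc:
            errors.append(f"[{name}]: needs both 'accept' and 'connect'")
            continue
        host, port = split_host_port(svc["connect"], "127.0.0.1")
        tunnelled_ports.add(port)
        if host not in LOOPBACK:
            exposed.append(f"[{name}]: decrypted traffic is forwarded to {host}:{port}, not to loopback")
        if not has_listener(host, port):
            errors.append(f"[{name}]: XMail has no listener on {host}:{port}")
    # A plaintext listener for a tunnelled port on a non-loopback address bypasses the tunnel.
    for ip, port in sorted(binds):
        if port in tunnelled_ports and ip not in LOOPBACK:
            exposed.append(f"xmail: plaintext port {port} is also bound on {ip}")
    return {"errors": errors, "exposed": exposed}


if __name__ == "__main__":
    # Howto layout: XMail bound with -PI 127.0.0.1:110 and -SI 127.0.0.1:25 -> clean.
    print(audit(SAMPLE_CONF, [("127.0.0.1", 110), ("127.0.0.1", 25)]))
    # Same stunnel.conf but XMail left on all interfaces -> plaintext POP3 still reachable.
    print(audit(SAMPLE_CONF, [("0.0.0.0", 110), ("0.0.0.0", 25)]))
```

Running it with XMail on all interfaces reports both plaintext ports under 'exposed'; with the -PI loopback binding from the howto both lists are empty, and leaving out the POP3 bind entirely produces an error, which is the symptom you would otherwise only see in stunnel.log as a failed connect.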

Posted by: hschneider Apr 24 2003, 07:55 PM
Thanks for the contrib!

Posted by: cmyk Nov 15 2003, 04:07 PM
For Mandrake 9.2 I found these differences:

create the certificate (path to openssl.cnf has to be specified as follows):
CODE
openssl req -new -x509 -nodes -out stunnel.pem -keyout stunnel.pem -days 365 -config /usr/lib/ssl/openssl.cnf
