stunnel: SSL-to-SSL? (for smtp/imap)
Solution 1:
I am not familiar with the specifics of 10.10, but I am going to assume that it is pretty close to Debian.
One thing you could do is basically set up two separate stunnel configurations: one that accepts SSL and forwards it to a local port, and another that listens on that local port and then makes SSL connections to the external host. These two can be bound to the loopback interface only, so unencrypted data will not cross the network. Just keep in mind that you are basically performing a MITM attack against yourself. I used a setup like this while I was helping diagnose some issues with a web service a guy was developing.
The packaged version of stunnel in Debian/Ubuntu should make this easy. The startup scripts will basically start an instance of stunnel for every configuration file (*.conf) found in /etc/stunnel4. So you can put the two separate configurations in /etc/stunnel4, generate your keys, restart stunnel and it should work.
So here is the first config that accepts the SSL
```ini
; /etc/stunnel/ssl_in.conf
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/srv1.keys
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /srv1.pid
debug = 4
output = /var/log/stunnel4/ssl_in.log
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[ssl_in_imap]
accept = 993
connect = localhost:10993
[ssl_in_smtp]
accept = 587
connect = localhost:10587
```
Your second instance, which creates the outgoing connections:
```ini
; /etc/stunnel/ssl_out.conf
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /clt1.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client=yes
CAfile = clt1.ca
; verify = 0 requests the remote certificate but does not check it;
; stunnel only verifies the peer against CAfile at verify = 2 or higher
verify = 0
[ssl_out_imap]
accept = 10993
connect = remote_server:993
[ssl_out_smtp]
accept = 10587
; the remote server's SMTP port; 10587 is only the local hop between the two instances
connect = remote_server:587
```
To generate the filename.keys for the server.
```sh
# Create a new key and prepare a CSR
openssl req -new -keyout filename.pem -out filename.csr
# Remove the passphrase from the key
openssl rsa -in filename.pem -out filename.key
# Self sign
openssl x509 -in filename.csr -out filename.cert -req -signkey filename.key -days 720
# combine files to get the keys file stunnel needs.
cat filename.key filename.cert > filename.keys
```
Your file will look like this:
```text
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDkwzyKrPRXGyvEgITm/7oC9fDU4Y7L9mtMXmcIR98cp0g1ndcz
...
qhP3y97k67EVdSC+92pIGrAL7kBWckpJ2HP1El4KeZg=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICHzCCAYgCCQDq/33qh7Dq5TANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJV
...
ebbhvhYLx1KkhD8/dXEbU0+kNg==
-----END CERTIFICATE-----
```
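The two-instance setup above has two properties worth checking before deploying it: the outbound instance runs with `verify = 0`, so the remote server's certificate is never checked, and a bare `accept = 10993` listens on every interface rather than only on the loopback the answer intends. The following linter, an added example and not the answerer's code or part of stunnel, parses stunnel's INI-style config and reports both conditions; the embedded `SSL_IN`/`SSL_OUT` strings are a constructed, trimmed copy of the configs above.

```python
import re

# Constructed sample: the essential lines of the ssl_in / ssl_out configs from the answer.
SSL_IN = "cert = /etc/stunnel/srv1.keys\n[ssl_in_imap]\naccept = 993\nconnect = localhost:10993\n"
SSL_OUT = "client=yes\nCAfile = clt1.ca\nverify = 0\n[ssl_out_imap]\naccept = 10993\nconnect = remote_server:993\n"

def parse_stunnel(text):
    """Parse stunnel's INI-style config: globals before the first [section], ';' comments,
    case-insensitive keys, repeated keys (e.g. socket=) kept as lists."""
    globals_, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        key, _, value = line.partition("=")
        (globals_ if current is None else current).setdefault(key.strip().lower(), []).append(value.strip())
    return globals_, sections

def loopback_port(connect_value):
    """Return the port if a connect= target points at the loopback, else None."""
    host, _, port = connect_value.rpartition(":")
    return port if host in ("localhost", "127.0.0.1", "::1") and port.isdigit() else None

def lint(configs):
    """Lint a set of cooperating stunnel configs; returns a list of finding strings."""
    parsed = [parse_stunnel(c) for c in configs]
    # Ports that another instance feeds over loopback should only listen on loopback.
    internal = {p for _, secs in parsed for o in secs.values()
                for c in o.get("connect", []) if (p := loopback_port(c))}
    findings = []
    for glob, secs in parsed:
        for name, opts in secs.items():
            eff = {**glob, **opts}  # section options override globals
            client = eff.get("client", ["no"])[-1].lower() == "yes"
            verify = int(eff.get("verify", ["-1"])[-1])  # -1: option absent (= no verification)
            if client and verify < 2:  # stunnel verifies the peer only at level 2 or 3
                findings.append(f"{name}: outbound TLS without peer verification (verify={verify if verify >= 0 else 'unset'})")
            for a in opts.get("accept", []):
                if a.isdigit() and a in internal:  # bare port = all interfaces
                    findings.append(f"{name}: accept={a} listens on all interfaces; use accept = 127.0.0.1:{a}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint([SSL_IN, SSL_OUT])))
```

Run against the real files with `lint([open(p).read() for p in ("/etc/stunnel/ssl_in.conf", "/etc/stunnel/ssl_out.conf")])`; an empty list means both checks pass.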