stunnel: SSL-to-SSL? (for smtp/imap)

ssl ubuntu linux-networking ubuntu-10.10 stunnel

Solution 1:

I am not familiar with the specifics of 10.10, but I am going to assume that it is pretty close to Debian.

One thing you could do, is basically setup to separate stunnel configurations. On that accepts SSL, and forwards it to a local port, and another that listens on that local port, and then makes SSL connections to the external host. These two can be bound to the loopback interface only so unencrypted data will not cross the network. Just keep in mind that you are basically performing a MITM attack against yourself. I used a setup like this while I was helping diagnose some issues with a web service a guy was developing.

The packaged version of stunnel in Debian/Ubuntu should make this easy. The startup scripts will basically start an instance of stunnel for every configuration file (*.conf) found in /etc/stunnel4. So you can put the two separate configurations in /etc/stunnel4, generate your keys, restart stunnel and it should work.

So here is the first config that accepts the SSL

; /etc/stunnel/ssl_in.conf
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/srv1.keys

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4

; PID is created inside chroot jail
pid = /srv1.pid

debug = 4
output = /var/log/stunnel4/ssl_in.log

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[ssl_in_imap]
accept  = 993
connect = localhost:10993

[ssl_in_smtp]
accept  = 587
connect = localhost:10587

Your second instance that creates outgoing connections.

; /etc/stunnel/ssl_out.conf
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4

; PID is created inside chroot jail
pid = /clt1.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

client=yes
CAfile = clt1.ca
verify = 0


[ssl_out_imap]
accept  = 10993
connect = remote_server:993

[ssl_out_smtp]
accept  = 10587
connect = remote_server:10587

To generate the filename.keys for the server.

# Create a new key and preparte a CSR 
openssl req -new -keyout filename.pem -out filename.csr
# Remove the passphrase from the key
openssl rsa -in filename.pem -out filename.key
# Self sign
openssl x509 -in filename.csr -out filename.cert -req -signkey filename.key -days 720
# combine files to get the keys file stunnel needs.
cat filename.key filename.cert > filename.keys

Your file will look like this.

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDkwzyKrPRXGyvEgITm/7oC9fDU4Y7L9mtMXmcIR98cp0g1ndcz
...
qhP3y97k67EVdSC+92pIGrAL7kBWckpJ2HP1El4KeZg=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICHzCCAYgCCQDq/33qh7Dq5TANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJV
...
ebbhvhYLx1KkhD8/dXEbU0+kNg==
-----END CERTIFICATE-----

Related

Combine several physical servers into 1 virtual server
Change reception in postfix queue
MySQL is running VERY slow on CentOS 6x (not 5x)
Perform an unattended install of Windows Server 2008?
Hidden features of Oracle Database
Is there a static, server-side vulnerability/virus/malware/BadThings™ scanner?
Setting up disk quota on ubuntu for multiple users
Postfix/Dovecot - Multiple Domains and Multiple Linux Accounts
SBS 2011 - Is Store.exe High Memory Usage Normal?
fsck root filesystem on a remote machine
How to show that $\sum_{k=1}^n k(n+1-k)=\binom{n+2}3$?
No maximum(minimum) of rationals whose square is lesser(greater) than $2$. [duplicate]