Scalix + STunnel + IMaps + Xinetd

bpasdar
Posts: 19
Joined: Sat Sep 30, 2006 8:12 am

Scalix + STunnel + IMaps + Xinetd

Post by bpasdar » Sun Oct 01, 2006 10:07 am

Hello,

I am evaluating Scalix as a replacement for our organization's groupware solution. For the most part I am impressed with its polish, though I have a question.

I am trying to get an IMAPS type service up on the box. Frankly I am a little surprised that this feature is not built-in. Be that as it may, it is my understanding that I can use standard stunnel to accept connections on port 993 and redirect them to port 143 on localhost.

It is also my understanding that I don't have to do anything different on clients, such as configuring stunnel on the client (kmail, evolution), and they will continue to use standard ssl/tls capabilities without me having to touch them.

Are these assumptions correct?

If so, here is my config:

System:
CentOS 2.6.9-42.0.2.EL


STunnel:
stunnel 4.05 on i686-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003

Global options
cert = /etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
debug = 5
key = /etc/stunnel/stunnel.pem
pid = /var/run/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
session = 300 seconds
verify = none


stunnel: imaps.conf:
client=no
key = /etc/stunnel/concerto.key
cert = /etc/stunnel/concerto.crt
setuid = nobody
setgid = nogroup

###Tried Option 1
[imaps]
accept = 993
connect = 143

###Tried Option 2
# [imaps]
# accept = 993
# connect = 127.0.0.1:143


Xinetd.d/imaps:
# default: off
# allows crc checksumming etc.
service imaps
{
port = 993
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/stunnel
server_args = /etc/stunnel/imaps.conf
log_on_failure += USERID
}


What I end up getting is a variety of connection errors when using the following two test connect parameters:

Test #1 for SSL v3:
openssl s_client -ssl3 -connect 192.168.1.10:993


Test #2 for SSL v2:
openssl s_client -ssl2 -connect 192.168.1.10:993


I keep getting errors such as the following:

8471:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:286:

CONNECTED(00000003)
7729:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:286:

CONNECTED(00000003)
7727:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:429:

CONNECTED(00000003)
write:errno=104

CONNECTED(00000003)
7006:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:286:

etc.....

I get these errors when I try various modifications in the config. My concern is that I am not generating a proper key / cert for this. A test with kmail showed that IMAP works, however when I switched to SSL it could not connect.

Any suggestions or references are appreciated.

Sincerely,

Babak
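
Added example, not from any post in this thread: a small POSIX shell lint for the two files posted above. The point it checks is the split between the xinetd entry and the stunnel config. When xinetd owns port 993 and launches /usr/sbin/stunnel for each connection, stunnel runs in inetd mode and must not carry an accept line; with one present it tries to bind a port xinetd already holds, and the client then sees resets or non-TLS bytes, which openssl s_client reports as "wrong version number" or write:errno=104. It also checks that connect points at loopback, because stunnel forwards the decrypted IMAP session in plaintext. The function names, script name and the sample files in the usage line are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): lint a stunnel 4 service config
# against the xinetd entry that launches it.
#
# In inetd mode (xinetd listens and hands stunnel the socket on stdin/stdout)
# the stunnel config must have no "accept" line. In daemon mode (no xinetd)
# it needs both "accept" and "connect". Either way "connect" should be the
# loopback address, since what stunnel forwards there is plaintext IMAP.

# conf_get FILE KEY: print the value of the first uncommented "KEY = value"
conf_get() {
    awk -v k="$2" -F= '
        $1 ~ ("^[ \t]*" k "[ \t]*$") {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }' "$1"
}

# lint_stunnel STUNNEL_CONF [XINETD_FILE]
# Prints one line per finding; the return value is the number of findings.
lint_stunnel() {
    conf=$1
    xfile=${2:-}
    problems=0
    accept=$(conf_get "$conf" accept)
    connect=$(conf_get "$conf" connect)

    if [ -z "$connect" ]; then
        echo "$conf: no connect line; stunnel has nowhere to forward the decrypted session"
        problems=$((problems + 1))
    else
        # anything but loopback puts decrypted logins back on the wire
        case "$connect" in
            *:*)
                case "$connect" in
                    127.0.0.1:*|localhost:*) ;;
                    *) echo "$conf: connect = $connect forwards plaintext IMAP off the box"
                       problems=$((problems + 1)) ;;
                esac ;;
        esac
    fi

    if [ -n "$xfile" ] && [ -f "$xfile" ]; then
        xport=$(conf_get "$xfile" port)
        if [ -n "$accept" ]; then
            echo "$conf: accept = $accept while xinetd already listens on port ${xport:-?}; remove accept (inetd mode)"
            problems=$((problems + 1))
        fi
    elif [ -z "$accept" ]; then
        echo "$conf: daemon mode (no xinetd entry) but no accept line; nothing will listen"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage (paths are placeholders):
#   sh stunnel-lint.sh /etc/stunnel/imaps.conf /etc/xinetd.d/imaps   # inetd mode
#   sh stunnel-lint.sh /etc/stunnel/stunnel.conf                      # daemon mode
if [ $# -ge 1 ]; then
    lint_stunnel "$@"
fi
```

The exit status is the number of findings, so the script drops straight into a pre-start check in an init script or a config-management handler.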

dkelly
Scalix
Posts: 593
Joined: Thu Mar 18, 2004 2:03 pm

Post by dkelly » Sun Oct 01, 2006 7:13 pm


bpasdar
Posts: 19
Joined: Sat Sep 30, 2006 8:12 am

Stunnel Make pem does not work

Post by bpasdar » Mon Oct 02, 2006 7:53 am

Dave,

Thank you for the response. This is the response I get.

# make /etc/stunnel/stunnel.pem
make: *** No rule to make target `/etc/stunnel/stunnel.pem'. Stop.


Babak

dkelly
Scalix
Posts: 593
Joined: Thu Mar 18, 2004 2:03 pm

Post by dkelly » Mon Oct 02, 2006 10:19 am

This looks like you didn't change directory to /usr/share/ssl/certs

Cheers

Dave

ianare
Posts: 61
Joined: Tue Sep 19, 2006 1:13 pm

Post by ianare » Mon Oct 02, 2006 4:54 pm

I was having problems creating a certificate in fedora 4.

Check this out:

http://www.linuxforums.org/forum/redhat-fedora-linux-help/65260-cannot-start-stunnel.html

bpasdar
Posts: 19
Joined: Sat Sep 30, 2006 8:12 am

Post by bpasdar » Mon Oct 02, 2006 5:15 pm

Hello Dave,

I had something corrupted with my stunnel. I removed and re-installed and this time it worked! Here are some notes for future reference:

1. Install stunnel via rpm, deb or source.

2. Create a cert
cd /usr/share/ssl/certs
make /etc/stunnel/stunnel.pem


3. Configure your stunnel.conf file

# Sample stunnel configuration file for POP3/IMAP

## Debugging options
## The foreground option forces the process to operate in the foreground and breaks your startup script
#foreground = yes
# debug = 7
output = /var/log/stunnel.log

# Provide the full path to your certificate-key pair file
cert = /etc/stunnel/stunnel.pem

## Chroot stunnel
chroot = /var/run/stunnel/
# and create the PID file in this jail
pid = /stunnel.pid

# Change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody

# Configure our secured POP3 and IMAP services

[pop3s]
accept = 995
connect = 110

[imaps]
accept = 993
connect = 143


4. Add startup script

#!/bin/bash
#
# stunnel      This shell script takes care of starting and stopping
#              stunnel
#
# chkconfig: 345 80 30
# description: Secure tunnel
#
# processname: stunnel
# config: /etc/stunnel/stunnel.conf
# pidfile: /var/run/stunnel/stunnel.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source stunnel configuration.
if [ -f /etc/sysconfig/stunnel ] ; then
    . /etc/sysconfig/stunnel
fi

RETVAL=0
prog="stunnel"

start() {
    # Start daemons.
    echo -n $"Starting $prog: "
    if test -x /usr/sbin/stunnel ; then
        /usr/sbin/stunnel
    fi
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/stunnel
    return $RETVAL
}

stop() {
    # Stop daemons.
    echo -n $"Shutting down $prog: "
    killproc stunnel
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/stunnel
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        RETVAL=$?
        ;;
    condrestart)
        if [ -f /var/lock/subsys/stunnel ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
    status)
        # report on the stunnel process itself
        status stunnel
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac

exit $RETVAL



Here is a decent reference site: http://linuxgazette.net/107/odonovan.html

BTW - I do not understand why people are using stunnel with sendmail for port 25. Why not integrate TLS with sendmail so that it allows for STARTTLS option when a sender has connected. I plan on implementing that next.

Thanks all for the help.

Babak

ianare
Posts: 61
Joined: Tue Sep 19, 2006 1:13 pm

Post by ianare » Tue Oct 03, 2006 12:39 am

Dave,

The directory /usr/share/ssl/certs does not exist on my fedora core 4 system. This is why I had to use the command:

openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

This command should work on any system that has ssl installed. Would you consider altering the wiki to reflect this? Or is there a similar way of doing it under fedora?
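
Added example, not from any post in this thread: a portable way to produce the combined key-plus-certificate file that both the Red Hat make target in step 2 of the notes above and the openssl req one-liner in this post create, followed by the checks worth running before pointing cert = /etc/stunnel/stunnel.pem at it (both PEM blocks present, file readable only by its owner, private key matching the certificate, certificate not about to expire). The function names, the script name and the directory and host-name arguments are placeholders; the only dependencies are openssl and POSIX sh.

```shell
#!/bin/sh
# Added example (not code from the thread): build and verify the
# key+certificate PEM file stunnel reads via "cert = ...".

# make_stunnel_pem DIR CN: write DIR/stunnel.pem holding a fresh private
# key followed by a one-year self-signed certificate for host name CN.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_stunnel_pem() (
    dir=$1
    cn=$2
    umask 077   # key material must never be group- or world-readable
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$cn" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # key first, then certificate: the layout the make target produces
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/stunnel.pem"
    rm -f "$dir/key.pem" "$dir/cert.pem"
    chmod 600 "$dir/stunnel.pem"
)

# check_stunnel_pem FILE: return 0 only if FILE holds a private key and a
# certificate that belong together, is readable by its owner alone, and
# stays valid for at least 30 more days. Prints the reason on failure.
check_stunnel_pem() {
    f=$1
    grep -q 'BEGIN.*PRIVATE KEY' "$f" || { echo "$f: no private key block"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$f"  || { echo "$f: no certificate block"; return 1; }
    # columns 5-10 of ls -l are the group and other permission bits
    perms=$(ls -l "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: permissions too open, expected 0600 or 0400"; return 1; }
    # a key that does not match the certificate makes the TLS handshake fail
    k=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "$f: private key does not match certificate"; return 1; }
    openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null \
        || { echo "$f: certificate expires within 30 days"; return 1; }
    openssl x509 -in "$f" -noout -subject -enddate
}

# Usage (placeholder directory and host name):
#   sh stunnel-pem.sh /etc/stunnel mail.example.com
if [ $# -eq 2 ]; then
    make_stunnel_pem "$1" "$2" && check_stunnel_pem "$1/stunnel.pem"
fi
```

check_stunnel_pem on its own is the useful half for an existing deployment: run it from cron against the live file and the first thing it catches is the expiry that otherwise turns into a flood of client certificate warnings.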

