[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: openssl stunnel
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: openssl stunnel
- From: Smith <smith_(_at_)_confuciun_(_dot_)_com>
- Date: Mon, 04 Apr 2005 16:39:36 -0700
Read this at your own risk. Please critique it. This is rough notes,
which means I haven't found time to clean it up, but I plan to one day.
This only requires two programs (not including dependencies): dovecot
(for imaps) and sasl (for authentication). Sasl might not be needed if
you only plan on users inside your network to send mail, but you will
need it if you want your roaming clients to send mail.
see also http://www.dorkzilla.org/~dlg/sendmail/ as this is where I got most of the information plus from other sources like the man pages for openssl.
Also note that if you enable OpenBSD's spamd, you will have to have your email client connect to port 587 to send mail.
certificates stored in /etc/mail/certs
mkdir /etc/mail/certs (if needed)
openssl dsaparam 1024 -out dsa1024.pem
openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \
-out /etc/mail/certs/mycert.pem -keyout /etc/mail/certs/mykey.pem
ln -s /etc/mail/certs/mycert.pem /etc/mail/certs/CAcert.pem
chmod -R go-rwx /etc/mail/certs
echo WANT_SMTPAUTH= yes >> /etc/mk.conf
ln -s libsasl2.so.2.11 libsasl2.so
after the FEATURE(`no_default_msa') line, add:
define(`confAUTH_MECHANISMS',`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
after the ``divert(0)dnl'' line).
make clean obj depend && make && make install
cp cf/cf/obj/openbsd-proto.cf /etc/mail/sendmail.cf
echo pwcheck_method: saslauthd > /usr/local/lib/sasl2/Sendmail.conf
add users with /usr/local/sbin/saslpasswd2 username
? saslpasswd2 may complain about kerberos, it may be helpful to
? # touch /etc/kerberosIV/srvtab
? to silence some of the warnings
/usr/local/sbin/saslauthd -a getpwent
add the following to /etc/rc.local
if [ -x /usr/local/sbin/saslauthd ]; then
echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a getpwent
kill `head -n1 /var/run/sendmail.pid`
vi /etc/dovecot.conf #to suit your needs.
protocols = imaps
#imap_listen = *
#pop3_listen = *
imaps_listen = *
ssl_cert_file = /etc/ssl/dovecotcert.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
vi /etc/ssl/dovecot-openssl.cnf (Edit this accordingly!)
if [ -x /usr/local/sbin/dovecot ]; then
echo -n ' dovecot'; /usr/local/sbin/dovecot
crontab -e -u root
0 * * * * /usr/libexec/spamd-setup
table <spamd> persist
table <spamd-white> persist
rdr pass on $ext_if proto tcp from <spamd> to port smtp \
-> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
-> 127.0.0.1 port spamd
pass in on $ext_if proto tcp to ($ext_if) port smtp keep state
pass in on $ext_if proto tcp to ($ext_if) port submission keep state
pass in on $ext_if proto tcp to ($ext_if) port imaps keep state
sendmail_flags="-L sm-mta -bd -q30m"
Didier Wiroth wrote:
(openbsd and security novice)
I have setup one of my first servers,
The server will be used as a mail server, it is running openbsd3.7 with sendmail. I have some security concerns which I would like to resolve
a) My mail server is in a networkX
b) My clients use mainly windows workstations and are from different subnets from different internet providers.
Here are my main goals:
1) users should use encrypted and authenticated smtp connections to be able to relay mail to other domains
2) I would like to use a popa3d server "with" strong encryption (perhaps ssl tunneling with stunnel).
To be honest I'm not familiar with certificates, nor with certificate authorities (CA).
Can someone point me to some good doc/howto... which might help me to resolve my configuration needs?
If you have a good link about how to create my own "certificate authority" on openbsd, it is also welcome!!!
If possible I would like to keep popa3d and sendmail from the openbsd standard install.
many thanks for the help
Visit your host, monkey.org