Re: openssl stunnel
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: openssl stunnel
- From: Smith <smith_(_at_)_confuciun_(_dot_)_com>
- Date: Mon, 04 Apr 2005 16:39:36 -0700
Read this at your own risk. Please critique it. These are rough notes,
which means I haven't found time to clean them up, but I plan to one day.
This only requires two programs (not including dependencies): dovecot
(for imaps) and SASL (for authentication). SASL might not be needed if
you only plan on users inside your network sending mail, but you will
need it if you want your roaming clients to send mail.
See also http://www.dorkzilla.org/~dlg/sendmail/, as this is where I got most of the information, plus other sources like the man pages for openssl.
Also note that if you enable OpenBSD's spamd, you will have to have your email client connect to port 587 to send mail.
====begin====
certificates stored in /etc/mail/certs
mkdir /etc/mail/certs (if needed)
openssl dsaparam -out dsa1024.pem 1024
openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \
-out /etc/mail/certs/mycert.pem -keyout /etc/mail/certs/mykey.pem
ln -s /etc/mail/certs/mycert.pem /etc/mail/certs/CAcert.pem
rm dsa1024.pem
chmod -R go-rwx /etc/mail/certs
cd /usr/ports/security/cyrus-sasl2
make install
echo WANT_SMTPAUTH= yes >> /etc/mk.conf
cd /usr/local/lib
ln -s libsasl2.so.2.11 libsasl2.so
cd /usr/src/gnu/usr.sbin/sendmail
vi cf/cf/openbsd-proto.mc
after the FEATURE(`no_default_msa') line, add:
LOCAL_DOMAIN(`fqdn.of.machine.org')
LOCAL_DOMAIN(`domain.org')
define(`confAUTH_MECHANISMS',`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnl
define(`confAUTH_OPTIONS',`p,y')dnl
after the ``divert(0)dnl'' line, add:
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/CAcert.pem')
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')
make clean obj depend && make && make install
cp cf/cf/obj/openbsd-proto.cf /etc/mail/sendmail.cf
echo pwcheck_method: saslauthd > /usr/local/lib/sasl2/Sendmail.conf
add users with /usr/local/sbin/saslpasswd2 username
? saslpasswd2 may complain about Kerberos; it may be helpful to
? # touch /etc/kerberosIV/srvtab
? to silence some of the warnings
mkdir /var/sasl2
/usr/local/sbin/saslauthd -a getpwent
add the following to /etc/rc.local
if [ -x /usr/local/sbin/saslauthd ]; then
echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a getpwent
fi
kill `head -n1 /var/run/sendmail.pid`
. /etc/rc.conf
/usr/sbin/sendmail $sendmail_flags
cd /usr/ports/mail/dovecot
make install
vi /etc/dovecot.conf #to suit your needs.
protocols = imaps
#imap_listen = *
#pop3_listen = *
#imaps_listen =
#pop3s_listen =
imaps_listen = *
ssl_cert_file = /etc/ssl/dovecotcert.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
vi /etc/ssl/dovecot-openssl.cnf (Edit this accordingly!)
C=US
ST=CA
L=mycity
O=mycompany
OU=IMAP server
CN=myfullyqualifieddomainname.com
emailAddress=somebody_(_at_)_mydomainname_(_dot_)_com
/usr/local/sbin/dovecot-mkcert.sh
vi /etc/rc.local:
if [ -x /usr/local/sbin/dovecot ]; then
echo -n ' dovecot'; /usr/local/sbin/dovecot
fi
crontab -e -u root
0 * * * * /usr/libexec/spamd-setup
vi /etc/pf.conf
table <spamd> persist
table <spamd-white> persist
rdr pass on $ext_if proto tcp from <spamd> to port smtp \
-> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
-> 127.0.0.1 port spamd
pass in on $ext_if proto tcp to ($ext_if) port smtp keep state
pass in on $ext_if proto tcp to ($ext_if) port submission keep state
pass in on $ext_if proto tcp to ($ext_if) port imaps keep state
vi /etc/rc.conf.local
sendmail_flags="-L sm-mta -bd -q30m"
spamd_flags=""
spamd_grey=YES
pf=YES
Didier Wiroth wrote:
hi,
(openbsd and security novice)
I have set up one of my first servers.
The server will be used as a mail server; it is running OpenBSD 3.7 with sendmail. I have some security concerns which I would like to resolve:
a) My mail server is in a network X
b) My clients use mainly Windows workstations and are from different subnets from different internet providers.
Here are my main goals:
1) users should use encrypted and authenticated SMTP connections to be able to relay mail to other domains
2) I would like to use a popa3d server "with" strong encryption (perhaps ssl tunneling with stunnel).
To be honest I'm not familiar with certificates, nor with certificate authorities (CA).
Can someone point me to some good doc/howto... which might help me to resolve my configuration needs?
If you have a good link about how to create my own "certificate authority" on openbsd, it is also welcome!!!
If possible I would like to keep popa3d and sendmail from the openbsd standard install.
many thanks for the help
didier
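As an added example (not part of Smith's notes or the original thread), the following Python checks whether a submission server's EHLO banner matches what the notes' `define(`confAUTH_OPTIONS',`p,y')' is meant to enforce: STARTTLS is offered, and the plaintext mechanisms PLAIN and LOGIN are withheld until the session is encrypted. The hostnames, the sample EHLO replies and the probe() helper are constructed for illustration; the CAcert.pem path is the one the notes create.

```python
"""Check an SMTP submission banner against the policy the notes configure:
with confAUTH_OPTIONS `p', sendmail must not advertise PLAIN or LOGIN until
after STARTTLS. Added example, not code from the original post."""
import smtplib
import ssl

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # sniffable on an unencrypted session

def parse_ehlo(lines):
    """Map EHLO keywords to parameter lists, skipping the greeting line."""
    features = {}
    for line in lines[1:]:  # line 0 is '250-host Hello ..., pleased to meet you'
        if line.startswith("250") and len(line) > 4:
            keyword, _, params = line[4:].strip().partition(" ")
            features[keyword.upper()] = params.split()
    return features

def audit(features, encrypted):
    """Return findings for one EHLO; an empty list means the banner is as intended."""
    findings = []
    mechs = {m.upper() for m in features.get("AUTH", [])}
    if not encrypted:
        if "STARTTLS" not in features:
            findings.append("STARTTLS not offered")
        leaked = sorted(mechs & PLAINTEXT_MECHS)
        if leaked:
            findings.append("plaintext AUTH offered before TLS: " + " ".join(leaked))
    elif not mechs:
        findings.append("no AUTH offered after STARTTLS")
    return findings

def probe(host, port=587, cafile="/etc/mail/certs/CAcert.pem"):
    """Live check (needs a reachable server): EHLO before and after STARTTLS.
    cafile defaults to the self-signed cert the notes create; None = system CAs."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = audit({k.upper(): v.split() for k, v in smtp.esmtp_features.items()}, False)
        smtp.starttls(context=ctx)
        smtp.ehlo()  # features are re-announced on the encrypted session
        after = audit({k.upper(): v.split() for k, v in smtp.esmtp_features.items()}, True)
    return before, after

# Constructed EHLO replies in sendmail's format, for offline use (not real servers).
GREETING = "250-mail.example.org Hello client [192.0.2.10], pleased to meet you"
GOOD_CLEAR = [GREETING, "250-STARTTLS", "250-AUTH CRAM-MD5 DIGEST-MD5", "250 HELP"]
BAD_CLEAR = [GREETING, "250-STARTTLS", "250-AUTH PLAIN LOGIN CRAM-MD5", "250 HELP"]
GOOD_TLS = [GREETING, "250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5", "250 HELP"]
```

Run `audit(parse_ehlo(reply), encrypted)` on a captured banner, or `probe("mail.example.org")` against a live host, to confirm that the `p' option is actually in effect on port 587.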