a little HSPHERE with POP3 SSL, IMAP SSL, SMTP SSL and SFTP tutorial
01-23-03, 12:33
hans (Registered User, Join: Apr 2002, Posts: 864)
OK, if anybody cares, I have investigated a while to get customer connections secured in case they ask, and I use it for my own stuff. (This is all collected from smart people that wrote those tutorials, I only made it a little more specific to HSPHERE.)

My goal was NOT to make any changes to HSPHERE and the depending RPMs itself! So, no recompilation of anything necessary. The following stuff I tested on my Red Hat 7.2 server with HSPHERE 2.3 RC3.

POP3, IMAP, SMTP over SSL (supported for example by Outlook Express):

- install the stunnel rpm (probably already installed).
- open on your firewall the incoming ports 995, 993, 465
- cd /usr/share/ssl/certs
- make stunnel.pem (of course you can use a REAL cert if you like)
- start the tunnels:

    /usr/sbin/stunnel -d 995 -p /usr/share/ssl/certs/stunnel.pem -r mailserverip:pop3
    /usr/sbin/stunnel -d 993 -p /usr/share/ssl/certs/stunnel.pem -r mailserverip:imap
    /usr/sbin/stunnel -d 465 -p /usr/share/ssl/certs/stunnel.pem -r mailserverip:smtp

IMPORTANT: Check if /hsphere/local/var/vpopmail/etc/tcp.smtp contains your mail server's primary IP address. If yes, remove the line and run:

    /hsphere/shared/bin/tcprules /hsphere/local/var/vpopmail/etc/tcp.smtp.cdb /hsphere/local/var/vpopmail/etc/tcp.smtp.tmp < /hsphere/local/var/vpopmail/etc/tcp.smtp

SFTP:

- get the newest openssh rpms (clients and server also); the ones for Red Hat 7.3 work fine on 7.2. (If you don't get those you will get in trouble for security reasons, Red Hat 7.x still uses a patched 3.1 ssh and for what we are doing next that's NOT good enough!!)
- Next, get the newest rssh version at: http://rssh.sourceforge.net/
- untar, configure, make, make install
- configure PermitUserEnvironment in your sshd_config to no
- now, for users that want SFTP access, you simply change the shell in /etc/passwd to /usr/local/bin/sftpsh

Now tell them to use Filezilla, and you are all secure
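An added example to go with the SFTP part of the post above (it is not hans's code, nor part of rssh or OpenSSH): a small Python checker for the two settings the SFTP steps depend on. It reads an sshd_config the way sshd_config(5) describes the format (blank lines and lines starting with '#' are comments, keywords are case-insensitive, both `Key value` and `Key=value` are accepted, the first obtained value for a keyword wins, and anything after a `Match` line applies only to connections that block matches) and reports whether PermitUserEnvironment is off everywhere. That matters for a restricted shell because sshd_config(5) warns that environment processing from a user's ~/.ssh/environment can bypass access restrictions through mechanisms such as LD_PRELOAD. It also lists the accounts whose login shell is the restricted shell. The sshd_config and passwd excerpts are constructed samples; the shell path /usr/local/bin/sftpsh is the one the post uses.

```python
"""Check the sshd side of the rssh / SFTP-only setup described above.  Added
example, not part of the post, rssh or OpenSSH.  It reads sshd_config the way
sshd_config(5) describes it: blank lines and lines starting with '#' are
comments, keywords are case-insensitive, 'Key value' and 'Key=value' are both
accepted, the first obtained value for a keyword wins, and anything after a
Match line applies only to connections matching that block."""
import re
from typing import List, Optional, Tuple

# Constructed sample files, not taken from a real server.
SAMPLE_SSHD_CONFIG = """\
# sshd_config
Port 22
Protocol 2
# PermitUserEnvironment yes
PermitUserEnvironment no
PermitUserEnvironment yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User deploy
    PermitUserEnvironment yes
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/usr/local/bin/sftpsh
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/usr/local/bin/sftpsh
"""

# The shell path the post assigns to SFTP-only users.
RESTRICTED_SHELL = "/usr/local/bin/sftpsh"

_KEYVAL = re.compile(r"\s*=\s*|\s+")   # splits 'Key value' or 'Key=value'


def scan_sshd_config(config_text: str, keyword: str) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Return (global value or None, [(Match criteria, value), ...]) for keyword."""
    want = keyword.lower()
    global_value = None
    in_match = None                     # criteria of the Match block we are in
    overrides = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _KEYVAL.split(line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = value
            continue
        if key != want:
            continue
        if in_match is None:
            if global_value is None:    # first obtained value wins
                global_value = value
        else:
            overrides.append((in_match, value))
    return global_value, overrides


def rssh_safe(config_text: str) -> bool:
    """True when PermitUserEnvironment is off globally and no Match block turns
    it on.  sshd's compiled-in default is 'no', so an absent keyword is fine.
    Anything other than 'no' (including a variable whitelist) lets a user's
    ~/.ssh/environment reach the restricted shell, which sshd_config(5) warns
    can bypass restrictions via mechanisms such as LD_PRELOAD."""
    global_value, overrides = scan_sshd_config(config_text, "PermitUserEnvironment")
    if global_value is not None and global_value.lower() != "no":
        return False
    return all(value.lower() == "no" for _, value in overrides)


def sftp_only_users(passwd_text: str, shell: str = RESTRICTED_SHELL) -> List[str]:
    """Accounts in passwd_text whose login shell is the restricted shell."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] == shell:
            users.append(fields[0])
    return users


if __name__ == "__main__":
    print("global PermitUserEnvironment / Match overrides:",
          scan_sshd_config(SAMPLE_SSHD_CONFIG, "PermitUserEnvironment"))
    print("safe for rssh:", rssh_safe(SAMPLE_SSHD_CONFIG))
    print("SFTP-only users:", sftp_only_users(SAMPLE_PASSWD))
```

On a real box you would feed it `open("/etc/ssh/sshd_config").read()` and `open("/etc/passwd").read()`; the sample config deliberately shows the two traps the scan catches: a second, contradictory global line that sshd ignores, and a Match block that re-enables the setting for one user.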
01-28-03, 12:14
hitchhiker (Registered User, Join: Feb 2002, Posts: 447)
You are a real genius! Thanks! I'd been fiddling with Courier configs for months trying to get SSL to work and finding that building my own version made all sorts of things not work with vpopmail. This is a MUCH more elegant solution.

jim
02-01-03, 20:45
hopsis (Registered User, Join: Jun 2002, Posts: 495)
Quote:

Craig
02-01-03, 21:45
ghost (Registered User, Join: May 2002, Posts: 3,322)
I got your back on this one. I remember it saying that too.
__________________
Jeffery
http://www.cpdevel.com
http://www.hspheregroup.com
07-14-03, 13:54
MarkW78 (Registered User, Join: Nov 2001, Posts: 603)
When we use this (for email), Outlook prompts the user for approval because the cert was not issued by a trusted authority. Any way around that? Can a real cert be installed for this? If so, how? Thanks for the help!

__________________
Mark
07-15-03, 14:42
dynamicnet (Registered User, Join: Jan 2003, Posts: 13,687)
Greetings Hans:

When I have http://www.dynamicnet.net/customer/h...ecific_ips.htm implemented with

    in.fingerd : ALL : DENY

followed by the

    sshd: xxx.xxx.xxx.xxx ALLOW

lines, followed by

    ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port Denial noted %d-%h" root) & : DENY

I get "Port Denial noted localhost.pop3-xxx.xxx.xxx.xxx" (where the x's represent my PC IP). What entry do I have to make to hosts.allow to allow POP3 checks? When I comment out the finger and safe_finger entries, all works.

Thank you.

P.S. Eudora users can use this too, but you have to import the cert as a trusted cert.

__________________
Peter M. Abraham, Senior Server Administrator
Dynamic Net, Inc. -- US/Canada: 001-888-887-6727; International: 001-717-484-1062 -- email solutions @ dynamicnet.net
Parallels H-Sphere Strategic Partner for H-Sphere Security and H-Sphere Server Management
Server Security, Server Administration, Server Migrations, co-location, dedicated servers, and more
http://www.dynamicnet.net/services/hsphere.htm
07-15-03, 15:13
dynamicnet (Registered User, Join: Jan 2003, Posts: 13,687)
Greetings:

Hmmm... I am probably wrong in my understanding of SSL-enabled email, but should the actual message on the server be encrypted somehow? When I cat a message sent to a brand new test box where Eudora states SSL was used OK, I can cat the file in plain text mode. Is the encryption only done in the actual sending and receiving? i.e. the file is plain text on the server, but encrypted when sent / received?

Thank you.
07-15-03, 15:47
hans (Registered User, Join: Apr 2002, Posts: 864)
Hey,

Yes, SSL is only a secure socket layer, so the connection is encrypted (including username/password). Like with Apache SSL or SSH. The HTML file is still clear text, or you type clear text on your screen, but it's sent over to the other side encrypted.

You mean encrypted e-mail, which is a client side thingy, totally server independent. I use The Bat! with S/MIME enabled, but you can also use Outlook Express, and there's PGP of course (plugins available for major email proggies). This encrypts the e-mail on your computer; you cannot even read it as the admin on the mail server without the private key. This still does not protect you from somebody reading the password when you authenticate with the server, but SSL does. So I guess the combination of both is the most secure thing you can do. But the fiddling around with the PGP/S/MIME keys is a pain for most end users.
07-15-03, 15:49
dynamicnet (Registered User, Join: Jan 2003, Posts: 13,687)
Greetings Hans:

Thanks. BTW, do you know the actual entry for hosts.allow to have the stunnel work OK?

Thank you.
07-15-03, 16:23
dynamicnet (Registered User, Join: Jan 2003, Posts: 13,687)
Greetings:

Solved!!! Per http://www.stunnel.org/examples/tcpwrapper_names.html, you can use the -N option to force stunnel to use a specific service name. Then within /etc/hosts.allow, you can reference that service name <SMILE>.

Example /etc/hosts.allow:

    in.fingerd : ALL : DENY
    ### pop from anywhere
    ipop3d: ALL
    ismtp: ALL
    imapd: ALL
    ### Your network IP's go here for where you will access SSH
    ## sshd: xxx.xxx.xxx.xxx
    ### Positive Software Support
    sshd: 194.44.204.0/24
    sshd: 194.44.207.174/32
    sshd: 194.44.209.222/32
    sshd: 213.130.17.170/32
    sshd: 65.219.197.240/32
    sshd: 213.130.17.170
    ###
    ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port Denial noted %d-%h" root) & : DENY

===

The change to the stunnel commands is as follows:

    /usr/sbin/stunnel -d 995 -N ipop3d -p /usr/share/ssl/certs/stunnel.pem -r localhost:pop3
    /usr/sbin/stunnel -d 993 -N imapd -p /usr/share/ssl/certs/stunnel.pem -r localhost:imap
    /usr/sbin/stunnel -d 465 -N ismtp -p /usr/share/ssl/certs/stunnel.pem -r localhost:smtp

Thank you.
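An added example, not from Peter's post and not the tcp_wrappers source: a Python evaluator for the hosts.allow above that reproduces why the stunnel listener was denied before the -N change and accepted after it. It implements the subset of tcpd's rule language the posted file uses (hosts.allow is read first and the first matching rule wins, then hosts.deny; `daemon_list : client_list [: option ...]`; the ALL wildcard; exact IPv4 addresses; trailing-dot prefixes such as `194.44.`; and a.b.c.d/N or a.b.c.d/m.m.m.m networks). Hostname patterns, KNOWN/UNKNOWN/LOCAL, EXCEPT and backslash continuation lines are left out, an assumption made to keep it short. The sample file is a trimmed copy of the posted one with 192.0.2.10 (RFC 5737 documentation space, a constructed value) in place of the xxx placeholder; the service name `localhost.pop3` is the one that appeared in the denial mail earlier in the thread.

```python
"""Evaluate tcp_wrappers hosts.allow / hosts.deny rules the way tcpd does, for
the subset of the rule language used in the thread.  Added example, not the
tcp_wrappers source code.  Not implemented (assumption, to keep it short):
hostname and domain patterns, KNOWN/UNKNOWN/PARANOID/LOCAL, EXCEPT, backslash
continuation lines, and option processing beyond spotting ALLOW/DENY."""
import ipaddress
from typing import List, Optional, Tuple

# Trimmed copy of the posted hosts.allow.  192.0.2.10 (RFC 5737 documentation
# space) stands in for the "xxx.xxx.xxx.xxx" placeholder; it is a constructed value.
HOSTS_ALLOW = """\
in.fingerd : ALL : DENY
### pop from anywhere
ipop3d: ALL
ismtp: ALL
imapd: ALL
### Your network IP's go here for where you will access SSH
sshd: 192.0.2.10
### Positive Software Support
sshd: 194.44.204.0/24
sshd: 194.44.207.174/32
ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port Denial noted %d-%h" root) & : DENY
"""


def _daemon_match(pattern: str, daemon: str) -> bool:
    return pattern.upper() == "ALL" or pattern == daemon


def _client_match(pattern: str, client_ip: str) -> bool:
    if pattern.upper() == "ALL":
        return True
    addr = ipaddress.ip_address(client_ip)
    if pattern.endswith("."):                    # 'net.' prefix form, e.g. '194.44.'
        return client_ip.startswith(pattern)
    if "/" in pattern:                           # a.b.c.d/N or a.b.c.d/m.m.m.m
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


class Rule:
    """One 'daemon_list : client_list [: option ...]' line."""

    def __init__(self, line: str):
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("expected 'daemon_list : client_list': %r" % line)
        self.line = line
        self.daemons = fields[0].split()
        self.clients = fields[1].split()
        self.options = [f for f in fields[2:] if f]

    def matches(self, daemon: str, client_ip: str) -> bool:
        return (any(_daemon_match(p, daemon) for p in self.daemons)
                and any(_client_match(p, client_ip) for p in self.clients))

    def verdict(self, default: str) -> str:
        # Extended syntax: an explicit ALLOW or DENY option overrides the file's
        # meaning; otherwise a match in hosts.allow grants and one in hosts.deny refuses.
        for opt in self.options:
            first = opt.split()[0].upper()
            if first in ("ALLOW", "DENY"):
                return first
        return default


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append(Rule(line))
    return rules


def check_access(daemon: str, client_ip: str, hosts_allow: str,
                 hosts_deny: str = "") -> Tuple[str, Optional[str]]:
    """Return (verdict, matching rule text).  tcpd reads hosts.allow first, then
    hosts.deny, first match wins; if nothing matches, access is granted."""
    for rule in parse_rules(hosts_allow):
        if rule.matches(daemon, client_ip):
            return rule.verdict("ALLOW"), rule.line
    for rule in parse_rules(hosts_deny):
        if rule.matches(daemon, client_ip):
            return rule.verdict("DENY"), rule.line
    return "ALLOW", None


if __name__ == "__main__":
    # The service name stunnel used before -N ("localhost.pop3", as it appeared
    # in the denial mail) only matches the catch-all DENY; the -N names match
    # the explicit ALL rules above it.
    for daemon, ip in [("localhost.pop3", "192.0.2.10"), ("ipop3d", "192.0.2.10"),
                       ("sshd", "194.44.204.7"), ("sshd", "198.51.100.9")]:
        verdict, rule = check_access(daemon, ip, HOSTS_ALLOW)
        print("%-15s from %-14s -> %-5s via %s" % (daemon, ip, verdict, rule))
```

The point the evaluator makes visible is that tcpd matches on the daemon name the wrapped program reports, so a rule for `ipop3d` does nothing for a listener that announces itself as `localhost.pop3`; with `-N` the two agree and the request falls through to the explicit `ALL` line instead of the catch-all DENY.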
07-15-03, 18:11
dynamicnet (Registered User, Join: Jan 2003, Posts: 13,687)
Greetings:

Now... from a customer perspective, how do you prove to them the email is being sent / received securely? In your browser, you have the lock / key. Eudora has Last SSL Info (under personality properties), but I cannot find anything in Outlook. Even looking at the mail headers, I don't see anything that would have indicated SSL was involved.

Thoughts?

Thank you.
07-16-03, 15:07
hans (Registered User, Join: Apr 2002, Posts: 864)
Not really. The only chance you have is using a certificate that does not fit the name, and it should pop up with a warning every time.... Since the whole process is transparent to the qmail server (it's a tunnel) there is no proof. You could compile qmail with TLS support, then you would see something I think, and that would obsolete the whole stunnel thing.
07-16-03, 15:19
dynamicnet (Registered User, Join: Jan 2003, Posts: 13,687)
Greetings Hans:

Thank you for all your help. BTW, rssh is up to 2.10. It may be better to go to http://www.pizzashack.org/rssh/downloads.shtml to make sure the latest is downloaded. And, our path to the SFTP server on our H-Sphere Web server was /usr/libexec/openssh/sftp-server rather than /usr/local/bin/sftpsh.

Otherwise all is very well.

Thank you.
08-06-03, 12:15
timb (Registered User, Join: Feb 2003, Posts: 31)
I've got it working with FreeBSD and stunnel 4.x now! Check it out! http://www.forum.psoft.net/showthrea...&threadid=5190

-Tim

__________________
Gray Wolf Networks
Superior Solutions for an Internet Enabled World
http://www.gograywolf.com
08-06-03, 13:51
dynamicnet (Registered User, Join: Jan 2003, Posts: 13,687)
Greetings Tim: Good work! |
08-18-03, 14:33
dynamicnet (Registered User, Join: Jan 2003, Posts: 13,687)
Greetings:

How do you have your mail reader configured for SMTP? Do you have the outgoing port specified as 465? What email program are you using (include version)? Did you get any error messages? If so, what are they?

On your mail server box, check if stunnel is running on port 465:

RedHat Linux

    ps -ef | grep stunnel | grep 465

FreeBSD

    ps -awux | grep stunnel | grep 465

Was stunnel running for that port? Are you using tcpwrappers? Could it be blocked from there?

Thank you.
08-18-03, 14:36
rrolfe (Registered User, Join: Apr 2002, Posts: 1,512)
Outlook XP, outgoing on 465. stunnel is running and accepting the connections, it just doesn't look like it's passing it on to the SMTP server. tcpwrappers? I don't know. I know that's being used with qmail, but I don't see anything about it with the stunnel setup.