
[cobalt-users] How-to: Installing Stunnel and OpenSSL for Secure IMAP and POP3



Disclaimer:

I take no responsibility for how the installation below will affect your RaQ
server. The installation steps below were done on a fully patched RaQ 4i.
Your mileage will vary. Note: some portions of this how-to were taken from
the http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=39 site.

Install OpenSSL first.

I did this simply because I did not know where the existing OpenSSL
installation was, so that I could bind Stunnel to it. I believe the Cobalt
RaQ4i server uses the /usr directory, while the default installation directory
for OpenSSL is /usr/local/ssl. I checked to make sure there was not an
existing version of OpenSSL in /usr/local/ssl and went ahead and installed
version 0.9.7 into it.

1. SSH into your box as root. You should be in your /root directory.
2. wget http://www.openssl.org/source/openssl-0.9.7a.tar.gz
3. tar -xvzf openssl-0.9.7a.tar.gz
4. cd openssl-0.9.7a
5. ./config
6. make
7. make test
8. make install
9. Verify that the installation is in /usr/local/ssl. When you compile
Stunnel, it will automatically check /usr/local/ssl for an existing
installation of OpenSSL.

Install Stunnel 4.04

1. wget http://www.stunnel.org/download/stunnel/src/stunnel-4.04.tar.gz
2. tar -xvzf stunnel-4.04.tar.gz
3. cd stunnel-4.04
4. ./configure
5. make
6. make install

Generate a Self-signed certificate to use with IMAP and POP3

1. cd /usr/local/ssl/certs
2. openssl req -new -x509 -nodes -out cert.pem -keyout stunnel.pem
3. Fill out the following questions:

   Country Name (2 letter code) [AU]:
   State or Province Name (full name) [Some-State]:
   Locality Name (eg, city) []:
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:
   Organizational Unit Name (eg, section) []: (you can leave this blank if you want to)
   Common Name (eg, your name or your server's hostname) []: (address of the web server to be used by your users)
   Email Address []:

4. cat cert.pem >> stunnel.pem
5. rm -f cert.pem
6. chmod 600 stunnel.pem
7. pico stunnel.pem

Edit stunnel.pem and put an extra blank line after

   "-----END RSA PRIVATE KEY-----"

and another blank line at the end of the file after

   "-----END CERTIFICATE-----"

8. Finally, ensure that the PID directory exists:

mkdir -p /var/run/stunnel/
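As an added check, not part of the original post or of the stunnel project, this POSIX sh function verifies that a stunnel.pem has the layout steps 4 through 7 above produce: the key first, the certificate after it, the two blank lines, and mode 600. The sample PEM it writes uses constructed placeholder bodies, not real key material.

```shell
#!/bin/sh
# Added example, not part of the original post: check that a combined
# stunnel.pem is laid out the way the steps above describe:
#   - the RSA private key comes first, the certificate after it
#   - a blank line follows "-----END RSA PRIVATE KEY-----"
#   - the file ends with a blank line after "-----END CERTIFICATE-----"
#   - the file mode is exactly 600
# Prints a reason and returns 1 on the first problem found.
check_stunnel_pem() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    # POSIX find with a bare octal -perm means "exactly this mode".
    [ -n "$(find "$f" -perm 600)" ] || { echo "$f: mode is not 600"; return 1; }
    key_end=$(grep -n -- '-----END RSA PRIVATE KEY-----' "$f" | head -n 1 | cut -d: -f1)
    cert_begin=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$key_end" ] || { echo "$f: no RSA private key block"; return 1; }
    [ -n "$cert_begin" ] || { echo "$f: no certificate block"; return 1; }
    [ "$key_end" -lt "$cert_begin" ] || { echo "$f: certificate must follow the key"; return 1; }
    # The line right after the key's END marker must be empty.
    [ -z "$(sed -n "$((key_end + 1))p" "$f")" ] || { echo "$f: no blank line after the key"; return 1; }
    # The very last line of the file must be empty too.
    [ -z "$(tail -n 1 "$f")" ] || { echo "$f: no blank line after the certificate"; return 1; }
    echo "$f: layout looks right for stunnel"
    return 0
}

# Write a constructed PEM with placeholder bodies (no real key material)
# to $1; $2 is "good" (with the blank lines) or "bad" (without them).
write_sample_pem() {
    {
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----'
        printf '%s\n' 'PLACEHOLDER-KEY-BODY-NOT-A-REAL-KEY'
        printf '%s\n' '-----END RSA PRIVATE KEY-----'
        if [ "$2" = good ]; then printf '\n'; fi
        printf '%s\n' '-----BEGIN CERTIFICATE-----'
        printf '%s\n' 'PLACEHOLDER-CERT-BODY-NOT-A-REAL-CERT'
        printf '%s\n' '-----END CERTIFICATE-----'
        if [ "$2" = good ]; then printf '\n'; fi
    } > "$1"
    chmod 600 "$1"
}

# Usage on a real box: check_stunnel_pem /usr/local/ssl/certs/stunnel.pem
```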

Start up Stunnel.

Please note that the command line syntax on the Uk2Raq.com web site is outdated.
It will not work for Stunnel version 4.04. This version now uses a
stunnel.conf file located in /usr/local/etc/stunnel. There is a
stunnel.conf-sample file in this directory; I simply copied it to
stunnel.conf. You will need to edit this file before starting Stunnel.

1. cd /usr/local/etc/stunnel
2. cp stunnel.conf-sample stunnel.conf
3. pico stunnel.conf

I changed the following lines:

cert = /usr/local/ssl/certs/stunnel.pem
chroot = /var/run/stunnel
setgid = nobody

4. Make sure /var/run/stunnel is writable
5. You are now ready to start the stunnel daemon:

stunnel /usr/local/etc/stunnel/stunnel.conf

6. Check /var/log/messages to see whether any error messages were recorded
when you started stunnel. If there are none, you are ready to connect to the
POP3 and IMAP servers securely using an email client such as Outlook Express.

Please note:

If you are running Chkrootkit 0.37 you may get the following warning:

Checking `bindshell'... INFECTED (PORTS:  465)

This is caused by the stunnel daemon. To verify, simply shut down the stunnel
process and run chkrootkit again; the warning should no longer appear.

Since I am a newbie, I could use some help on how to start stunnel
automatically when you restart the server.

Please let me know if this how-to helps you out. I have received so much
help from this list, I praise the Lord in allowing me to contribute to it in
this small way.

Please let me know if you have any questions.

Yours in Christ,
Brian Carpenter
Emerging Markets Web Design