By DavidPhillips at 2003-09-14 23:32
HOWTO Setup a Secure Relaying Email Server
Introduction
This HOWTO is intended to offer a secure Email server solution using your server of choice and also your Email client of choice. Virtually any client and server will work with this setup as long as they can connect to localhost. Some servers have their own built-in authentication mechanism and may not need this method of securing authentication.
Retrieving email
When a client retrieves Email, a connection is made to the server where the user has an account, using POP or IMAP. The server must authenticate the user to know which Email is theirs.
Sending Email
Email clients establish a connection to a server using SMTP. The server receives the Email and routes it to the mailbox of the user it is addressed to. If the address is on another server, the server will relay the Email to the server that has the user's mailbox. Most SMTP servers have no authentication and simply relay Email for any user whose IP address is in the ISP's block of addresses. Some will relay for anyone; these are known as open relays and are famous for relaying spam.
Securing Email retrieval
We are going to use SSL over secure ports. This will ensure that the connection is encrypted when the user's password is sent and when data is transferred. We are also going to require a client certificate to establish a connection, in addition to the normal user login. An attempt to guess a username and password is useless against this setup without the client certificate.
SMTP Incoming Email
Our SMTP server needs two ports to connect to. The insecure port will be open for incoming Email. We cannot restrict incoming Email, mainly because we do not know who is going to send Email to our users or where the sender will be located. Our main concern is that the recipient has an account on our system. If the Email address is valid for one of our users, the message is routed to their mailbox. We do not want to run an open relay over the Internet, so through the insecure port we will only accept Email addressed to user accounts on the system.
Secure SMTP relays
Our users who are out roaming around on the Internet may not be able to relay Email if we run a closed relay server, because they will only be able to send Email to other user accounts on the server. This is why we need a secure port. We can route our users who connect to the secure port through an SSL wrapper tunnel to localhost port 25. This way our server will allow their Email to be relayed to any destination. Our users can be at any location and still be able to relay Email through our server. Most servers are configured to relay only for localhost by default; be sure yours is set up this way. Our server listening on localhost port 25 does not care who is sending the Email, it only cares who it is addressed to. We need an authentication method so that only our users are able to connect to the server through the secure port, to prevent unauthorized use. We are going to do this with stunnel using client certificates.
You can put the commands in your rc.local file or startup scripts.
Checking the server
Once the services are configured and started we can check to be sure they are running with netstat.
Code:
/bin/netstat -tp
Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp        0      0 *:imaps         *:*               LISTEN   15396/xinetd
tcp        0      0 *:pop3s         *:*               LISTEN   15396/xinetd
tcp        0      0 *:smtps         *:*               LISTEN   15396/xinetd
Among any other servers running on TCP ports, we can see our servers listed, and also that they are run by xinetd. The services should also be listed in your /etc/services file.
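An added check for this step, not from the original HOWTO: it reads the output of netstat -tlnp (numeric ports, rather than the service names shown above) and reports mail ports that are listening where they should not be. The netstat lines in SAMPLE_NETSTAT are constructed for the demonstration.

```shell
# Added example, not part of the original HOWTO: run the "Checking the server"
# step as a policy check over netstat listener lines. Only the SSL wrappers
# (465, 993, 995) and incoming SMTP (25) should listen on every interface;
# plain POP (110) and IMAP (143) must stay on loopback behind stunnel.
# SAMPLE_NETSTAT is constructed output in the shape of "netstat -tlnp".
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 15396/xinetd
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 15396/xinetd
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 15396/xinetd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 912/sendmail
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 15396/xinetd
tcp 0 0 127.0.0.1:143 0.0.0.0:* LISTEN 15396/xinetd'

# check_listeners "<netstat -tlnp output>": prints one line per problem and
# returns 1 if any was found, 0 if the listeners match the HOWTO's layout.
check_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)      # everything before it
            loop = (addr == "127.0.0.1" || addr == "::1")
            if ((port == "110" || port == "143") && !loop) {
                print "plaintext port " port " exposed on " addr " (" $7 ")"; bad = 1
            }
            if ((port == "465" || port == "993" || port == "995") && loop) {
                print "SSL port " port " reachable from loopback only (" $7 ")"; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Run it against the constructed sample (reports the exposed plain POP port).
check_listeners "$SAMPLE_NETSTAT"
```

On a live server replace the sample with `check_listeners "$(netstat -tlnp)"`.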
Firewalls
It will also be necessary to allow connections to the servers through your firewall. This is only a basic example of how to allow the connections from the Internet or external network. Be sure you have a good firewall in place to only allow the required connections. This is not by any means a complete firewall script.
Code:
# Chain for TCP packets arriving on the Internet-facing interface
$IPTABLES -N tcp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
# The three SSL-wrapped mail ports: smtps, imaps, pop3s
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 465 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 993 -j ACCEPT
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 995 -j ACCEPT
# Replies belonging to connections that are already established
$IPTABLES -A tcp_packets -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else on TCP is dropped; rules for any other service you run
# (such as incoming mail on port 25) must be added before this line
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j DROP
Test your rules with this command. In addition to the other rules, you should see that our server rules allow connections to the required ports.
The users connecting to our server on port 465 will be connecting as if they were logged in locally on the system, and will be allowed to relay mail anywhere. For our purpose we will use a single client certificate. The server will only allow a connection if the certificate on the server matches the client's certificate. Individual certificates could also be used if you desire.
Most Email clients will support our POP3S and/or IMAPS connections simply by configuring them to do so. SMTPS support varies widely among clients, requiring special types of certificates to be distributed and supported. Due to the many options for Email clients, we are going to support all of them with a single certificate.
By using stunnel on the client to handle the secure connection, your Email client will be configured to connect to localhost:port.
Both client and server will have an internal local connection to the stunnel service, and all communication externally will be done using SSL encryption. The POP and IMAP servers have their own authentication. The SMTP server is not going to need authentication, as we will be using the client certificate to verify the clients. Incoming Email from sources other than our users will come in through the normal SMTP connection to port 25, where relay will be denied and only mail for our users will be accepted.
There are many options when it comes to client-server negotiation; we are going to use a single client certificate for all clients to authenticate. The certificate will be verified by the server and, if successful, a connection to localhost will be allowed. Otherwise the connection is denied. A user connecting to POP or IMAP will need a certificate as well as their username and password.
Client Certificates
Our client certificate is going to be created on the server and distributed to clients. When a new certificate is to be used, we can mail it out over our secure Email system. All Email that is sent to and from our users is encrypted, so it is fairly safe to send the certificates through the Email system. Email coming in from or going out to a non-user is sent in plain text. This is mainly because not every server uses encryption. For this reason certificates should only be sent via secure Email or some other secure form of delivery. Our server can support multiple certificates, therefore an old certificate can still be accepted for a period of time during an upgrade and then be removed from the server.
Creating the client certificate
OpenSSL comes with the tools necessary to make client certificates; we are now going to create a client certificate on our server.
Any services running on the client that are bound to these ports will interfere with our client. Check whether they are running and stop them if they are.
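The certificate creation step above and the stunnel tunnels described under "Secure SMTP relays" and "Client Certificates", written out as an added example that is not the HOWTO's own code. It assumes stunnel 4.x config-file syntax on both ends (the HOWTO's myserver.conf is not shown); SERVER_NAME and OUT are placeholder values.

```shell
# Added example, not part of the original HOWTO: create the server certificate and
# the single shared client certificate with openssl, then write stunnel 4.x config
# files for both ends. SERVER_NAME and OUT are assumed values; adjust for your site.
set -eu
SERVER_NAME="${SERVER_NAME:-mail.example.com}"
OUT="${OUT:-${TMPDIR:-/tmp}/stunnel-demo}"
# Self-signed key+cert for CN=$2; $1.pem combines both as stunnel's "cert =" expects.
make_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
    cat "$1.key" "$1.crt" > "$1.pem"
    chmod 600 "$1.key" "$1.pem"
}
write_configs() {
    mkdir -p "$OUT"
    make_pem "$OUT/server" "$SERVER_NAME"
    make_pem "$OUT/client" "shared-roaming-client"
    # Server end: only the SSL ports face the Internet, plain services stay on
    # localhost; verify = 3 admits a peer only if its certificate is in CAfile.
    cat > "$OUT/stunnel-server.conf" <<EOF
cert = $OUT/server.pem
CAfile = $OUT/client.crt
verify = 3
[smtps]
accept = 465
connect = 127.0.0.1:25
[pop3s]
accept = 995
connect = 127.0.0.1:110
[imaps]
accept = 993
connect = 127.0.0.1:143
EOF
    # Client end: the mail program talks plain text to localhost, stunnel
    # presents client.pem and accepts only our server's own certificate.
    cat > "$OUT/stunnel-client.conf" <<EOF
client = yes
cert = $OUT/client.pem
CAfile = $OUT/server.crt
verify = 3
[smtps]
accept = 127.0.0.1:25
connect = $SERVER_NAME:465
[pop3s]
accept = 127.0.0.1:110
connect = $SERVER_NAME:995
[imaps]
accept = 127.0.0.1:143
connect = $SERVER_NAME:993
EOF
}
write_configs
```

To accept more than one client certificate during an upgrade, point the server at a CApath directory of hashed certificates instead of a single CAfile.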
Code:
/sbin/chkconfig imap off
/sbin/chkconfig ipop3d off
/sbin/chkconfig sendmail off
/sbin/service sendmail stop
Or use your distro's method to shut them down.
If you are running a server on the client, then you probably have no use for this anyway. You could look into masquerading.
If you have no other choice, then you can use other open ports and an Email client that will let you change to that local port; most of them will.
Starting the Client Service
You can place the command in your startup scripts, make an initd script, or run it manually, as long as it is running when we need to send or retrieve Email using our server.
Code:
/usr/sbin/stunnel /etc/stunnel/myserver.conf
The Windows Client
Stunnel Win32 and OpenSSL binaries are freely available and are covered under the GNU GPL.
Check for the latest releases.
If you use Notepad, it may append .txt to the filename by default; use double quotes around the filename to prevent this.
Code:
"myserver.conf"
Put the client certificate in the program's run folder or the path stated in the config file.
The .dll files can be in the folder the program is run from, your system32 folder, or somewhere in the path.
On Win95 versions the program can be started using the Startup folder. On NT versions we will run it as a service. It needs to be started on boot to be available for the Email client.
Setup stunnel on NT
Create a shortcut to the .exe file. Edit the shortcut command line to read "stunnel-4.04.exe -install" and run the shortcut. The service will then be installed; you can remove the shortcut.
Open your services management console, and start the "stunnel" service.
Setting up your Client's Email program
Create an account on the client program with an appropriate name like "Super Cool Email Server".
Use the following settings; with the exception of the mailserver name, these are default settings.
Code:
[SMTP]
Outgoing mailserver = localhost
Use password = no
Use encryption = no
Type = SMTP
Port = 25
[POP]
Incoming mailserver = localhost
Use encryption = no
Type = POP
Port = 110
[IMAP]
Incoming mailserver = localhost
Use encryption = no
Type = IMAP
Port = 143
On the server and Linux client you can monitor connections using tail. Check your /etc/syslogd.conf file for the location of your log files.
I followed this, as closely as I was able, but had a few problems:
When I ran /bin/netstat -tp
I got nothing like what was shown.
When I ran /usr/sbin/stunnel /etc/stunnel/myserver.conf
I got
Either -r, -l (or -L) option must be used
Try 'stunnel -h' for more information.
I've been really trying to get this to work...
Using Red Hat 8.0.
Any help is greatly appreciated... I'm not a newbie to Unix, and
not all that new to Linux, though I sure am having some mail problems....
by DavidPhillips on Sun, 2003-10-05 11:41
What do you get when running netstat on the server?
The -t is a filter to show only TCP, -p displays the PID of the program with the connection.
You could try netstat -lp
Code:
Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp        0      0 *:imaps         *:*               LISTEN   1117/xinetd
stunnel needs the -r or -l as used on the server to tell it how to connect. The config file contains the needed information. Be sure that the config file is correct and that the user running stunnel can access it.
I run stunnel as root
Code:
ls -l /etc/stunnel
total 4
-rw------- 1 root root 278 Oct 5 11:14 www.conf
Your logs should tell you if stunnel has a problem starting; check /var/log/messages for more info on the problem.
by linuxnube on Mon, 2003-10-27 21:21
As far as the Windows client goes, how does this work with antivirus software that is also intercepting mail sent from the client on localhost, in order to scan outgoing mail for viruses?
-KS
by DavidPhillips on Mon, 2003-10-27 22:22
No problem as far as I have tested.
I have "Norton AV 2002" set to scan email, I also have it set to display a progress indicator when I send mail. The progress screen comes up and shows the scan as expected.
I would expect other scanners to work as expected also.
by linuxnube on Tue, 2003-11-04 15:13
by DavidPhillips on Tue, 2003-11-04 17:08
Yes linuxnube, it will work. The .dll files for OpenSSL are found at stunnel.org in the download area; that's all you need on the client unless you intend to create certificates on the client. Then you would need to install OpenSSL.
by romel on Mon, 2003-12-15 14:37
Can I set up an "exim 4" mail server on "debian gnu linux 3.0" by following these instructions? I want to set up a secure mail server on Debian and also a scanner for its incoming and outgoing email....
by DavidPhillips on Mon, 2003-12-15 19:02
This document covers setting up a secure tunnel to transfer mail over. You can use it to secure any mailserver you wish.
It does not cover mailserver installation or configuration.
by romel on Tue, 2003-12-16 15:12
thanks...Now I understand...
by J_Szucs on Thu, 2004-01-01 14:22
According to the article, one should set up stunnel and SSL on the client, too, to connect to e.g. a secure SMTP server.
Fortunately, it is not so. I tested the setup and found that the mail client of Mozilla 1.5 can perfectly use the smtps server even if you do not have stunnel on the client! In my case I had an https server with client-server authentication using stunnel on the server, and, based on that setup, it took me not more than a minute to set up the new smtps service.
Stunnel and Mozilla rock!
Thanks for the tip!