How to set up and use encrypted connections with DBmail

You can use stunnel to provide an SSL-encrypted connection to the DBMail POP3 and IMAP servers. This does not encrypt the mail itself, only the connection between the mail client and the server, but it keeps your passwords from crossing the network in the clear.

Note: This breaks pop-before-smtp functionality. All SSL connections will show up as 127.0.0.1 in your dbmail_pbsp table. DBMail does not yet support STARTTLS. If you need to relay for your IMAP/POP users you will have to look into SMTP AUTH.

Note: stunnel can be a pain to compile from source. It has a weird pseudo-sandbox that can easily confuse beginners. If at all possible, use the package provided by your distribution.

Setting up the certificate

Before you set up stunnel, you will first need a certificate. One way to generate a self-signed certificate is as follows:

#!/bin/sh
# Generate a self-signed certificate and its private key in one PEM file,
# which is the layout stunnel expects for its -p / cert option.

cd /etc/ssl/certs

PEMFILE="servername.foobar.com.pem"

# Key and certificate (valid for 365 days) are written to the same file.
openssl req -new -x509 -nodes -days 365 -out "$PEMFILE" -keyout "$PEMFILE"
chmod 600 "$PEMFILE"

# Seed file for the DH parameters; note that 512-bit DH is weak by current standards.
[ -e temp_file ] && rm -f temp_file
dd if=/dev/urandom of=temp_file count=2
openssl dhparam -rand temp_file 512 >> "$PEMFILE"
rm -f temp_file

# Hash-named symlink so that stunnel's -a / CApath lookup can find the certificate.
ln -sf "$PEMFILE" "$(openssl x509 -noout -hash < "$PEMFILE")".0

This assumes your certificate will live in /etc/ssl/certs (the Debian way), and that your users will connect to servername.foobar.com for either imaps or pop3s.

Secure POP3

For the POP3 server, we want to take all connections to the POP3S port, decrypt them and send them to the POP3 port on localhost.

For stunnel 3.x you will have to run a daemon:

stunnel -a /etc/ssl/certs -p servername.foobar.com.pem -t 300 -d pop3s -r localhost:pop3

Stunnel 4.00 and onward use a config file instead of command-line arguments.

in /etc/stunnel/pop3s.conf:

accept          = 995
connect         = 110
cert            = /etc/ssl/certs/servername.foobar.com.pem
session         = 14400
TIMEOUTidle     = 14400

in /etc/inetd.conf:

pop3s   stream  tcp     nowait  root    /usr/sbin/stunnel4 stunnel4 /etc/stunnel/pop3s.conf

Secure IMAP

Same deal for the IMAP server, but change the ports:

stunnel -a /etc/ssl/certs -p servername.foobar.com.pem -t 300 -d imaps -r localhost:imap

in /etc/stunnel/imaps.conf:

accept          = 993
connect         = 143
cert            = /etc/ssl/certs/servername.foobar.com.pem
session         = 14400
TIMEOUTidle     = 14400

in /etc/inetd.conf:

imaps   stream  tcp     nowait  root    /usr/sbin/stunnel4 stunnel4 /etc/stunnel/imaps.conf

Secure LDAP

It turns out that if you are running a version of LDAP that has ldap_initialize() (which OpenLDAP >= 2.3 does; I'm not certain about 2.2 though), then you get LDAP over TLS support for free. One can simply leave the HOSTNAME and URI parameters of the dbmail.conf file blank, and then OpenLDAP will use the contents of /etc/openldap/ldap.conf. If one puts the following in that file:

URI ldaps://ldap_host1 ldaps://ldap_host2

then DBMail will try to connect to the LDAP over SSL port (636) on ldap_host1 and ldap_host2, in that order. This is all courtesy of the OpenLDAP library.

Now one could put the following into the LDAP section of the dbmail.conf file:

URI = ldaps://ldap_host3 ldaps://ldap_host4

if you wanted DBMail to use different LDAP servers from the system default ones.

If your version of OpenLDAP does not have the ldap_initialize() function and only has ldap_init(), you can also use stunnel as a client to establish secure connections to your LDAP server. Assuming that you have an LDAP server running over TLS on port 636 on a machine named ldap_host, you would put the following in /etc/stunnel/ldap.conf:

CAfile = /path/to/file/cacert/list
client = yes
; without a verify level stunnel never checks the server certificate, so the CAfile alone does nothing
verify = 2
accept = 389
connect = ldap_host:636

You would then tell DBMail to connect to localhost on port 389 for LDAP. Note that since we are running as a client, we do not need a certificate of our own. Rather, we need a list of CAs against which the LDAP server's certificate is verified. For stunnel 3.x and earlier, you would use:

stunnel -c -d 389 -r ldap_host:636

Note that this stunnel method will work even if you have a more recent version of OpenLDAP as well.
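As an added example (not part of this wiki page, and not stunnel's own code), a small Python checker for the option format used in the fragments above. It parses the flat `option = value` syntax (with `;` comments and optional `[service]` sections) and flags the two mistakes these configs are prone to: a client section whose CAfile is inert because no verify level is set, and a server section with no cert. The sample config embedded in it is constructed.

```python
import re
# Constructed sample: the LDAP client fragment from this page, but without a verify level.
LDAP_CLIENT_CONF = """CAfile = /path/to/file/cacert/list
client = yes
accept = 389
connect = ldap_host:636
"""

def parse_stunnel_conf(text):
    """Parse stunnel's `option = value` format; ';' starts a comment, [name] a service."""
    conf, section = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip()
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip()] = value.strip()
    return conf

def check_service(opts, defaults=None):
    """Findings for one service; options set before the first [section] act as defaults."""
    merged = {**(defaults or {}), **opts}
    findings = []
    client = merged.get("client", "no").lower() == "yes"
    verify = int(merged.get("verify", "0"))
    has_ca = "CAfile" in merged or "CApath" in merged
    if client:
        # CAfile on its own is inert: stunnel only checks the peer when verify >= 2
        if verify < 2:
            findings.append("client mode without 'verify = 2': server certificate is not verified")
        elif not has_ca:
            findings.append("verify >= 2 but no CAfile/CApath: every handshake will fail")
    else:
        if "cert" not in merged:
            findings.append("server mode without 'cert': nothing to present to clients")
        if verify >= 1 and not has_ca:
            findings.append("verify >= 1 but no CAfile/CApath to validate client certificates")
    return findings

def lint(text):
    conf = parse_stunnel_conf(text)
    services = {k: v for k, v in conf.items() if k != "global"}
    if not services:  # inetd-style config: all options live at the global level
        return {"global": check_service(conf["global"])}
    return {n: check_service(o, conf["global"]) for n, o in services.items()}
```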


CentOS 4.2

On CentOS the xinetd and stunnel configuration differs slightly.

Secure IMAP

in /etc/xinetd.d/imaps:

# default: off
# description: The IMAPS redirector allows client software which does not have \
#              native support for SSL to connect to the local machine's IMAP \
#              port and have the connection forwarded over the network using \
#              SSL.  You will need to modify stunnel-imaps-client.conf to \
#              specify the server to connect to in order for this to be useful.
service imaps
{
        disable = no
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/stunnel
        server_args             = /etc/stunnel/imaps.conf
}

in /etc/stunnel/imaps.conf:

verify = 1
cert = /etc/ssl/certs/domain.cert.pem
connect = 143

Secure POP3

in /etc/xinetd.d/pop3s:

service pop3s
{
        disable = no
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/stunnel
        server_args             = /etc/stunnel/pop3s.conf
}

in /etc/stunnel/pop3s.conf:

verify = 1
cert = /etc/ssl/certs/domain.cert.pem
connect = 110

Secure SMTP

in /etc/xinetd.d/ssmtp:

# default: off
# description: The SMTPS redirector allows client software which does not have \
#              native support for SSL to connect to the local machine's SMTPS \
#              port and have the connection forwarded over the network using \
#              SSL.  You will need to modify stunnel-ssmtp-client.conf to \
#              specify the server to connect to in order for this to be useful.
service smtps
{
        disable = no
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/stunnel
        server_args             = /etc/stunnel/stunnel-ssmtp-client.conf
#       log_on_success          += USERID
#       log_on_failure          += USERID
}

in /etc/stunnel/stunnel-ssmtp-client.conf:

CAfile = /etc/stunnel/example.com
connect = 25
 
stunnel.txt · Last modified: 2012/02/27 21:29 by bas