HowTo: Secure mail sending and receiving with stunnel

All about system and application security

sascha
Posts: 1325
Joined: 2002-04-22 23:08

HowTo: Secure mail sending and receiving with stunnel

Post by sascha »
Install stunnel

rpm -Uhv http://update.pureserver.info/suse/7.2/suse/sec2/stunnel.rpm

Copy the configuration file for OpenSSL

cp /usr/share/doc/packages/stunnel/stunnel.cnf /etc/stunnel

Create a new CA certificate:

/usr/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Using configuration from /usr/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...........++++++
................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bundesland
Locality Name (eg, city) []:Stadt
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:deinedomain.tld
Email Address []:ca@deinedomain.tld

Make the certificate available for download:

openssl x509 -in demoCA/cacert.pem -out capub.crt -outform DER
cp capub.crt /home/www/web1/html/

HTML code for the download link:

<a href="capub.crt" type="application/x-x509-ca-cert">CA-Zertifikat</a>

Create the certificate signing request:

openssl req -new -days 365 -nodes -config /etc/stunnel/stunnel.cnf -out certreq.pem -keyout stunnel.pem
Using configuration from /etc/stunnel/stunnel.cnf
Generating a 1024 bit RSA private key
...........++++++
............................++++++
writing new private key to 'stunnel.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:DE
State or Province Name (full name) [Some-State]:Bundesland
Locality Name (eg, city) []:Stadt
Organization Name (eg, company) [Stunnel Developers Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (FQDN of your server) [localhost]:mail.deinedomain.tld  (This domain must later be entered as the mail server in the e-mail client!)

Sign the certificate signing request:

mv certreq.pem newreq.pem
/usr/ssl/misc/CA.sh -sign
Using configuration from /usr/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bundesland'
localityName          :PRINTABLE:'Stadt'
commonName            :PRINTABLE:'mail.deinedomain.tld'
Certificate is to be certified until Dec 27 20:01:32 2003 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, ST=Bundesland, L=Stadt, CN=deinedomain.tld/Email=ca@deinedomain.tld
        Validity
            Not Before: Dec 27 20:01:32 2002 GMT
            Not After : Dec 27 20:01:32 2003 GMT
        Subject: C=DE, ST=Bundesland, L=Stadt, CN=mail.deinedomain.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c6:9f:5b:d1:8b:b0:39:58:18:fc:27:0b:b2:a6:
                    ab:b8:8b:3b:f3:f0:91:cf:fd:3f:30:3b:2f:6b:9b:
                    60:ca:a5:ae:73:aa:83:5b:e9:50:9e:da:63:d2:3d:
                    43:5f:84:42:62:28:a4:3f:85:c1:da:03:fc:c9:ec:
                    52:13:2e:52:b0:b4:e2:e0:c6:c0:4c:1a:c3:06:06:
                    43:e8:78:c3:8c:47:48:87:45:bf:b1:be:e4:97:61:
                    1c:b8:8d:a9:d6:fa:fd:d3:0f:02:04:f2:b2:08:dd:
                    11:be:29:59:38:23:35:bd:65:eb:25:de:e9:74:c3:
                    3a:79:60:d0:74:03:43:05:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                EE:D6:14:F1:F4:09:08:F8:65:FD:DE:FF:6C:6E:2C:77:5E:3E:1A:50
            X509v3 Authority Key Identifier:
                keyid:0B:72:AB:C4:51:7C:D1:92:87:4B:5D:29:65:B0:50:70:0B:25:82:13
                DirName:/C=DE/ST=Bundesland/L=Stadt/CN=deinedomain.tld/Email=ca@deinedomain.tld
                serial:00

    Signature Algorithm: md5WithRSAEncryption
        00:3c:e1:f8:83:9c:8e:33:ff:82:d9:d5:36:55:fa:a3:f4:ff:
        7c:34:19:24:1b:85:b9:0f:31:f2:b9:37:9c:80:44:9b:14:68:
        be:3f:77:b1:1a:a8:29:1e:d0:70:2b:11:ad:05:76:54:a3:aa:
        99:63:88:44:6a:7f:c1:52:76:06:c3:00:c0:22:b1:2d:a4:bc:
        39:b1:b9:87:9f:4b:a3:84:bd:33:91:7a:f3:b6:56:e3:59:c4:
        1d:ae:82:48:33:84:47:59:1c:e1:d4:a3:97:4e:df:34:a8:49:
        ad:c5:77:52:bb:aa:39:eb:90:a3:00:2f:dd:40:14:d9:0b:5b:
        46:f0
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

Copy the complete block from -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE----- and append it to the end of the file stunnel.pem.

Adjust the permissions and copy the certificate to the right place

chmod 600 stunnel.pem
cp stunnel.pem /etc/stunnel/

The certificate is now ready for use!


Here is an example of encrypting SMTP and POP3 as well:

Add to /etc/services:

[...]
smtps           465/tcp                 # smtp protocol over TLS/SSL
smtps           465/udp                 # smtp protocol over TLS/SSL
[...]

/etc/inetd.conf:

pop3s  stream  tcp     nowait  root    /usr/sbin/stunnel -d pop3s -r localhost:pop3
smtps  stream  tcp     nowait  root    /usr/sbin/stunnel -d smtps -r localhost:smtp

rcinetd restart

Now you should be able to fetch and send e-mail both with and without encryption. For more information I recommend the really detailed (unfortunately English-only) documentation at http://www.stunnel.org
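A check worth running on stunnel.pem before the rcinetd restart, added here as an example and not part of the original post: it verifies the file mode, that the pasted certificate really belongs to the private key, that the CN is the host the mail client will use (mail.deinedomain.tld in this HowTo) and that the certificate has not expired. It assumes the private key is the first PEM block, as the -keyout step above produces, and that openssl is in PATH.

```shell
#!/bin/sh
# Sanity check for the combined key+certificate file built above.
# Added example, not part of the original post. Assumes the private key
# is the first PEM block (as "openssl req ... -keyout stunnel.pem" writes it)
# and that the openssl binary is in PATH.
# Usage: check_stunnel_pem /etc/stunnel/stunnel.pem mail.deinedomain.tld
check_stunnel_pem() {
    pem="$1"; expected_cn="$2"; rc=0

    # the file holds an unencrypted private key: must be mode 600 (chmod above)
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    [ "$mode" = "600" ] || { echo "ERR: $pem has mode $mode, expected 600"; rc=1; }

    # both blocks must be present, i.e. the signed cert was really appended
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" || { echo "ERR: no private key in $pem"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$pem"   || { echo "ERR: no certificate in $pem"; return 1; }

    # the appended certificate must belong to this key (compare the RSA moduli)
    key_mod=$(openssl rsa  -in "$pem" -noout -modulus 2>/dev/null | openssl sha256)
    crt_mod=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null | openssl sha256)
    [ "$key_mod" = "$crt_mod" ] || { echo "ERR: certificate does not match the private key"; rc=1; }

    # CN must equal the host name the mail client is configured with,
    # otherwise the client rejects the certificate (or the user clicks it away)
    cn=$(openssl x509 -in "$pem" -noout -subject | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p')
    [ "$cn" = "$expected_cn" ] || { echo "ERR: CN is '$cn', expected '$expected_cn'"; rc=1; }

    # the 365-day certificate from CA.sh expires; catch it before the clients do
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || { echo "ERR: certificate has expired"; rc=1; }

    # CA.sh above signed with md5WithRSAEncryption; MD5 signatures are no longer trustworthy
    if openssl x509 -in "$pem" -noout -text | grep -q 'md5With'; then
        echo "WARN: certificate is signed with MD5, re-sign it with SHA-256"
    fi
    return $rc
}
```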
dspeicher
Posts: 167
Joined: 2002-05-20 20:16
Location: Hörstel
Contact:

Re: HowTo: Secure mail sending and receiving with stunnel

Post by dspeicher »

Nice! *applause*
bernostern
Posts: 129
Joined: 2003-02-09 12:52

Re: HowTo: Secure mail sending and receiving with stunnel

Post by bernostern »

Hello,

Can I use this as-is for Debian and Postfix? With small changes, of course.
I see one problem there: Postfix isn't started by inetd...

Thanks and regards,
Bern