How-To Install Stunnel to SSL-encrypt your POP3, IMAP and sendmail
by Kevin A. McGrail
kevin@mcgrail.com


Over the past few years, we've used Stunnel to help secure our POP3 and IMAP ports,
which otherwise carry passwords in clear text.  And if you have read our sendmail
setup, you'll know that remote users are a big part of what I am trying to solve.

Therefore, as of 5-20-2003, here is our recommended solution to install a mail
server that can be as secure as feasible with normal, non-technical users all over
the world.

Step 1:
	Install sendmail and utilize what is known as POP-before-SMTP, which requires
	that a user check their mail via IMAP or POP; the server then adds them
	dynamically to a time-based database that allows them to relay off your
	mail server.

Step 2:
	Install sendmail with STARTTLS configured.

	NOTE: Steps 1 & 2 are both covered by following the instructions at
	http://www.peregrinehw.com/downloads/ under sendmail.

Step 3:
	Install stunnel and configure it in Transparent proxy mode for IMAP and POP.
	DO NOT TUNNEL SMTP WITH STUNNEL.  You really have to switch to STARTTLS to
	make this plan work.

Step 4:
	Instruct your clients to check the appropriate check boxes to use SSL.
	You can see Peregrine Hardware's example at our website www.peregrinehw.com
	under the Customer Support section.

#PRE-REQs: OpenSSL


STUNNEL v3.X
cd /files
wget http://www.peregrinehw.com/downloads/stunnel/stunnel-3.26.tar.gz
wget http://www.peregrinehw.com/downloads/stunnel/stunnel.cnf

#05-20-2003: UPGRADE to STUNNEL 3.24 for RSA BLINDING BY DEFAULT
#08-02-2003: UPGRADE to STUNNEL 3.25 to prevent DoS attack 
#09-02-2003: UPGRADE to STUNNEL 3.26 for bug reasons
cd /usr/src
tar zxvf /files/stunnel-3.26.tar.gz
cd stunnel-3.26
./configure --with-ssl=/usr/local/ssl
make
make install

#1. EDIT THE STUNNEL.CNF FILE PROVIDED
vi stunnel.cnf

#2. MAKE YOUR OWN STUNNEL CERTIFICATE SO THAT Outlook Express v5.5 SP2 and higher won't give errors.
/usr/local/ssl/bin/openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem -config stunnel.cnf

#3 VISUALLY CONFIRM CERTIFICATE
/usr/local/ssl/bin/openssl x509 -subject -dates -fingerprint -noout -in stunnel.pem

#4 ALL CLIENTS USING WINDOWS SHOULD DOWNLOAD THIS CERTIFICATE (i.e. go to a web link and click on it).  
#  THEN CLICK OPEN AND THE CERTIFICATE MANAGER WILL RUN.  ACCEPT ALL DEFAULTS AND CLICK YES TO INSTALL.  
#  NO MORE ERRORS FROM OUTLOOK!

#5 FIX SECURITY ON PEM AND COPY TO PROPER LOCATION
chmod 400 stunnel.pem
mv /usr/src/stunnel-3.26/stunnel.pem /usr/local/ssl/certs

#6 INSTALL AN INIT SCRIPT AND SET TO START IN RUNLEVEL 3
cd /etc/rc.d/init.d
wget http://www.peregrinehw.com/downloads/stunnel/stunneld
chmod +x /etc/rc.d/init.d/stunneld

cd /etc/rc.d/rc3.d; ln -s ../init.d/stunneld S81stunneld
cd /etc/rc.d/rc0.d; ln -s ../init.d/stunneld K29stunneld

#I USED TO RESTART STUNNEL DAILY 
#cd /etc/cron.daily
#wget http://www.peregrinehw.com/downloads/stunnel/restartstunnel
#chmod +x /etc/cron.daily/restartstunnel


NOTE: Using an older version of Linux and can't get the stunnel daemon to work in the background?  Try using version 4 built with ./configure --with-threads=fork!


STUNNEL v4.X
cd /files
wget http://www.peregrinehw.com/downloads/stunnel/stunnel-4.26.tar.gz

cd /usr/src
tar zxvf /files/stunnel-4.26.tar.gz
cd stunnel-4.26
./configure --with-ssl=/usr/local/ssl
make
make install

#1. EITHER USE THE CERT CREATED ABOVE OR EDIT THE STUNNEL.CNF FILE PROVIDED AND CREATE YOUR OWN
cd tools
vi stunnel.cnf

#1a. MAKE YOUR OWN STUNNEL CERTIFICATE SO THAT Outlook Express v5.5 SP2 and higher won't give errors.
/usr/local/ssl/bin/openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem -config stunnel.cnf

#1b. VISUALLY CONFIRM CERTIFICATE
/usr/local/ssl/bin/openssl x509 -subject -dates -fingerprint -noout -in stunnel.pem

#1c. ALL CLIENTS USING WINDOWS SHOULD DOWNLOAD THIS CERTIFICATE (i.e. go to a web link and click on it).
#  THEN CLICK OPEN AND THE CERTIFICATE MANAGER WILL RUN.  ACCEPT ALL DEFAULTS AND CLICK YES TO INSTALL.
#  NO MORE ERRORS FROM OUTLOOK!  OR SIGN WITH SELF-SIGNED CA.

#1d. FIX SECURITY ON PEM AND COPY TO PROPER LOCATION - NOTE: you can also place the cert in /usr/local/etc/stunnel
chmod 400 stunnel.pem
mv stunnel.pem /usr/local/ssl/certs

#2 INSTALL AN INIT SCRIPT AND SET TO START IN RUNLEVEL 3
cp stunnel.init /etc/rc.d/init.d/stunneld
chmod +x /etc/rc.d/init.d/stunneld

cd /etc/rc.d/rc3.d; ln -s ../init.d/stunneld S81stunneld
cd /etc/rc.d/rc0.d; ln -s ../init.d/stunneld K29stunneld

#3 CONFIGURE STUNNEL
mv /usr/local/etc/stunnel/stunnel.conf-sample /usr/local/etc/stunnel/stunnel.conf
vi /usr/local/etc/stunnel/stunnel.conf

#4 STUNNEL.CONF CHANGES:

# Change pid = /var/run/stunnel.pid and change stunneld init script to match
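As an added example (not the page's own file and not the stunnel project's sample), here is a minimal stunnel 4 stunnel.conf that carries out the plan above: SSL-wrap POP3 and IMAP only, and leave SMTP to sendmail's STARTTLS. Paths follow the page; the [pop3s] and [imaps] service names and the reading of Step 3 as `transparent = yes` are assumptions to check against the manual for your stunnel version.

```ini
; Added example stunnel.conf for stunnel 4.x (not the page's or the project's file).
; Comments are on their own lines; stunnel does not read trailing comments.

; Certificate + key made in step 1a and moved in step 1d
cert = /usr/local/ssl/certs/stunnel.pem

; Must match the pid file the stunneld init script looks for (step 4)
pid = /var/run/stunnel.pid

; Transparent proxy mode (Step 3, assumed 4.x spelling of the v3 -T flag):
; the POP/IMAP daemon sees the real client address instead of 127.0.0.1,
; which is what POP-before-SMTP (Step 1) must record to let the right host
; relay.  Transparent mode needs Linux kernel support and stunnel staying
; root, so there is no setuid/setgid here.  If you do not need the real
; client address, drop this line and add setuid/setgid to drop privileges.
transparent = yes

; Clients connect with SSL to 995; stunnel hands clear text to local POP3 on 110
[pop3s]
accept = 995
connect = 110

; Clients connect with SSL to 993; stunnel hands clear text to local IMAP on 143
[imaps]
accept = 993
connect = 143

; Deliberately no SMTP section (no 465 / [ssmtp]): SMTP is NOT tunnelled with
; stunnel.  Sendmail offers STARTTLS on port 25 itself (Step 2).
```

Restart stunneld after editing and confirm from a client that 993 and 995 answer with SSL while 110 and 143 stay reachable only as the daemon expects.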
