annotate docs/openssl-stunnel.txt @ 279:3a53d073f593
added a small note
author | meillo@marmaro.de |
date | Thu, 15 Jan 2009 16:57:21 +0100 |
parents | 7596cdcfbc1e |
children |
meillo@179 | 1 |
meillo@179 | 2 cd /usr/share/ssl/misc   (directory holding the CA.pl helper script; the path varies between distributions) |
meillo@179 | 3 |
meillo@179 | 4 create a new CA (this also creates the CA private key under demoCA/private/; keep it passphrase-protected -- only the server key below gets its passphrase removed): |
meillo@179 | 5 \begin{verbatim} |
meillo@179 | 6 CA.pl -newca |
meillo@179 | 7 country: DE |
meillo@179 | 8 state: schwaben |
meillo@179 | 9 city: Ulm |
meillo@179 | 10 company: |
meillo@179 | 11 section: |
meillo@179 | 12 name: |
meillo@179 | 13 emailaddress: |
meillo@179 | 14 \end{verbatim} |
meillo@179 | 15 |
meillo@179 | 16 generate the server key and certificate request (both end up in newreq.pem): |
meillo@179 | 17 \begin{verbatim} |
meillo@179 | 18 CA.pl -newreq |
meillo@179 | 19 ... the same questions; the "name" answer becomes the certificate's Common Name and should be the host name clients connect to, otherwise they will not match the certificate |
meillo@179 | 20 \end{verbatim} |
meillo@179 | 21 |
meillo@179 | 22 sign request with CA: |
meillo@179 | 23 \begin{verbatim} |
meillo@179 | 24 CA.pl -sign |
meillo@179 | 25 \end{verbatim} |
meillo@179 | 26 |
meillo@179 | 27 remove the passphrase from the server private key: |
meillo@179 | 28 \begin{verbatim} |
meillo@179 | 29 openssl rsa <newreq.pem >key.pem |
meillo@179 | 30 (so that daemons can load it at start-up without a passphrase prompt; the unencrypted key.pem is then protected only by file permissions, see below) |
meillo@179 | 31 \end{verbatim} |
meillo@179 | 32 |
meillo@179 | 33 secure the key files (readable by root only): |
meillo@179 | 34 \begin{verbatim} |
meillo@179 | 35 chmod 400 *.pem |
meillo@179 | 36 cp newcert.pem /etc/postfix/cert.pem |
meillo@179 | 37 cp key.pem /etc/postfix/key.pem |
meillo@179 | 38 cp demoCA/cacert.pem /etc/postfix/CAcert.pem |
meillo@179 | 39 chmod 400 /etc/postfix/*.pem   (the copies above are created with the default umask, so the mode must be re-applied) |
meillo@179 | 40 |
meillo@179 | 41 mkdir /etc/stunnel |
meillo@179 | 42 cat newcert.pem key.pem >/etc/stunnel/stunnel.pem |
meillo@179 | 43 chmod 400 /etc/stunnel/stunnel.pem |
meillo@179 | 44 (check the compiled-in defaults, e.g. the expected certificate path, with `stunnel -V') |
meillo@179 | 45 \end{verbatim} |
meillo@179 | 46 |
meillo@179 | 47 |
meillo@179 | 48 set up stunnels for POP3 and IMAP (the plaintext pop3/imap services must stay bound to localhost or be firewalled, otherwise the tunnel adds nothing): |
meillo@179 | 49 \begin{verbatim} |
meillo@179 | 50 nmap localhost |
meillo@179 | 51 stunnel -d pop3s -r localhost:pop3 -p /etc/stunnel/stunnel.pem |
meillo@179 | 52 stunnel -d imaps -r localhost:imap -p /etc/stunnel/stunnel.pem |
meillo@179 | 53 nmap localhost   (pop3s and imaps should now be listed; scan from another host to confirm the plaintext ports are not reachable from outside) |
meillo@179 | 54 pop3s 995 |
meillo@179 | 55 imaps 993 |
meillo@179 | 56 \end{verbatim} |
meillo@179 | 57 |
meillo@179 | 58 do not use stunnel with SMTP: |
meillo@179 | 59 Postfix would see every connection as coming from 127.0.0.1, so client-address based checks (mynetworks, access maps) stop working -- and since 127.0.0.1 is in mynetworks by default, the tunneled port would become an open relay !! |
meillo@179 | 60 use STARTTLS instead |
meillo@179 | 61 |
meillo@179 | 62 postfix: main.cf |
meillo@179 | 63 \begin{verbatim} |
meillo@179 | 64 smtpd_use_tls = yes (announces STARTTLS; this is opportunistic, plaintext sessions are still accepted) |
meillo@179 | 65 smtpd_tls_received_header = no (do not record TLS details in Received: headers) |
meillo@179 | 66 |
meillo@179 | 67 smtpd_tls_key_file = /etc/postfix/key.pem |
meillo@179 | 68 smtpd_tls_cert_file = /etc/postfix/cert.pem |
meillo@179 | 69 smtpd_tls_CA_file = /etc/postfix/CAcert.pem |
meillo@179 | 70 |
meillo@179 | 71 smtp_use_tls = yes (opportunistic TLS for outgoing mail: falls back to plaintext when the peer does not offer STARTTLS, and the peer certificate is not verified in this mode) |
meillo@179 | 72 smtp_tls_key_file = /etc/postfix/key.pem |
meillo@179 | 73 smtp_tls_cert_file = /etc/postfix/cert.pem |
meillo@179 | 74 smtp_tls_CA_file = /etc/postfix/CAcert.pem |
meillo@179 | 75 \end{verbatim} |
meillo@279 | 76 |
meillo@279 | 77 |
meillo@279 | 78 |
meillo@279 | 79 |
meillo@279 | 80 |
meillo@279 | 81 stunnel, inetd-style (runs the given program per connection instead of forwarding to a port; stunnel 3.x syntax): |
meillo@279 | 82 $ stunnel -f -p stunnel.pem -l /path/to/smtpd   (-f: stay in the foreground; -l: exec the program; -p here is a relative path resolved against the current directory -- use /etc/stunnel/stunnel.pem from above) |