docs/diploma
annotate docs/openssl-stunnel.txt @ 409:ca763bd8c809
Added tag final version which I handed in for changeset ee7211546c02
| author | meillo@marmaro.de |
|---|---|
| date | Wed, 11 Feb 2009 08:55:32 +0100 |
| parents | 7596cdcfbc1e |
| children |
| rev | line source |
|---|---|
| meillo@179 | 1 |
| meillo@179 | 2 ch /usr/share/ssl/misc |
| meillo@179 | 3 |
| meillo@179 | 4 create new CA: |
| meillo@179 | 5 \begin{verbatim} |
| meillo@179 | 6 CA.pl -newca |
| meillo@179 | 7 country: DE |
| meillo@179 | 8 state: schwaben |
| meillo@179 | 9 city: Ulm |
| meillo@179 | 10 company: |
| meillo@179 | 11 section: |
| meillo@179 | 12 name: |
| meillo@179 | 13 emailaddress: |
| meillo@179 | 14 \end{verbatim} |
| meillo@179 | 15 |
| meillo@179 | 16 generate ssl key: |
| meillo@179 | 17 \begin{verbatim} |
| meillo@179 | 18 CA.pl -newreq |
| meillo@179 | 19 ... the same questions |
| meillo@179 | 20 \end{verbatim} |
| meillo@179 | 21 |
| meillo@179 | 22 sign request with CA: |
| meillo@179 | 23 \begin{verbatim} |
| meillo@179 | 24 CA.pl -sign |
| meillo@179 | 25 \end{verbatim} |
| meillo@179 | 26 |
| meillo@179 | 27 remove passphrase from private key: |
| meillo@179 | 28 \begin{verbatim} |
| meillo@179 | 29 openssl rsa <newreq.pem >key.pem |
| meillo@179 | 30 (to be used by programs automaticly) |
| meillo@179 | 31 \end{verbatim} |
| meillo@179 | 32 |
| meillo@179 | 33 secure: |
| meillo@179 | 34 \begin{verbatim} |
| meillo@179 | 35 chmod 400 *.pem |
| meillo@179 | 36 cp newcert.pem /etc/postfix/cert.pem |
| meillo@179 | 37 cp key.pem /etc/postfix/key.pem |
| meillo@179 | 38 cp demoCA/cacert.pem /etc/postfix/CAcert.pem |
| meillo@179 | 39 chmode 400 /etc/postfix/*.pem |
| meillo@179 | 40 |
| meillo@179 | 41 mkdir /etc/stunnel |
| meillo@179 | 42 cat newcert.pem key.pem >/etc/stunnel/stunnel.pem |
| meillo@179 | 43 chmod 400 /etc/stunnel/stunnel.pem |
| meillo@179 | 44 (check /etc/stunnel with `stunnel -V') |
| meillo@179 | 45 \end{verbatim} |
| meillo@179 | 46 |
| meillo@179 | 47 |
| meillo@179 | 48 set up stunnels for POP, etc: |
| meillo@179 | 49 \begin{verbatim} |
| meillo@179 | 50 nmap localhost |
| meillo@179 | 51 stunnel -d pop3s -r localhost:pop3 -p /etc/stunnel/stunnel.pem |
| meillo@179 | 52 stunnel -d imaps -r localhost:imap -p /etc/stunnel/stunnel.pem |
| meillo@179 | 53 nmap localhost |
| meillo@179 | 54 pop3s 995 |
| meillo@179 | 55 imaps 993 |
| meillo@179 | 56 \end{verbatim} |
| meillo@179 | 57 |
| meillo@179 | 58 do not use stunnel wit SMTP: |
| meillo@179 | 59 because all incoming mail would be from 127.0.0.1 !! |
| meillo@179 | 60 use STARTTLS instead |
| meillo@179 | 61 |
| meillo@179 | 62 postfix: main.cf |
| meillo@179 | 63 \begin{verbatim} |
| meillo@179 | 64 smtpd_use_tls = yes |
| meillo@179 | 65 smtpd_tls_received_header = no (does not log in received headers) |
| meillo@179 | 66 |
| meillo@179 | 67 smtpd_tls_key_file = /etc/postfix/key.pem |
| meillo@179 | 68 smtpd_tls_cert_file = /etc/postfix/cert.pem |
| meillo@179 | 69 smtpd_tls_CA_file = /etc/postfix/CAcert.pem |
| meillo@179 | 70 |
| meillo@179 | 71 smtp_use_tls = yes (use TLS for sending) |
| meillo@179 | 72 smtp_tls_key_file = /etc/postfix/key.pem |
| meillo@179 | 73 smtp_tls_cert_file = /etc/postfix/cert.pem |
| meillo@179 | 74 smtp_tls_CA_file = /etc/postfix/CAcert.pem |
| meillo@179 | 75 \end{verbatim} |
| meillo@279 | 76 |
| meillo@279 | 77 |
| meillo@279 | 78 |
| meillo@279 | 79 |
| meillo@279 | 80 |
| meillo@279 | 81 stunnel: |
| meillo@279 | 82 $ stunnel -f -p stunnel.pem -l /path/to/smtpd |