|
179
|
1
|
|
|
2 ch /usr/share/ssl/misc
|
|
|
3
|
|
|
4 create new CA:
|
|
|
5 \begin{verbatim}
|
|
|
6 CA.pl -newca
|
|
|
7 country: DE
|
|
|
8 state: schwaben
|
|
|
9 city: Ulm
|
|
|
10 company:
|
|
|
11 section:
|
|
|
12 name:
|
|
|
13 emailaddress:
|
|
|
14 \end{verbatim}
|
|
|
15
|
|
|
16 generate ssl key:
|
|
|
17 \begin{verbatim}
|
|
|
18 CA.pl -newreq
|
|
|
19 ... the same questions
|
|
|
20 \end{verbatim}
|
|
|
21
|
|
|
22 sign request with CA:
|
|
|
23 \begin{verbatim}
|
|
|
24 CA.pl -sign
|
|
|
25 \end{verbatim}
|
|
|
26
|
|
|
27 remove passphrase from private key:
|
|
|
28 \begin{verbatim}
|
|
|
29 openssl rsa <newreq.pem >key.pem
|
|
|
30 (to be used by programs automaticly)
|
|
|
31 \end{verbatim}
|
|
|
32
|
|
|
33 secure:
|
|
|
34 \begin{verbatim}
|
|
|
35 chmod 400 *.pem
|
|
|
36 cp newcert.pem /etc/postfix/cert.pem
|
|
|
37 cp key.pem /etc/postfix/key.pem
|
|
|
38 cp demoCA/cacert.pem /etc/postfix/CAcert.pem
|
|
|
39 chmode 400 /etc/postfix/*.pem
|
|
|
40
|
|
|
41 mkdir /etc/stunnel
|
|
|
42 cat newcert.pem key.pem >/etc/stunnel/stunnel.pem
|
|
|
43 chmod 400 /etc/stunnel/stunnel.pem
|
|
|
44 (check /etc/stunnel with `stunnel -V')
|
|
|
45 \end{verbatim}
|
|
|
46
|
|
|
47
|
|
|
48 set up stunnels for POP, etc:
|
|
|
49 \begin{verbatim}
|
|
|
50 nmap localhost
|
|
|
51 stunnel -d pop3s -r localhost:pop3 -p /etc/stunnel/stunnel.pem
|
|
|
52 stunnel -d imaps -r localhost:imap -p /etc/stunnel/stunnel.pem
|
|
|
53 nmap localhost
|
|
|
54 pop3s 995
|
|
|
55 imaps 993
|
|
|
56 \end{verbatim}
|
|
|
57
|
|
|
58 do not use stunnel wit SMTP:
|
|
|
59 because all incoming mail would be from 127.0.0.1 !!
|
|
|
60 use STARTTLS instead
|
|
|
61
|
|
|
62 postfix: main.cf
|
|
|
63 \begin{verbatim}
|
|
|
64 smtpd_use_tls = yes
|
|
|
65 smtpd_tls_received_header = no (does not log in received headers)
|
|
|
66
|
|
|
67 smtpd_tls_key_file = /etc/postfix/key.pem
|
|
|
68 smtpd_tls_cert_file = /etc/postfix/cert.pem
|
|
|
69 smtpd_tls_CA_file = /etc/postfix/CAcert.pem
|
|
|
70
|
|
|
71 smtp_use_tls = yes (use TLS for sending)
|
|
|
72 smtp_tls_key_file = /etc/postfix/key.pem
|
|
|
73 smtp_tls_cert_file = /etc/postfix/cert.pem
|
|
|
74 smtp_tls_CA_file = /etc/postfix/CAcert.pem
|
|
|
75 \end{verbatim}
|
|
279
|
76
|
|
|
77
|
|
|
78
|
|
|
79
|
|
|
80
|
|
|
81 stunnel:
|
|
|
82 $ stunnel -f -p stunnel.pem -l /path/to/smtpd
|
