changeset 179:7596cdcfbc1e

tutorial on how to use stunnel
author meillo@marmaro.de
date Sat, 27 Dec 2008 18:47:23 +0100 (2008-12-27)
parents b426a663d5f0
children d75bd7a72d8b
files docs/openssl-stunnel.txt
diffstat 1 files changed, 75 insertions(+), 0 deletions(-) [+]
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/docs/openssl-stunnel.txt	Sat Dec 27 18:47:23 2008 +0100
@@ -0,0 +1,75 @@
+
+ch /usr/share/ssl/misc
+
+create new CA:
+\begin{verbatim}
+	CA.pl -newca
+		country: DE
+		state: schwaben
+		city: Ulm
+		company:
+		section:
+		name:
+		emailaddress:
+\end{verbatim}
+
+generate ssl key:
+\begin{verbatim}
+	CA.pl -newreq
+		... the same questions
+\end{verbatim}
+
+sign request with CA:
+\begin{verbatim}
+	CA.pl -sign
+\end{verbatim}
+
+remove passphrase from private key:
+\begin{verbatim}
+	openssl rsa <newreq.pem >key.pem
+	(to be used by programs automaticly)
+\end{verbatim}
+
+secure:
+\begin{verbatim}
+	chmod 400 *.pem
+	cp newcert.pem /etc/postfix/cert.pem
+	cp key.pem /etc/postfix/key.pem
+	cp demoCA/cacert.pem /etc/postfix/CAcert.pem
+	chmode 400 /etc/postfix/*.pem
+
+	mkdir /etc/stunnel
+	cat newcert.pem key.pem >/etc/stunnel/stunnel.pem
+	chmod 400 /etc/stunnel/stunnel.pem
+	(check /etc/stunnel with `stunnel -V')
+\end{verbatim}
+
+
+set up stunnels for POP, etc:
+\begin{verbatim}
+	nmap localhost
+	stunnel -d pop3s -r localhost:pop3 -p /etc/stunnel/stunnel.pem
+	stunnel -d imaps -r localhost:imap -p /etc/stunnel/stunnel.pem
+	nmap localhost
+		pop3s 995
+		imaps 993
+\end{verbatim}
+
+do not use stunnel wit SMTP:
+because all incoming mail would be from 127.0.0.1 !!
+use STARTTLS instead
+
+postfix: main.cf
+\begin{verbatim}
+	smtpd_use_tls = yes
+	smtpd_tls_received_header = no (does not log in received headers)
+
+	smtpd_tls_key_file = /etc/postfix/key.pem
+	smtpd_tls_cert_file = /etc/postfix/cert.pem
+	smtpd_tls_CA_file = /etc/postfix/CAcert.pem
+
+	smtp_use_tls = yes  (use TLS for sending)
+	smtp_tls_key_file = /etc/postfix/key.pem
+	smtp_tls_cert_file = /etc/postfix/cert.pem
+	smtp_tls_CA_file = /etc/postfix/CAcert.pem
+\end{verbatim}