
How can I configure stunnel to accept SSL connections, and connect them to an SSL port on a different server?

Here is my setup:

Our ISP's server, "Mail Server", supports smtp/imap over SSL. (Not starttls. Just over ssl.)

But, I have a bunch of client machines that will only trust a specific, internal, root certificate. Thus, they can not connect to "Mail Server".

For these client machines, I'd like to make a dedicated "Mail Tunnel" host that uses stunnel to listen with an in-house signed SSL certificate, and just forward data to "Mail Server" using a 2nd SSL connection.

Can this be done?

What would be the specific steps for Ubuntu Server 10.10? (I'm not too familiar with persistent service configuration.)

Thank you

nonot1

1 Answer

I am not familiar with the specifics of 10.10, but I am going to assume that it is pretty close to Debian.

One thing you could do is basically set up two separate stunnel configurations. One that accepts SSL and forwards it to a local port, and another that listens on that local port and then makes SSL connections to the external host. These two can be bound to the loopback interface only so unencrypted data will not cross the network. Just keep in mind that you are basically performing a MITM attack against yourself. I used a setup like this while I was helping diagnose some issues with a web service a guy was developing.

The packaged version of stunnel in Debian/Ubuntu should make this easy. The startup scripts will basically start an instance of stunnel for every configuration file (*.conf) found in /etc/stunnel4. So you can put the two separate configurations in /etc/stunnel4, generate your keys, restart stunnel and it should work.

So here is the first config that accepts the SSL

; /etc/stunnel/ssl_in.conf
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/srv1.keys

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4

; PID is created inside chroot jail
pid = /srv1.pid

debug = 4
output = /var/log/stunnel4/ssl_in.log

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[ssl_in_imap]
accept  = 993
connect = localhost:10993

[ssl_in_smtp]
accept  = 587
connect = localhost:10587

Your second instance that creates outgoing connections.

; /etc/stunnel/ssl_out.conf
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4

; PID is created inside chroot jail
pid = /clt1.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

client = yes
; CA file is read before the chroot, so give an absolute path
CAfile = /etc/stunnel/clt1.ca
; verify = 0 requests the remote certificate but does not check it;
; use verify = 2 (with the CAfile above) to require a chain to a trusted CA
verify = 0

; Bind the plaintext side to loopback only, so the decrypted hop
; between the two instances never leaves the host
[ssl_out_imap]
accept  = 127.0.0.1:10993
connect = remote_server:993

[ssl_out_smtp]
accept  = 127.0.0.1:10587
; use the port the ISP's SSL SMTP service actually listens on (465 is the conventional SMTPS port)
connect = remote_server:587

To generate the filename.keys for the server.

# Create a new key and prepare a CSR
openssl req -new -keyout filename.pem -out filename.csr
# Remove the passphrase from the key
openssl rsa -in filename.pem -out filename.key
# Self sign
openssl x509 -in filename.csr -out filename.cert -req -signkey filename.key -days 720
# combine files to get the keys file stunnel needs.
cat filename.key filename.cert > filename.keys
# stunnel reads the file as root before setuid, so keep it readable by root only
chmod 600 filename.keys

Your file will look like this.

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDkwzyKrPRXGyvEgITm/7oC9fDU4Y7L9mtMXmcIR98cp0g1ndcz
...
qhP3y97k67EVdSC+92pIGrAL7kBWckpJ2HP1El4KeZg=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICHzCCAYgCCQDq/33qh7Dq5TANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJV
...
ebbhvhYLx1KkhD8/dXEbU0+kNg==
-----END CERTIFICATE-----

Zoredache
  • Thank you. I will try this later today and report back. – nonot1 Mar 16 '11 at 13:31
  • @Zoredache Seems to work, but I'm stuck at configuring a self-signed cert for testing. 1) How do I make a "pem" file that it expects? Ubuntu docs just indicate how to make .key/.cert. 2) What permissions and such do I need to place on the key files? – nonot1 Mar 17 '11 at 05:05
  • @Zoredache: There probably is no need for multiple instances. You can have client and server sections in the same file. – user1686 Mar 17 '11 at 06:52
  • @nonot1: 1) The PEM format is technically just a base64-encoded DER (.crt/.cer), and Stunnel will accept either. You can use `openssl x509 -inform der -outform pem` to convert. 2) Use common sense. You don't want the private key to be readable by the world, do you? – user1686 Mar 17 '11 at 08:34
  • 1
    By the way, it might be better to keep the private key and the certificate in separate files; use `key=` and `cert=`. – user1686 Mar 17 '11 at 08:35
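The two-instance layout in the answer has two places where a misconfiguration silently weakens it: the client-mode hop with `verify = 0` never checks the ISP server's certificate, and an `accept` line without a bind address listens on every interface, so the decrypted hop between the instances is reachable from the network. The following linter (an added example, not code from the answer or from the stunnel project) parses stunnel's INI-style config and reports both problems; the sample configs are constructed from the answer's structure, and the `remote_server` and `clt1.ca` names are placeholders.

```python
"""Lint stunnel configuration text for the two weaknesses discussed above.
Added example; the sample configs below are constructed, not the answer's files."""
import re
from typing import Dict, List, Tuple

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}


def parse_stunnel_config(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split a stunnel config into global options and per-[service] options.
    Lines starting with ';' or '#' are comments; 'key = value' elsewhere."""
    global_opts: Dict[str, str] = {}
    services: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        section = re.match(r"\[(.+)\]$", line)
        if section:
            current = services.setdefault(section.group(1), {})
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return global_opts, services


def is_loopback(endpoint: str) -> bool:
    """True only for 'host:port' where host is a loopback name; a bare port
    (what the answer's config uses) makes stunnel bind all interfaces."""
    host, sep, _port = endpoint.rpartition(":")
    return bool(sep) and host in LOOPBACK_HOSTS


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    global_opts, services = parse_stunnel_config(text)
    findings: List[str] = []
    for name, svc in services.items():
        opts = {**global_opts, **svc}  # service-level options override globals
        accept = opts.get("accept", "")
        connect = opts.get("connect", "")
        if opts.get("client", "no").lower() == "yes":
            # Outbound (client) hop: must verify the remote peer and must take
            # its plaintext only from loopback.
            level = int(opts.get("verify", "0") or 0)
            if level < 2:
                findings.append(
                    f"{name}: client mode with verify={level}; remote certificate "
                    "is not checked (use verify = 2 and CAfile)")
            elif "CAfile" not in opts and "CApath" not in opts:
                findings.append(f"{name}: verify={level} but no CAfile/CApath to verify against")
            if not is_loopback(accept):
                findings.append(
                    f"{name}: plaintext accept '{accept}' binds all interfaces; "
                    "use 127.0.0.1:<port>")
        else:
            # Inbound (server) hop: needs a certificate, and the decrypted
            # connection must stay on the host.
            if "cert" not in opts:
                findings.append(f"{name}: server mode without a cert")
            if not is_loopback(connect):
                findings.append(f"{name}: decrypted connect '{connect}' leaves the host")
    return findings


# Constructed samples modelled on the answer's files.
SSL_IN = """
cert = /etc/stunnel/srv1.keys
[ssl_in_imap]
accept  = 993
connect = localhost:10993
"""

SSL_OUT_AS_POSTED = """
client = yes
CAfile = clt1.ca
verify = 0
[ssl_out_imap]
accept  = 10993
connect = remote_server:993
"""

SSL_OUT_HARDENED = """
client = yes
CAfile = /etc/stunnel/clt1.ca
verify = 2
[ssl_out_imap]
accept  = 127.0.0.1:10993
connect = remote_server:993
"""

if __name__ == "__main__":
    for label, cfg in [("ssl_in", SSL_IN), ("ssl_out as posted", SSL_OUT_AS_POSTED),
                       ("ssl_out hardened", SSL_OUT_HARDENED)]:
        print(label, "->", lint(cfg) or "ok")
```

`verify = 2` makes stunnel reject the outbound connection unless the ISP server's certificate chains to something in `CAfile`, which is the check the tunnel host has to perform on behalf of the clients that only trust the internal root. Newer stunnel releases also offer `checkHost` to pin the expected subject name; that option is not assumed here because the answer targets the stunnel4 package of that era.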