| 1 |
******************** |
| 2 |
*** INTRODUCTION *** |
| 3 |
******************** |
| 4 |
|
| 5 |
STARTTLS is the standard (RFC 2487) way of doing SMTP encrypted with |
| 6 |
SSL/TLS. Although it does not provide end-to-end encryption of email |
| 7 |
messages, it can be useful to protect the passwords of an AUTH PLAIN |
| 8 |
login, and possibly to protect mail which will travel a very specific |
| 9 |
route known in advance. |
| 10 |
|
| 11 |
qmail-smtpd doesn't have native support for STARTTLS. Many people run |
| 12 |
qmail for it's extremely good security record, and are reluctant to |
| 13 |
have the security of their mail system depend on the many thousands of |
| 14 |
lines of code in openssl. One way to avoid this is to run a proxy |
| 15 |
which can handle the encryption and the STARTTLS command itself, and |
| 16 |
then have it hand off to the standard qmail-smtpd. Even better is if |
| 17 |
the proxy can run in an environment secured by chroot(), setuid(), and |
| 18 |
setgid(). |
| 19 |
|
| 20 |
That's the approach that this document describes, with stunnel acting |
| 21 |
as the proxy. Basic SMTP/STARTTLS proxy support is already included |
| 22 |
in stunnel, and that support has been extended to do a plaintext proxy |
| 23 |
of the SMTP session if STARTTLS isn't used. stunnel runs chrooted in |
| 24 |
its own directory, as a special user and group. This means that even |
| 25 |
a grievous security error in stunnel or openssl wouldn't allow |
| 26 |
significant access to your system, or even allow interfering with |
| 27 |
mail. |
| 28 |
|
| 29 |
|
| 30 |
******************** |
| 31 |
*** INSTRUCTIONS *** |
| 32 |
******************** |
| 33 |
|
| 34 |
WARNING: These are not for the faint-hearted. They are confusing and |
| 35 |
may not work for you. This is still experimental; if you get stuck, |
| 36 |
email me at <sgifford@suspectclass.com>. |
| 37 |
|
| 38 |
1. Download stunnel-3.22. Apply the patch "stunnel3.22-sg2.patch". |
| 39 |
Compile and install it somewhere. This patch improves the SMTP |
| 40 |
proxy support, adds options to tell it to communicate via an |
| 41 |
already opened file descriptor, adds chroot() support, and improves |
| 42 |
setuid/setgid support; see: |
| 43 |
|
| 44 |
http://www.suspectclass.com/~sgifford/qmail-smtp-tls-proxy/stunnel3.22-sg2.README |
| 45 |
|
| 46 |
for a full description of the patch. |
| 47 |
|
| 48 |
2. Compile and install "makesock.c". |
| 49 |
|
| 50 |
3. Create your service directory for smtp-tls |
| 51 |
|
| 52 |
4. Set up a log directory for smtp-tls. |
| 53 |
|
| 54 |
5. Create a user called "stunnel" with a primary group of "stunnel". |
| 55 |
|
| 56 |
6. Create a directory in your service directory called "ssl". |
| 57 |
|
| 58 |
6a. Copy in your certificate as "stunnel.pem" |
| 59 |
|
| 60 |
6b. Copy in your SSL configuration as openssl.cnf |
| 61 |
|
| 62 |
6c. Create a seed file with "dd if=/dev/random of=seed count=10k" |
| 63 |
or something. |
| 64 |
|
| 65 |
6d/1. Some copies of OpenSSL will require you to create a fake |
| 66 |
'usr/share/ssl' directory, to placate openssl in chroot. |
| 67 |
Something like: |
| 68 |
|
| 69 |
mkdir -p usr/share/ssl |
| 70 |
|
| 71 |
. If your ssl expects to find its configuration elsewhere, |
| 72 |
make that directory instead. |
| 73 |
|
| 74 |
6d/2. If your copy of OpenSSL requires it, make a symlink to |
| 75 |
openssl.cnf from the fake config dir. Something like: |
| 76 |
|
| 77 |
ln -s ../../../openssl.cnf usr/share/ssl/ |
| 78 |
|
| 79 |
should do the trick, if your openssl expects its config file in |
| 80 |
/usr/share/ssl normally. |
| 81 |
|
| 82 |
6e. Set group-ownership of the ssl directory to "stunnel" (leaving |
| 83 |
user-ownership at "root") and permissions to "owner read-write, |
| 84 |
group read, other none" on everything in the ssl directory: |
| 85 |
|
| 86 |
chgrp -R stunnel ssl |
| 87 |
chmod -R u=rwX,g=rX,o= ssl |
| 88 |
|
| 89 |
7. Install the run file "smtp-tls-run" as "run" in your service |
| 90 |
directory. Make sure it's executable. If you've installed the |
| 91 |
modified stunnel somewhere other than /usr/local/bin, add that to |
| 92 |
the PATH near the top. |
| 93 |
|
| 94 |
8. Run the "run" file in the service directory, and find and fix any |
| 95 |
errors. |
| 96 |
|
| 97 |
9. Active the service, perhaps by symlinking it into /service. |
| 98 |
|
| 99 |
|
| 100 |
|
| 101 |
******************* |
| 102 |
*** EXPLANATION *** |
| 103 |
******************* |
| 104 |
|
| 105 |
Here's what the run script does. It expects everything it runs to be |
| 106 |
in your PATH. |
| 107 |
|
| 108 |
First, it gathers up some information from control files and from the |
| 109 |
system user and group database, and gets some hardcoded configuration |
| 110 |
information. |
| 111 |
|
| 112 |
softlimit limits the memory usage for each process to 5 MB. |
| 113 |
|
| 114 |
tcpserver listens on the SMTP port. We continue running as root from |
| 115 |
here (so we can do chroot() and set[ug]id() later), and when we get a |
| 116 |
connection we run... |
| 117 |
|
| 118 |
...makesock. This is a small C program that creates a socket with |
| 119 |
socketpair(), and provides one end of that socket on file descriptor 3 |
| 120 |
to the first program it's asked to run, and the other end on standard |
| 121 |
input and output to the second program it's asked to run. The first |
| 122 |
and second programs are separated by the command line option |
| 123 |
"-makesock_connect_to". |
| 124 |
|
| 125 |
The first program, the STARTTLS proxy, is stunnel. Debugging is |
| 126 |
turned on, since this is still experimental. "-/ ssl" (an option |
| 127 |
added by my patch) asks it to chroot to the "ssl" directory. "-s |
| 128 |
$SSLUID" asks it to change to the stunnel user. "-g $SSLGID" asks it |
| 129 |
to change to the stunnel group. "-i" (an option added by my patch) |
| 130 |
asks it to switch users immediately, instead of after binding to the |
| 131 |
local port for listening (which we don't ask stunnel to do, since |
| 132 |
tcpserver has done it for us). "-R seed" tells it to get the seed for |
| 133 |
the random number generator from the file "seed". "-p stunnel.pem" |
| 134 |
tells it to use the certificate in "stunnel.pem". "-n" smtp-" tells |
| 135 |
it to act as an SMTP proxy, and to act as a plaintext proxy if TLS |
| 136 |
isn't negotiated. "-f" asks it to stay in the foreground and write |
| 137 |
its errors to stderr, perfect for running under supervise! "-F 3" (an |
| 138 |
option added by my patch) asks it to connect to file descriptor 3 (set |
| 139 |
up by makesock) as the plaintext end of the proxy. |
| 140 |
|
| 141 |
The second program is the SMTP server. We first have to change to a |
| 142 |
safer UID than root; in most installations, tcpserver would to this |
| 143 |
for us, but we couldn't do that here (because we needed the ability to |
| 144 |
chroot() and setuid()/setgid() to a different user/group in stunnel), |
| 145 |
so "setuidgid" changes to the "qmaild" user and their primary group. |
| 146 |
stunnel doesn't seem to be very good about passing along CR/LF's |
| 147 |
properly, and rather than fixing that right now, I just threw in |
| 148 |
"fixcrio" to take care of it. Finally, the real qmail-smtpd is run. |
| 149 |
|
| 150 |
************* |
| 151 |
*** NOTES *** |
| 152 |
************* |
| 153 |
|
| 154 |
It is tempting to run this proxy as a simple TCP proxy, but that makes |
| 155 |
authorizing relays by IP address hard. |
| 156 |
|
| 157 |
|
| 158 |
************ |
| 159 |
*** BUGS *** |
| 160 |
************ |
| 161 |
|
| 162 |
* RFC 2487 requires that we restart the SMTP session completely after |
| 163 |
STARTTLS, in particular throwing away the EHLO information we have. |
| 164 |
We don't do that, because: this architecture makes it hard, qmail |
| 165 |
doesn't mind if it gets multiple ehlo commands, and qmail doesn't |
| 166 |
really do much with the ehlo argument anyways. |
| 167 |
|
| 168 |
* STARTTLS is only supported if the first command we get is an EHLO, |
| 169 |
and the second is STARTTLS. |
| 170 |
|
| 171 |
* makesock.c is a single-purpose ugly hack. It should take more |
| 172 |
command-line options, to make it a flexible tool. |
| 173 |
|
| 174 |
* There's no way for the SMTP server to know whether TLS was |
| 175 |
negotiated. This could be useful to, for example, only offer AUTH |
| 176 |
PLAIN authentication after STARTTLS. |
Parent Directory
| 
Revision Log
| 
Revision Graph
