
Re: [cobalt-security] stunnel and outlook



	Using stunnel you have to use the -T option:

    -T  transparent proxy mode

           Re-write address to appear as if wrapped daemon is
           connecting from the SSL client machine instead of the
           machine running stunnel. Available only on some
           operating systems (Linux only, we believe) and then
           only in server mode. Note that this option will not
           combine with proxy mode (-r) unless the client's
           default route to the target machine lies through the
           host running stunnel, which cannot be localhost.

This is what I use on my raq4i :

/usr/local/sbin/stunnel -T -d simap -l /usr/sbin/imapd -p /etc/stunnel.pem
/usr/local/sbin/stunnel -T -d spop3 -l /usr/sbin/in.qpopper -p /etc/stunnel.pem


- Eric


I still have to resolve pop-before-smtp which does not work with spop3.


I think that you will have to use a pop/imap server with native
SSL to use pop before smtp.  Stunnel proxies incoming
connections to the pop/imap server so that the latter thinks
that the connection comes from localhost (or over stdin,
depending on stunnel setup).  Either way, the pop/imap
daemon has no way to tell the real client's IP address
and therefore pop-before-smtp cannot work.

Building UW imapd with SSL support on a RaQ is pretty
straightforward.  In any case easier than building sendmail
with SMTP AUTH and SSL which is the alternative ;-)

Eugene
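
The failure described above, seen from the side of a pop-before-smtp style log watcher, as an added example that is not part of the original thread. The log line layout, user names and addresses are constructed assumptions; the function builds the relay allow-list from POP logins and separates out logins whose source address is loopback, which is what the daemon records when the connection arrives through a local proxy.

```python
import ipaddress
import re

# Constructed sample syslog lines. The 'POP login by user "..." at <ip>' layout
# is an assumed format for illustration, not output captured from a real daemon.
SAMPLE_LOG = """\
Mar  3 10:01:12 raq in.qpopper[811]: POP login by user "alice" at 203.0.113.25
Mar  3 10:02:40 raq in.qpopper[829]: POP login by user "bob" at 127.0.0.1
Mar  3 10:03:05 raq in.qpopper[840]: POP login by user "carol" at 198.51.100.7
Mar  3 10:04:17 raq in.qpopper[852]: POP login by user "dave" at 127.0.0.1
"""

LOGIN_RE = re.compile(r'POP login by user "(?P<user>[^"]+)" at (?P<ip>\S+)')


def build_relay_table(log_text):
    """Return (allowed, masked).

    allowed: {client_ip: user} for logins with a usable remote address.
    masked:  users whose login was logged from loopback, i.e. the real
             client address was hidden by a local proxy and relaying
             cannot be authorised for it.
    """
    allowed, masked = {}, []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an IP literal; skip rather than guess
        if ip.is_loopback:
            # Never add loopback to the relay table: it identifies the
            # proxy host itself, not the mail client that authenticated.
            masked.append(m.group("user"))
            continue
        allowed[str(ip)] = m.group("user")
    return allowed, masked


if __name__ == "__main__":
    allowed, masked = build_relay_table(SAMPLE_LOG)
    print("relay allowed for:", allowed)
    print("logins with hidden client address:", masked)
```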
