I would like to run the stunnel4 daemon in order to provide a pop3s service by using a pop server (solid-pop3d). The following configuration file doesn't work (the pop3 server doesn't start, I think) and I would like to ask for any hints.
--stunnel.conf>>>
cert = /etc/stunnel/stunnel4.pem
sslVersion = SSLv3
[pop3s] accept = 995 exec = /usr/sbin/solid-pop3d execargs = solid-pop3d
<<<stunnel.conf--
I would expect stunnel4 to start up solid-pop3d every time someone connects to port 995 and communicate to solid-pop3d, just like inetd would do, if configured to serve solid-pop3d.
By the way, I have opened the service "pop3s" in /etc/hosts.allow.
Thanks in advance for any help.
2011/5/19 Jörg-Volker Peetz jvpeetz@web.de
I would expect stunnel4 to start up solid-pop3d every time someone connects
to port 995 and communicate to solid-pop3d, just like inetd would do, if configured to serve solid-pop3d.
This may sound obvious, but does the log file say anything?
~Yousef
The relevant entries in the log file seem to me:
2011.05.19 14:02:39 LOG6[12493:140165894280960]: SSL accepted: new session negotiated 2011.05.19 14:02:39 LOG6[12493:140165894280960]: Negotiated ciphers: DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 2011.05.19 14:02:39 LOG7[12493:140165894280960]: socket#1: FD=1 allocated (non-blocking mode) 2011.05.19 14:02:39 LOG7[12493:140165894280960]: socket#2: FD=2 allocated (non-blocking mode) 2011.05.19 14:02:39 LOG3[12493:140165894280960]: connect: Operation now in progress (115) 2011.05.19 14:02:39 LOG5[12493:140165894280960]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2011.05.19 14:02:39 LOG7[12493:140165894280960]: Service pop3s finished (0 left)
So, nothing relevant?
On Thu, May 19, 2011 at 12:59:41 +0200, Jörg-Volker Peetz wrote:
I would like to run the stunnel4 daemon in order to provide a pop3s service by using a pop server (solid-pop3d). The following configuration file doesn't work (the pop3 server doesn't start, I think) and I would like to ask for any hints.
--stunnel.conf>>>
cert = /etc/stunnel/stunnel4.pem
sslVersion = SSLv3
[pop3s] accept = 995 exec = /usr/sbin/solid-pop3d execargs = solid-pop3d
<<<stunnel.conf--
I would expect stunnel4 to start up solid-pop3d every time someone connects to port 995 and communicate to solid-pop3d, just like inetd would do, if configured to serve solid-pop3d.
By the way, I have opened the service "pop3s" in /etc/hosts.allow.
Thanks in advance for any help. [...]
Does /etc/hosts.allow contain an entry for solid-pop3d permitting connections from localhost?
Cheers, rlr
Ross Richardson wrote, on 05/20/11 01:02:
<snip>
Does /etc/hosts.allow contain an entry for solid-pop3d permitting connections from localhost?
Cheers, rlr
I've put "pop3s", the name of the service in the stunnel config file, into /etc/hosts.allow. "solid-pop3d" itself is not linked against libwrap. By the way, if I let "solid-pop3d" run as a daemon itself and use
connect = 100
instead of
exec = /usr/sbin/solid-pop3d execargs = solid-pop3d
in the config file the "pop3s" service works. But, as I said, "solid-pop3d" itself is not linked against libwrap and , therefor, accepts connections to port 110 from every host. To avoid this without running inetd with tcpd, I wanted stunnel to do the job of starting the pop3-server. From what I understood from the documentation, it should be possible.
On 05/20/2011 09:42 AM, Jörg-Volker Peetz wrote:
By the way, if I let "solid-pop3d" run as a daemon itself and use connect = 100 instead of exec = /usr/sbin/solid-pop3d execargs = solid-pop3d in the config file the "pop3s" service works. But, as I said, "solid-pop3d" itself is not linked against libwrap and , therefor, accepts connections to port 110 from every host.
(FWIW, in case you can't get things running the way you want, *this* problem should be rather trivial to solve; even if you cannot configure solid-pop3d to listen on 127.0.0.1:110 instead of 0.0.0.0:110, the host firewall ("iptables" in current Linux) can make short work of external connection attempts.)
Kind regards, J. Bern
Jochen Bern wrote, on 05/20/11 09:58: <snip>
(FWIW, in case you can't get things running the way you want, *this* problem should be rather trivial to solve; even if you cannot configure solid-pop3d to listen on 127.0.0.1:110 instead of 0.0.0.0:110, the host firewall ("iptables" in current Linux) can make short work of external connection attempts.)
Kind regards, J. Bern
Yes indeed, that's also a resort. But I would like the minimalist solution ;-) Which is, stunnel provides ssl security plus (small) firewall for pop3.
Also, I have the impression from the documentation that stunnel advertises to be able to provide this functionality. Maybe I've hit a bug in stunnel? Debian has a similar bug report #626856. I could provide further information on the problem I encounter, if required.
On Fri, May 20, 2011 at 11:14:22 +0200, Jörg-Volker Peetz wrote:
[...] Also, I have the impression from the documentation that stunnel advertises to be able to provide this functionality. Maybe I've hit a bug in stunnel? [...]
I seem to recall having tried it (successfully) in the past.
Just another obvious suggestion: if using chroot, /usr/sbin/solid-pop3d is within the chroot hierarchy, isn't it?
rlr
Yes, I also read in the Debian bug report #626856 that a bug was introduced with a recent version ov stunnel4. I haven't used chroot in my configuration, and I also read in the documentation that the service to be executed has to be located relative to the chroot directory.
-
Jochen Bern -
Jörg-Volker Peetz -
Ross Richardson -
Yousef Alhashemi