[stunnel-users] re: Problem with certificates using smtp/pop
David Chase
dr2chase at mac.com
Wed Jan 10 14:24:15 CET 2007
I tried sending directly to you, I must have looked like a spammer.
I am ever so slightly pleased to see that I have some company in
my frustration with this software. I'll try to help, since the
experts seem to be too busy. I've only used it twice, and it was
painful both times.
Have you gotten it to work at all?
That is, what do you see? Do you get a running stunnel process?
Do you have (with permissions)
ls -l /usr/local/etc/stunnel/mail.pem
-rw------- 1 root staff 2233 Jan 5 17:25 /usr/local/etc/stunnel/mail.pem
I created it by running this command in that directory:
sudo openssl req -new -out mail.pem -keyout mail.pem -nodes -x509 -days 365
I created a stupid certificate, because at some point it looked like it was asking me for my name (David Chase) when what they wanted was my fully qualified domain name (dr2chase.org), so that part of the certificate is wrong. The certificate creation in the makefile asked for this in a slightly more sensible way, using the abbreviation "FQDN", though you have to wonder how busy the authors of some of this security software are, that they cannot take the time to type in "Fully qualified domain name", and instead expect us to figure it out.
It can be whiny about permissions, in a non-specific way (as if the
software ran a one-way-hash on the permissions, didn't get a match,
and expected you to just guess till it worked.)
sudo chmod 600 /usr/local/etc/stunnel/mail.pem
sudo chmod 755 /usr/local/etc/stunnel/
sudo chown root /usr/local/etc/stunnel/stunnel.conf
You'll need to copy the sample stunnel.conf file into the real one:
sudo cp /usr/local/etc/stunnel/stunnel.conf-sample /usr/local/etc/stunnel/stunnel.conf
You might want to look it over, though I don't recall changing much
in mine.
You might want to turn on debug logging there; mine seemed to spew in the invoking terminal, instead of any file that I could find, but that was good enough for a start:
debug = 7
output = stunnel.log
Some part of stunnel created its chroot directory with incorrect (for MacOS, at least) permissions:
% ls -ld /usr/local/var/lib/stunnel/
948 drwxrwx--T 2 root wheel 68 Jan 5 16:55 /usr/local/var/lib/stunnel/
That's the one that didn't work, and clearly someone thought carefully about giving it the wrong permissions -- that "T" didn't get there accidentally. This caused silent failure for me.
What worked, but might not be secure, is
drwxrwxrwx 2 root wheel 68 Jan 6 00:16 /usr/local/var/lib/stunnel/
My guess is that it would be better if it were owned by nobody/nogroup, but this is clearly something that trained experts should GET RIGHT, instead of leaving it busted for novices to tinker with.
What mail reader are you using? For example, Apple Mail's "connection doctor" will treat an unofficial certificate as a connection failure; only when you actually try to receive or send mail will you get a chance to trust the certificate.
Perhaps my sarcastic remarks will cause someone to actually fix something. Who knows.
yours,
David Chase
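The permission checks the mail walks through (the key file readable only by its owner, the config not world-writable, the chroot directory enterable by the unprivileged stunnel process but not world-writable), collected into a small audit script. This is an added example, not part of the original post and not stunnel's own code. It reads the symbolic mode from ls -ld so the same script runs on macOS and Linux, where stat's flags differ; the paths used in demo() are constructed in a temporary directory, not the real /usr/local ones, so you pass your own paths to audit_stunnel.

```shell
#!/bin/sh
# Added example: audit the three stunnel files discussed in the post.
# Not stunnel's own code; paths in demo() are constructed for illustration.

# Print the 10-character symbolic mode of a path, e.g. "drwxrwx--T".
# Using ls keeps this portable between macOS and Linux; cut drops any
# trailing "+" / "@" / "." that ACLs or extended attributes append.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# True (0) if the "others" write bit is set.
is_world_writable() {
    case "$(mode_of "$1")" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# True (0) if group and others have no permissions at all, which is what
# a private key such as mail.pem should look like (-rw-------).
is_owner_only() {
    case "$(mode_of "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# True (0) if "others" have search (execute) permission on a directory,
# which an unprivileged process needs to enter its chroot. ls shows the
# sticky bit as "t" when exec is set and as "T" when it is not; the
# "drwxrwx--T" mode from the post therefore fails this check.
others_can_search() {
    case "$(mode_of "$1")" in
        ?????????x|?????????t) return 0 ;;
        *)                     return 1 ;;
    esac
}

# Audit key file, config file and chroot directory. Prints one line per
# finding and returns the number of findings (0 means everything passed).
audit_stunnel() {
    key="$1"; conf="$2"; chroot_dir="$3"
    findings=0
    if ! is_owner_only "$key"; then
        echo "private key $key is readable by group/others: $(mode_of "$key")"
        findings=$((findings + 1))
    fi
    if is_world_writable "$conf"; then
        echo "config $conf is world-writable: $(mode_of "$conf")"
        findings=$((findings + 1))
    fi
    if is_world_writable "$chroot_dir"; then
        echo "chroot dir $chroot_dir is world-writable: $(mode_of "$chroot_dir")"
        findings=$((findings + 1))
    fi
    if ! others_can_search "$chroot_dir"; then
        echo "chroot dir $chroot_dir cannot be entered by others: $(mode_of "$chroot_dir")"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on a constructed tree in a temp directory (no root needed): a
# world-readable key and a chroot dir with the post's drwxrwx--T mode.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/var"
    : > "$tmp/etc/mail.pem";     chmod 644 "$tmp/etc/mail.pem"
    : > "$tmp/etc/stunnel.conf"; chmod 644 "$tmp/etc/stunnel.conf"
    chmod 1770 "$tmp/var"
    n=0
    audit_stunnel "$tmp/etc/mail.pem" "$tmp/etc/stunnel.conf" "$tmp/var" || n=$?
    echo "findings: $n"
    rm -rf "$tmp"
}

demo
```

The return value of audit_stunnel is the finding count, so it slots into a cron job or a post-install check with a plain test on the exit status; a count of zero is the state the post is trying to reach by hand.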