Using VA with SSL

SSL (Secure Sockets Layer) is a set of protocols that add security to communications over a TCP/IP network. Many providers of internet services support the use of SSL to protect mail and/or news traffic, and some require it.

VA does not have native support for SSL, but can be used with an external SSL proxy to communicate securely with servers that support SSL. There are a number of SSL proxies available for Windows that can be used with VA. This FAQ discusses the use of stunnel.

Getting stunnel

Go to the "Download" page at the stunnel website and select the most recent version. At the time of writing this is "stunnel-4.24-installer.exe". Download this file to your hard drive (it doesn't matter where - I have a directory named "downloads" for keeping downloaded files).

When the download is complete, run the downloaded file to install the stunnel program on your system.

If you normally work in a limited user account you may wish to run the installer as an administrator, so that you can install the stunnel files into a subdirectory of "C:\Program Files" 1).

Note that although the description on the about page of the stunnel.org site says that stunnel itself does not contain any cryptographic code and that OpenSSL must be obtained separately, the installer does install the necessary OpenSSL libraries (libeay32.dll and libssl32.dll), so these do not have to be downloaded or installed separately.

Warning: There is a link at the bottom of the stunnel download page to some pre-built OpenSSL libraries; these libraries are very out of date and should not be used. Use the ones included in the "stunnel-4.24-installer.exe" installer.

Configuring stunnel

When stunnel is run it reads a configuration file. The default configuration file is called stunnel.conf and lives in the same directory as the stunnel.exe program (though this can be overridden on the commandline). A sample stunnel.conf file is supplied with the stunnel programs, but this is set up to secure a typical server installation, and will need to be changed for use by VA as a client application.

Any line in stunnel.conf that starts with a semicolon is a comment. Some comment lines are just descriptive text while others are configuration choices that have been disabled. You can enable choices that have been disabled by removing the semicolon and you can disable choices that are enabled by default by placing a comment at the start of the line (this is preferable to removing the line, as it makes it easy to re-enable the option by removing the semicolon).

For VA you will want to make some changes (remember that if you installed stunnel to the "C:\Program Files" directory as an administrator you will also need to be an administrator to edit this file).

Here is a sample stunnel.conf that works with VA for collecting mail from an SSL-protected POP3 mailbox and sending mail to an SSL-protected SMTP mail server. Look for comments containing "##", which I have added to indicate the changes from the default file that are needed for VA.

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Altered for use with VA mail client by Daniel James
 
; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
; ## no certificate is needed for basic client use
;cert = stunnel.pem
;key = stunnel.pem
 
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
 
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
 
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
 
; Some debugging stuff useful for troubleshooting
; ## I've turned logging on, this is optional.
debug = 7
output = stunnel.log
 
; Use it for client mode
; ## This is important
client = yes
 
; Service-level configuration
 
[pop3s]
; ## VA talks POP3 to stunnel on port 110, stunnel talks POP3S to my ISP on port 995
accept  = 110
connect = pop3.myisp.co.uk:995
 
;[imaps]
; ## VA talks IMAP4 to stunnel on port 143, stunnel talks IMAP4S to my ISP on port 993
; ## I don't use IMAP so this is commented out
;accept  = 143
;connect = imap.myisp.co.uk:993
 
[ssmtp]
; ## VA talks SMTP to stunnel on port 25, stunnel talks SSMTP to my ISP on port 465
; ## NOTE other ISPs may use port 587
accept  = 25
connect = smtp.myisp.co.uk:465
 
;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0
 
; vim:ft=dosini
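
As an added example (not part of the original FAQ, and not stunnel's own code), here is a small Python linter for a client-mode stunnel.conf like the one above: it parses the semicolon-comment INI format, confirms that client = yes is set and that every service has an accept/connect pair, flags any line that is neither a comment, a section header nor an option (such as a stray apostrophe where a semicolon was meant), and reports that a file which, like the sample above, leaves verify and CAfile commented out never checks the server's certificate. The configuration embedded in the code is constructed for the example.

```python
import re
# Constructed sample conf: stray "'" comment line (typo for ";"), no verify options.
SAMPLE_CONF = """\
socket = l:TCP_NODELAY=1
' ## This is important
client = yes
[pop3s]
accept  = 110
connect = pop3.myisp.co.uk:995
[ssmtp]
accept  = 25
connect = smtp.myisp.co.uk:465
"""

def parse_stunnel_conf(text):
    """Parse stunnel's INI-style file (';' comments, [service] sections,
    key = value, repeatable keys). Returns (globals, services, errors)."""
    globs, services, errors = {}, {}, []
    current = globs
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1), {})
            continue
        if "=" not in line:               # e.g. the "'" line: stunnel rejects it
            errors.append(f"line {lineno}: not a comment, section or option: {line!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key, []).append(value)
    return globs, services, errors

def _verifies_peer(opts):
    # stunnel checks the server certificate only with verify set and a CA source
    return "verify" in opts and bool({"CAfile", "CApath"} & set(opts))

def lint_client_conf(text):
    """Return findings for a VA-style client config; empty list means it passes."""
    globs, services, findings = parse_stunnel_conf(text)
    if globs.get("client", ["no"])[-1].lower() != "yes":
        findings.append("client = yes missing: stunnel would run as a server, not a proxy")
    for name, opts in services.items():
        for needed in ("accept", "connect"):
            if needed not in opts:
                findings.append(f"[{name}]: missing {needed}")
        if not (_verifies_peer(globs) or _verifies_peer(opts)):
            findings.append(f"[{name}]: no verify/CAfile, server certificate never checked")
    return findings
```

Run lint_client_conf on your own stunnel.conf; the verify finding goes away once verify = 2 and a CAfile (or c_rehash'd CApath) holding the ISP's CA certificate are enabled.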

Running stunnel

When you have made the changes to stunnel.conf and saved them, you can run the stunnel.exe program.

stunnel stunnel.conf

(You don't need to specify the configuration file name if you are using the default; I have included it here to show the syntax.)

You will see a new icon for stunnel in the Windows system tray. The context menu for this icon allows you to close the running copy of stunnel and also to view a log of stunnel's operation.

If you want stunnel to start automatically every time you start Windows, you can put a shortcut to stunnel.exe in the Windows "startup" folder.

Alternatively, you can run stunnel as a Windows service. This will ensure that stunnel is started automatically when Windows starts and that it will run (with the same settings) for all users. Note that when stunnel runs as a service it does not display a taskbar icon.

To install stunnel as a service run it with the -install commandline option. Note that you must be a Windows Administrator to do this.

stunnel -install stunnel.conf

This will install the service, but not start it. To start the service you can run stunnel with the -start option, or use the Windows service manager control panel applet.

stunnel -start

Configuring VA

stunnel works as a proxy. That means that stunnel makes itself look like a mail server and VA uses that server for mail collection and delivery. stunnel secures all mail communication using SSL, and forwards it to the real mail server. We have already configured stunnel to use the real server addresses, now we have to configure VA to talk to stunnel instead of the real server.

In VA, go to the "File" menu, select "Comms Setup", select your ISP from the list, and click "Open". Change both the incoming and outgoing server names to "localhost" (without the quotes). Leave the port numbers unchanged (e.g. 110 for incoming POP3, 25 for outgoing SMTP) because our stunnel.conf expects us to use these ports.

Using stunnel with VA

Just use VA as normal. stunnel will operate transparently.

Remember that stunnel must be running before you run VA, or you will get an error saying that the server refused a connection. This happens because VA tried to reach the mail server at localhost (your own computer) and nothing was listening there.

Aaisp connection started Tue, 20-May-2008 15:01:47
Connecting to POP3 server, localhost, account daniel
ERR Connect failed.WS_ERR(10061), Connection refused by remote end (mailclnt #356)
Connect completed at 15:01:48

Closing stunnel

You can close the running stunnel program at any time by right-clicking on the taskbar icon and selecting "Exit".

If stunnel is running as a service you can stop the service by running stunnel with the -stop option (or you can use the service manager).

You can remove the service with the -uninstall option (or you can use the service manager).

1) or "C:\Program Files (x86)", on Win64
 
vaosfaq/va_ssl.txt · Last modified: 21.05.2008 14:50 by daniel
 