Hi Steve,
As Larry mentioned, we have been using stunnel for several years here in
University Relations to secure telnet connections that for various
reasons can't use ssh.
In answer to your question, it works just fine on Windows XP (SP1 and
SP2). I do not see any reason it would cause problems in the UCB
environment. I do not use it on a machine that participates in Active
Directory, but we provide stunnel to many users who do, and I am not
aware of any problems with that. We don't use it for smtp, but I gave it
a quick test on a WinXP SP2 box to port 465 (smtps) on calmail and it
allowed me to send mail.
You didn't ask about configuration, so perhaps you are already familiar
with this, but if it is useful, here are the relevant lines from the
stunnel.conf file I used for this smtp test:
[stunnel_calmail_smtp]
accept = 127.0.0.1:25
connect = calmail.berkeley.edu:465
Line 1: The name of the connection. This is arbitrary.
Line 2 (accept): The host and port stunnel will listen on, which is the
host and port your application will connect to. Specifying the loopback
address here prevents remote machines from using the tunnel. This is not
very clear in the man pages, which indicate it is optional. (You'll also
want to block incoming connections to this port in your machine's firewall.)
Line 3 (connect): The remote host and port. Stunnel will set up a secure
SSL channel to this host and port and then forward the traffic received
on the "accept" port across this channel.
To send mail through this, I tell my email client to use 127.0.0.1 (or
localhost) as the SMTP server on port 25. In your case, you need to
reconfigure your application to look to 127.0.0.1 for SMTP services. If
you can tell your app to use a specific port, you can use any unused
port and change line 2 of stunnel.conf to reference that number. When
your application connects to port 25 (or an alternate port) on
localhost, the packets get forwarded across the SSL secured connection
to port 465 on calmail. The calmail folks could tell you if that's the
best port number.
Also, just a comment: I believe calmail is going to be requiring
authentication in addition to encryption for SMTP services. The way you
would be using it here, stunnel gives you only encryption of the
connection and not authentication. Your app will still need to provide a
valid calmail user name and password.
Probably more info than you needed, but hope something in there helps.
Josh Marcus
University Relations, Information Systems
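The "accept" point Josh makes above (a loopback host keeps remote machines off the tunnel) is easy to audit mechanically. The following is an added example, not code from the thread or from the stunnel project: a small parser for stunnel's INI-style service sections and a check that flags any service whose accept line has no host (stunnel then listens on all interfaces) or a non-loopback host. The sample config is constructed here; only the calmail service lines come from Josh's message.

```python
"""Audit an stunnel.conf for tunnels reachable from other machines.

Added example (not from the original email). Flags 'accept' lines that
are not bound to a loopback address. Sample config is constructed.
"""
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_stunnel_conf(text):
    """Return {service_name: {option: value}}; global options (before the
    first [section]) are stored under the key ""."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # ';' lines are comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[current][key] = val
    return sections


def accept_host(value):
    """'accept = [host:]port' -> the host part, or None when only a port
    is given (stunnel then listens on every local interface)."""
    host, sep, _port = value.rpartition(":")
    return host.strip("[]") if sep else None      # strip IPv6 brackets


def audit(text):
    """Return (service, finding) tuples for services exposed off-host."""
    findings = []
    for name, opts in parse_stunnel_conf(text).items():
        if not name or "accept" not in opts:
            continue                              # skip globals / no listener
        host = accept_host(opts["accept"])
        if host is None:
            findings.append((name, "accept has no host: listens on all interfaces"))
        elif host not in LOOPBACK:
            findings.append((name, f"accept bound to non-loopback address {host}"))
    return findings


# Constructed sample: Josh's service plus a risky variant with no host.
SAMPLE = """\
client = yes
[stunnel_calmail_smtp]
accept = 127.0.0.1:25
connect = calmail.berkeley.edu:465
[smtp_open]
; no host on the accept line: reachable from the network
accept = 25
connect = calmail.berkeley.edu:465
"""

if __name__ == "__main__":
    for svc, msg in audit(SAMPLE):
        print(f"{svc}: {msg}")
```

Running it reports only the `smtp_open` service; the calmail service from the thread passes because it is bound to 127.0.0.1.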
Steven Longenbohn wrote:
> We just learned of a tool that seems to come from RedHat, called
> STUNNEL-3.22.EXE
> The description for this tool is:
>
> Stunnel is a socket wrapper which can provide SSL (Secure Sockets
> Layer) support to ordinary applications. For example, it can be used
> in conjunction with imapd to create an SSL secure IMAP server.
>
> Has anyone run this in the Berkeley campus environment?
> Are there any inherent problems running this on a Windows XP workstation?
>
> We have an application using CalMail for SMTP that will need to be
> re-written (but it won't happen before March 1, 2005).
> It is a production process that must continue after SSL is required by
> CalMail.
>
> What I don't know is whether or not these DLLs and EXE cause other
> problems in an environment like we have at Berkeley (e.g. active
> directory, SSL encryption of Calmail traffic, Minimum Standards for
> Network Security, Windows XP, etc).
>
> If anyone has seen this product, used it, or knows about how it would
> interact with our campus processes, please give me some feedback.
> We're trying to make sure we don't introduce problems into our environment.
>
>
> Thanks!
>
> ********************************************************************************************
> * Steve "DrSteve" Longenbohn IS&T: Administrative Systems Dept
> *
> * CalNet Deputy System Administrator
> * CalAgenda Admin Departmental Security Overseer
> * PC Doctor
> *
> * Office: 510-643-9777 Cell: 510-812-0256
> * 2111 Bancroft Way, Room 409D (Banway Bldg)
> ********************************************************************************************
>
Received on Mon Feb 28 12:49:26 2005
This archive was generated by hypermail 2.1.8 : Mon Feb 28 2005 - 12:49:35 PST