The SSL (Secure Sockets Layer) protocol, designed and developed by Netscape, is used primarily to authenticate users and servers, to encrypt transmitted data so that it cannot be read in transit, and to ensure that data is not altered in transit (data integrity). It is now a global standard in this field.
Stunnel is a tool that encrypts TCP connections. It runs on UNIX, Linux and Windows and works in client/server mode: the client end encrypts the network data with SSL and transfers it securely to the specified server end, which decrypts it and then forwards it to the server being accessed.
Stunnel is a good solution to the problem that SSL cannot be retrofitted onto existing legacy applications. Before Stunnel appeared, the only way to secure data transfer was to add SSL code to the application itself. Stunnel is based on OpenSSL, so OpenSSL must be installed and properly configured first. Stunnel can add SSL protection to server-side software that has no SSL support of its own, without any modification to the daemon's code; Stunnel works as shown in the figure. For example, you can use Stunnel to protect POP3, SMTP and IMAP servers. The latest version of Stunnel at the time of writing is stunnel-4.33.tar.gz; its official website is www.stunnel.org.
1. Installing and Compiling Stunnel
Stunnel installation is very simple, so the author will not belabor it. Use the following commands to complete the installation of Stunnel:
#wget http://www.stunnel.org/download/stunnel/src/stunnel-4.33.tar.gz
#tar zxvf stunnel-4.33.tar.gz
#cd stunnel-4.33
#./configure; make; make install
Figure: Stunnel working principle
The following uses Stunnel to encapsulate some popular mail servers.
2. Securing IMAP
IMAP (Internet Message Access Protocol) is a way for users to access mail from different computers. It works by storing the messages on a central computer and letting the user access a copy of them. Users can synchronize a local workstation with the server, and can also create folders for messages with full access rights. There are two ways to wrap IMAP with Stunnel.
1. Running IMAP services directly via Stunnel
This method is recommended if your IMAP clients connect using the SSL protocol. First, stop the imapd daemon, and then, in the start-up script (/etc/rc.d/rc.local), replace the imapd command line with the following command:
/usr/sbin/stunnel -p /usr/local/ssl/certs/stunnel.pem -d 993 -r localhost:143
This command runs Stunnel as a proxy on the IMAPS port (993) with the specified certificate file, forwarding the decrypted connections to the imapd listener on port 143. If non-SSL IMAP clients are allowed to connect to the standard IMAP port (143), SSL IMAP clients can instead be configured to connect to the IMAPS port (993), where Stunnel launches imapd directly:
/usr/sbin/stunnel -p /usr/local/ssl/certs/stunnel.pem -d 993 -l /usr/sbin/imapd
2. Running secure IMAP via xinetd
As the daemon model implies, every service the system offers would need its own daemon listening on a port, which usually wastes resources.
To solve this problem, Linux introduced the "network daemon service" xinetd. xinetd listens on several specified ports at once and, when it accepts a user request, starts the appropriate network service process according to the port the user requested. You can think of xinetd as a management server that manages service start-up: it accepts the client request, hands it to the program, and starts the matching daemon. If you run the IMAP service through xinetd, modify its configuration file (/etc/xinetd.d/imapd) as follows:
service imap
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    port = 143
    server = /usr/sbin/stunnel
    server_args = stunnel imapd -l /usr/sbin/imapd -- imapd
    log_on_success += USERID
    log_on_failure += USERID
    #env = virtdomain=virtual.hostname
}
Then signal the xinetd super-server so that it re-reads its configuration (SIGUSR1 asks xinetd for a soft reconfiguration):
killall -USR1 xinetd
3. Securing POP3
To connect to the POP3 mail service over SSL, configure the xinetd service file as follows:
service pop3s
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/stunnel
    server_args = stunnel pop3s -l /usr/sbin/ipop3d -- ipop3d
    log_on_success += USERID
    log_on_failure += USERID
}
If the client's mail user agent (MUA) cannot use SSL-based POP3, the POP3 redirection method can be used instead.
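In both xinetd stanzas above (imap and pop3s), it is the server = /usr/sbin/stunnel line that puts SSL in front of the daemon; a service whose server line points straight at the daemon is still plaintext, even when it sits beside the wrapped ones. The following shell script is an added example, not part of the original article or of the Stunnel or xinetd projects: it parses a directory laid out like /etc/xinetd.d, reports for each service whether it is enabled and whether xinetd hands the connection to stunnel, and lists the enabled plaintext services. The function names are this example's own, the sample service files it writes under a temporary directory are constructed for the demonstration, and it assumes xinetd's default that a stanza without a disable line is enabled.

```shell
#!/bin/sh
# Added example (not from the article): audit xinetd service files and
# report which enabled services are wrapped by stunnel and which are not.

# Print one line per service file:  name:enabled|disabled:stunnel|plaintext:server
xinetd_audit() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk '
            function value(   line) {
                line = $0
                sub(/^[^=]*=[ \t]*/, "", line)    # keep only the text after "="
                sub(/[ \t]+$/, "", line)
                return line
            }
            /^[ \t]*#/              { next }       # comment line
            $1 == "service"         { name = $2 }
            /^[ \t]*disable[ \t]*=/ { disable = value() }
            /^[ \t]*server[ \t]*=/  { server = value() }   # does not match server_args
            END {
                if (name == "") exit               # not a service stanza
                state   = (disable == "yes") ? "disabled" : "enabled"   # xinetd default: enabled
                wrapped = (server ~ /stunnel$/) ? "stunnel" : "plaintext"
                print name ":" state ":" wrapped ":" server
            }' "$f"
    done
}

# The lines a defender wants to see first: enabled services with no stunnel in front.
xinetd_plaintext_enabled() {
    xinetd_audit "$1" | grep ':enabled:plaintext:' || true
}

# Constructed sample files for the demonstration (hypothetical, not a real system).
make_demo_dir() {
    d=$(mktemp -d)
    cat > "$d/imap" <<'EOF'
service imap
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    port = 143
    server = /usr/sbin/stunnel
    server_args = stunnel imapd -l /usr/sbin/imapd -- imapd
}
EOF
    cat > "$d/pop3s" <<'EOF'
service pop3s
{
    disable = no
    server = /usr/sbin/stunnel
    server_args = stunnel pop3s -l /usr/sbin/ipop3d -- ipop3d
}
EOF
    cat > "$d/telnet" <<'EOF'
service telnet
{
    disable = no
    server = /usr/sbin/in.telnetd
}
EOF
    cat > "$d/finger" <<'EOF'
# switched off, but the file is still on disk
service finger
{
    disable = yes
    server = /usr/sbin/in.fingerd
}
EOF
    echo "$d"
}

demo=$(make_demo_dir)
xinetd_audit "$demo"
echo "--- enabled services without stunnel ---"
xinetd_plaintext_enabled "$demo"
rm -rf "$demo"
```

Run it against a real /etc/xinetd.d by calling xinetd_audit /etc/xinetd.d; the stanzas from this article show up as enabled:stunnel, while any leftover service still pointing directly at its daemon shows up as enabled:plaintext.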
4. Securing SMTP
If a running SMTP server needs to let an employee on a business trip send mail to the internal network, set up the following:
/usr/local/sbin/stunnel -d 25 -p /var/lib/ssl/certs/server.pem -r localhost:smtp
This secures only the SMTP transport between the end user and the mail server; delivery from the mail server to servers outside the domain is not covered.
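The command lines in this article (the two IMAP ones and the SMTP one) use the stunnel 3.x options -d, -r, -l and -p. stunnel 4.x, including the 4.33 release built at the start of this article, dropped those options and reads a configuration file (stunnel.conf) instead, where -p becomes cert, -d becomes accept, -r becomes connect, and -l becomes exec plus execargs. The following shell function is an added example, not part of the original article or of the Stunnel project: it translates a stunnel 3 command line into the equivalent stunnel 4 service section and applies the same sanity rules stunnel 3 did. The function name and its error messages are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or the Stunnel project): turn a
# stunnel 3.x command line into a stunnel 4.x service section.
#
#   stunnel3_to_conf NAME [-p CERT] -d PORT (-r HOST:PORT | -l PROGRAM)
#
#   -p FILE       -> cert = FILE        (placed inside the service section)
#   -d PORT       -> accept = PORT
#   -r HOST:PORT  -> connect = HOST:PORT
#   -l PROGRAM    -> exec = PROGRAM and execargs = basename(PROGRAM)
#                    (execargs is the program's argv including $0, which is
#                    what the "-- imapd" tail supplied in stunnel 3)
stunnel3_to_conf() {
    name=$1; shift
    cert=""; accept=""; connect=""; prog=""
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "$name: option $1 needs a value" >&2; return 1; }
        case $1 in
            -p) cert=$2 ;;
            -d) accept=$2 ;;
            -r) connect=$2 ;;
            -l) prog=$2 ;;
            *)  echo "$name: unsupported option $1" >&2; return 1 ;;
        esac
        shift 2
    done
    # Same rules stunnel 3 enforced: a listen port, and exactly one of a
    # remote target (-r) or a local program (-l).
    if [ -z "$accept" ]; then
        echo "$name: -d (listen port) is required" >&2; return 1
    fi
    if [ -n "$connect" ] && [ -n "$prog" ]; then
        echo "$name: -r and -l are mutually exclusive" >&2; return 1
    fi
    if [ -z "$connect" ] && [ -z "$prog" ]; then
        echo "$name: one of -r or -l is required" >&2; return 1
    fi
    printf '[%s]\n' "$name"
    [ -z "$cert" ] || printf 'cert = %s\n' "$cert"
    printf 'accept = %s\n' "$accept"
    if [ -n "$connect" ]; then
        printf 'connect = %s\n' "$connect"
    else
        printf 'exec = %s\n' "$prog"
        printf 'execargs = %s\n' "$(basename "$prog")"
    fi
}

# The three command lines from this article, rewritten for stunnel 4.
# Each call prints one service section; pick the sections you need and
# concatenate them into stunnel.conf.
stunnel3_to_conf imaps -p /usr/local/ssl/certs/stunnel.pem -d 993 -r localhost:143
stunnel3_to_conf imaps-local -p /usr/local/ssl/certs/stunnel.pem -d 993 -l /usr/sbin/imapd
stunnel3_to_conf smtps -p /var/lib/ssl/certs/server.pem -d 25 -r localhost:smtp
```

The two IMAP sections are alternatives, as in the article: both listen on 993, so only one of them belongs in a given stunnel.conf. Keeping cert inside the service section rather than at the top of the file means each wrapped service can carry its own certificate.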
Stunnel provides security for mail servers across two or more networks. Even for a system administrator who is not a developer, Stunnel is a powerful tool, because it adds SSL to server-side software that does not itself support SSL; the examples above used Stunnel to protect POP3, SMTP and IMAP servers. The only drawback is that you need to run the secure versions of these services, and the client must be SSL-aware. Stunnel also has some limitations: on the server side it currently only transparently proxies Linux clients, and on the client side full certificate validation is not easy to perform.