Setting Up Stunnel On Linux

Intro

This article was written while getting SMTP authentication working with AT&T Business Class DSL services.   The SMTP service requires authentication via a secure connection on port 465.   Other articles will get into further details, this article’s focus is on the stunnel part of the equation, which we use to wrap the standard sendmail/SMTP configuration.

In This Article

  • An example stunnel config file for talking to AT&T SMTP servers on port 465 (SMTPS)
  • Testing the connection to AT&T SMTPS is working via telnet
  • Getting stunnel running on system boot.

Our Environment

  • CentOS release 5.2
  • stunnel 4.15-2

We assume you have stunnel and telnet installed.  If not, research the yum install commands for CentOS.  You will also need superuser access to update the running services on your box.

Setting up stunnel

Stunnel will allow you to listen for data connections on a local port and redirect that traffic through an SSH wrapper to another system.  In our case we are using stunnel to listen on port 2525 on our local server, wrap the communication in ssh and send it along to our local AT&T SMTP Server at smtp.att.yahoo.com on port 465 (aka SMTPS).

Install

To do this you will need stunnel installed.   If yum is configured properly and the remote yum servers are online you can try this:

# yum install stunnel

Configure

You will then need to create or edit the stunnel configuration file and setup the AT&T SMTPS redirect.  Your config file should look like this (your remote SMTPS server may have a different URL, check with your ISP):

  1. client=yes
  2. [rev-smtps]
  3. accept=127.0.0.1:2525
  4. connect=smtp.att.yahoo.com:smtps

Test

Run stunnel in a detached daemon mode:

# stunnel &

Then telnet in to localhost port 2525, which should SSH wrap the connection to the AT&T SMTP Server

# telnet 127.0.0.1 2525

You should see something like this:

  1. [root@dev xinetd.d]# telnet localhost 2525
  2. Trying 127.0.0.1…
  3. Connected to localhost.localdomain (127.0.0.1).
  4. Escape character is ‘^]’.
  5. 220 smtp104.sbc.mail.re3.yahoo.com ESMTP
  6. EHLO
  7. 250-smtp104.sbc.mail.re3.yahoo.com
  8. 250-AUTH LOGIN PLAIN XYMCOOKIE
  9. 250-PIPELINING
  10. 250 8BITMIME
  11. quit
  12.  
  13. Connection closed by foreign host.

Stop the test process by killing the detached process.  Find the process ID with ps and kill it.

# ps -ef | grep stunnel

You should see something like this:

  1. root      6181     1  0 11:37 ?        00:00:00 stunnel
  2. root     10698  3626  0 14:11 pts/0    00:00:00 grep stunnel

Kill the process.

# kill <pid>

Starting up stunnel on boot.

stunnel can be started by using the simple # stunnel & command via a shell script that runs at startup.  This method allows for session caching and generally improves performance over an xinetd controlled session.

Configure

Create /etc/init.d/stunnel:

  1. #!/bin/bash#
  2. #       /etc/rc.d/init.d/stunnel
  3. #
  4. # Starts the stunnel daemon
  5. #
  6. # Source function library.
  7. . /etc/init.d/functions
  8. test -x /usr/sbin/stunnel || exit 0
  9. RETVAL=0
  10. #
  11. #       See how we were called.
  12. #
  13. prog="stunnel"
  14. start() {
  15.     # Check if stunnel is already running
  16.     if [ ! -f /var/lock/subsys/stunnel ]; then
  17.     echo -n $"Starting $prog: "
  18.     daemon /usr/sbin/stunnel
  19.     RETVAL=$?
  20.     [ $RETVAL -eq 0 ] &amp;&amp; touch /var/lock/subsys/stunnel
  21.     echo
  22.     fi
  23.     return $RETVAL
  24. }
  25. stop() {
  26.     echo -n $"Stopping $prog: "
  27.     killproc /usr/sbin/stunnel
  28.     RETVAL=$?
  29.     [ $RETVAL -eq 0 ] &amp;&amp; rm -f /var/lock/subsys/stunnel
  30.     echo
  31.     return $RETVAL
  32. }
  33. restart() {
  34.     stop
  35.     start
  36. }
  37. reload() {
  38.     restart
  39. }
  40. status_at() {
  41.     status /usr/sbin/atd
  42. }
  43. case "$1" in
  44. start)
  45.     start
  46.     ;;
  47. stop)
  48.     stop
  49.     ;;
  50. reload|restart)
  51.     restart
  52.     ;;
  53. condrestart)
  54.     if [ -f /var/lock/subsys/atd ]; then
  55.     restart
  56.     fi
  57.     ;;status)
  58.     status_at
  59.     ;;
  60. *)
  61.     echo $"Usage: $0 {start|stop|restart|condrestart|status}"
  62.     exit 1
  63. esac
  64. exit $?
  65. exit $RETVAL

Set the stunnel script to run at startup level 3:

# ln -s /etc/init.d/stunnel /etc/rc3.d/S58stunnel

Test

Run the same telnet test to port 2525 on localhost as noted above.  Don’t kill the process when you are done.

Running via xinetd

xinetd runs various port listening services through a single program (xinet) that runs as a daemon.  Since our box (and most RHEL variants) runs xinetd by default, we simply need to create our configuration file for stunnel and put it in the xinet.d directory & restart the xinetd process.  This is NOT the recommended method for running stunnel.

Install

If xinetd is not installed and running on your system (it should be) then grab it with yum

# yum install xinetd

Configure

Create a new stunnel configuration file in the /etc/xinetd.d directory.

  1. # description: stunnel listner to map local ports to outside ports
  2. service stunnel
  3. {
  4.     disable         = no
  5.     flags           = REUSE
  6.     socket_type     = stream
  7.     wait            = no
  8.     user            = root
  9.     port            = 2525
  10.     server          = /usr/sbin/stunnel
  11. }

You can learn more about xinetd configuration files here:
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-tcpwrappers-xinetd-config.html

You will also need to change your stunnel config file as the accept port is now handled by xinetd.  You can learn more via the stunnel manual by using # man stunnel at your linux prompt.

The new stunnel.conf file:

  1. client=yes
  2. connect=smtp.att.yahoo.com:smtps

Test

  1. #service xinetd restart
  2. #telnet 127.0.0.1 2525

You should see the same results as the stunnel test above.

Related Posts & Comments:

  1. Upgrading Logwatch on CentOS 5
  2. Logon To Your Linux Box Using SSH Keys
  3. Scheduling Linux Apps
  4. Creating and Installing SSL Certs via SSH
3 Comments   |   Posted in applications,blog,Networking Utilities by on April 05, 2010

2 Comments for this entry

  • Mark Hopkins August 30th, 2010 on 10:31 PM

    Your startup script, /etc/init.d/stunnel does not work. What is with the “&&”? Also why is that a “#” at the end of line 1?

    Also executing via xinetd did not work on RHEL 4.7.

    Thanks anyway.

    Mark

    Reply
    • Ronnie Shavlik March 18th, 2011 on 11:20 AM

      Thanks for sharing this write-up, saved me time in setting it up. As to Mark’s comment, yeah…to get the service script to work:

      Remove the # from the end of the first line. Then replace where it has…

      &&

      with…

      &&

      And then down lower for the status and conditional restart options, change it from pointing to atd to stunnel.

      Additionally, if you get an error about incorrect\improper permissions on your certificate file, do a ‘chmod 600 ‘.

      That should do it.

      Reply

1 Trackback or Pingback for this entry

Leave a comment










Search Articles

Article Categories

Tags

.net amazon Android apache asus at&t Bash c-sharp Charleston SC command line Database dell directory documentation droid Emacs find Gadgets git google isp java Javascript js Linux lisp login microsoft mobile apps mysql networking Perl php plugins postgresql python redmine SQL sql syntax SSH ssl ubuntu windows Word Wordpress

Recent Articles