ssl/tls, authentication on outgoing smtp session

Issue #32 resolved
Peter Molnar created an issue

Hi,

First of all: this is really a great work, and a reasonable solution for the email archiving. Maximum respect for you.

However, I was a bit lost in the installation documentation; if you don't mind, I should create a more comprehensive version. It was a pain in the back until I realised what some of the components are and the connections between them; moreover, I have to use CentOS 5 as the platform, which drove me crazy, but at least I have documentation for this platform. ;)

My only issue is that we should send the mails through at least a TLS (but SSL would be better) channel, mostly with user authentication on outgoing mails (see the SMTP_RELAY configuration). The other side of the SSL issue is the incoming messages: how can I secure the communication between my primary mail server and mailpiler?

Is it possible to implement this, or should I use some workaround?

Comments (8)

  1. Janos SUTO repo owner

    Hello Peter,

    note that the piler daemon doesn't support any SMTP-level encryption; still, it's possible to add TLS/SSL support to the mix.

    To do so, you should install an MTA (let's assume postfix for now) with TLS or SSL support on the piler host, and configure it to listen on 1.2.3.4:25/tcp.

    Since port 25 is occupied, you should move piler to localhost on a high port, e.g. 127.0.0.1:10025/tcp (set listen_addr=127.0.0.1 and listen_port=10025, then stop and start piler).

    In postfix main.cf set the following:

    content_filter = smtp:[127.0.0.1]:10025

    which means: send everything to 127.0.0.1:10025, where piler waits and archives every single mail it receives.

    If there's growing demand for TLS/SSL support, perhaps I will add native support to piler, and then in later versions you won't need postfix on the receiving side.

    If you feel the install instructions need more clarification, then please give some clues about where to include what.

  2. Peter Molnar reporter

    I can accept this for now, but I hope that there will be growing demand for this feature ;).

    About the incoming connection: when my primary server wants to send me mail through the Internet (because I'd like to use it in this scenario: mailpiler will be a remote backup), I can secure the connection with stunnel.

    Just for the record, my workaround with stunnel:

    1) Install stunnel and openssl.

    2) Create a certificate, if you don't have one already:

    openssl req -new -x509 -days 3650 -nodes -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem

    3) Create a configuration file for the tunnel, which will forward localhost port 465 (SMTPS) to localhost port 25 (piler):

    nano /etc/stunnel/stunnel-server.conf

    [smtpss]
    cert = /etc/stunnel/stunnel.pem
    accept = 465
    connect = 25

    4) Start the tunnel:

    stunnel /etc/stunnel/stunnel-server.conf

  3. Janos SUTO repo owner
    • changed status to open

    Now I get the point, so I reopen this issue and plan to add native SSL support for piler.

  4. Peter Molnar reporter

    Thank you, it is really nice. I guess in most cases your system will be used remotely, so between the primary server and mailpiler there is the Internet, which is definitely not secure. I saw that you secure the storage of the mails with a key, but I hope you can see it now: you should figure out how to secure the incoming and outgoing traffic as well.

  5. Janos SUTO repo owner

    OK, an initial STARTTLS implementation is available. Please download the master branch and recompile piler, adding the --enable-starttls configure option.

    Then create a PEM file (e.g. /usr/local/etc/piler.pem) containing both the private key and the certificate.

    Next, edit piler.conf and add 2 variables:

    tls_enable=1
    pemfile=/usr/local/etc/piler.pem

    Finally, verify (by the EHLO command) that piler advertises the STARTTLS SMTP feature.
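
The three setups in this thread (an MTA such as Postfix in front of piler, stunnel forwarding 465 to piler's plaintext port, and piler built with --enable-starttls) all end with the same question: does the endpoint actually offer TLS, does the handshake verify, and is AUTH only reachable after encryption? The following script is an added example, not code from piler or from either poster; it speaks only standard SMTP through Python's standard library, so it applies to any of the three. The host name, ports, credentials, CA file and the sample EHLO reply are assumptions or constructed data.

```python
"""Verify that an SMTP endpoint protects the session (and any AUTH) with TLS.

Added example, not part of piler or of this issue thread. It uses only the
standard library and standard SMTP: EHLO, STARTTLS on port 25 (RFC 3207)
and implicit TLS on port 465 (stunnel or native SMTPS). Host names, ports,
credentials and the CA file are assumptions.
"""
import smtplib
import ssl

# Constructed sample: what a telnet / openssl s_client session shows after
# EHLO on a server that offers STARTTLS but also AUTH on the cleartext channel.
SAMPLE_EHLO_REPLY = (
    b"250-mail.example.test\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-STARTTLS\r\n"
    b"250-AUTH PLAIN LOGIN\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply):
    """Parse a raw multi-line EHLO reply into {KEYWORD: parameters}.

    The first 250 line carries the server name and is skipped; each later
    '250-' or '250 ' line advertises one ESMTP keyword, optionally followed
    by parameters (e.g. 'AUTH PLAIN LOGIN'). Keywords are upper-cased.
    """
    exts = {}
    lines = reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue                      # not part of the EHLO reply
        body = line[4:].strip()           # drop the '250-' / '250 ' prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        exts[keyword.upper()] = params.strip()
    return exts


def assess(exts, port):
    """Return a list of problems with what the server offers before TLS.

    On 465 the whole session is already encrypted, so nothing is checked.
    Elsewhere: no STARTTLS means mail (and any password) would travel in
    the clear; AUTH advertised before STARTTLS means a client may send
    credentials over plaintext (Postfix: set smtpd_tls_auth_only = yes).
    """
    if port == 465:
        return []
    findings = []
    if "STARTTLS" not in exts:
        findings.append("no STARTTLS offered: session stays plaintext")
    if "AUTH" in exts:
        findings.append("AUTH offered before STARTTLS: credentials may be sent in the clear")
    return findings


def check_endpoint(host, port, user=None, password=None, cafile=None):
    """Connect, require a verified TLS channel, optionally log in; return findings.

    Needs a reachable server, so it is not exercised offline. For a
    self-signed certificate such as the stunnel one in the thread, pass the
    certificate (without its private key) as cafile so verification succeeds.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and host name
    if port == 465:
        conn = smtplib.SMTP_SSL(host, port, timeout=15, context=ctx)
        conn.ehlo()
        findings = []
    else:
        conn = smtplib.SMTP(host, port, timeout=15)
        conn.ehlo()
        exts = {k.upper(): v for k, v in conn.esmtp_features.items()}
        findings = assess(exts, port)
        if "STARTTLS" not in exts:
            conn.quit()
            return findings                 # never fall back to plaintext
        conn.starttls(context=ctx)          # raises on handshake/verification failure
        conn.ehlo()                         # re-EHLO: the offer list changes after TLS
    if user is not None:
        conn.login(user, password)          # only after the channel is encrypted
    conn.quit()
    return findings


if __name__ == "__main__":
    exts = parse_ehlo_extensions(SAMPLE_EHLO_REPLY)
    print(exts)
    print(assess(exts, 25))
    # Live use (assumed values): check_endpoint("archive.example.test", 465,
    #     cafile="/etc/stunnel/stunnel.crt")
```

Against the stunnel workaround, call check_endpoint with port 465 and the certificate half of stunnel.pem as cafile; against Postfix or piler with --enable-starttls, use port 25 and expect an empty findings list once STARTTLS is advertised and AUTH is withheld until after it.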
