Configure StartTLS on Djigzo

1. Make a separate certificate and key for StartTLS by running this command as root in the /etc/postfix/ssl directory, then change the permissions with chmod 400:


  openssl req -new -x509 -days 3650 -nodes -out ssl.pem -keyout ssl.key
  Generating a 1024 bit RSA private key
  ...++++++
  ........................................++++++
  writing new private key to 'ssl.key'
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:Maryland
  Locality Name (eg, city) []:Gaithersburg
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:WorldVistA
  Organizational Unit Name (eg, section) []:CMO
  Common Name (eg, YOUR name) []:Nancy Anthracite
  Email Address []:nancy@worldvista.org
  
  
  mail2:/etc/postfix/ssl# ls
  ssl.key  ssl.pem
  chmod 400 *

2. Now add the following to /etc/postfix/main.cf (see the full final main.cf in another document, Postfix-main.cf-AfterDovecotSetup.txt):

smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_cert_file = /etc/postfix/ssl/ssl.pem
smtpd_tls_key_file = /etc/postfix/ssl/ssl.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_tls_loglevel = 1

3. Install stunnel on openforum.opensourcevista.net:
aptitude install stunnel4

Also install all of these packages if they are not already present:
ii  libssl-dev                           0.9.8o-4squeeze1             SSL development libraries, header files and documentation
ii  libssl0.9.7                          0.9.7k-3.1etch5              SSL shared libraries
ii  libssl0.9.8                          0.9.8o-4squeeze1             SSL shared libraries
ii  openssl                              0.9.8o-4squeeze1             Secure Socket Layer (SSL) binary and related cryptographic tools
ii  openssl-blacklist                    0.5-2                        list of blacklisted OpenSSL RSA keys
ii  openssl-blacklist-extra              0.5-2                        list of non-default blacklisted OpenSSL RSA keys
ii  ssl-cert                             1.0.28                       simple debconf wrapper for OpenSSL
ii  ssldump                              0.9b3-4                      An SSLv3/TLS network protocol analyzer


4. On the Djigzo server, StartTLS will automatically make the connection to stunnel correctly on the VistA side, so you need to send the message out to a new port for tunneling, which then forwards to the usual port: 25, or whatever you have set it up to be on the VistA server. In this case the VistA end has substituted port 9320 for port 25, because it is one of many instances of VistA on this server (see AlternatePortMailmanDjigzoMailDelivery.odt). The /etc/stunnel/stunnel.conf file is backed up and a new stunnel.conf file is written using a random port.

5. Postfix is set up by editing the /etc/postfix/main.cf and /etc/postfix/transport files.

Add the following to /etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport

and the following to /etc/postfix/transport:

REMINDERS.OPENFORUM.OPENSOURCEVISTA.NET     :[66.206.177.84]:9302
#WVEHR309A.OPENFORUM.OPENSOURCEVISTA.NET    :[66.206.177.84]:9320
GPL.MDC-CREW.NET                            :[68.35.27.66]:3601
VADEMO409.OPENFORUM.OPENSOURCEVISTA.NET     :[66.206.177.84]:9308
WVEHR309.OPENFORUM.OPENSOURCEVISTA.NET      :[66.206.177.84]:9307
WVEHR309A.OPENFORUM.OPENSOURCEVISTA.NET     :[66.206.177.84]:19320

Then run these commands:

postmap /etc/postfix/transport
/etc/init.d/postfix restart


6. Then on the VistA side (in this instance, altering the instance wvehr3-09a), edit the /etc/stunnel/stunnel.conf file after backing it up. Note that the old equivalent of port 25, which is set up and still active in xinetd.d, is port 9320, which replaces port 25 (see AlternatePortMailmanDjigzoMailDelivery.odt); port 19320 is the port being used by stunnel.

gtm:/home/nancy# cat /etc/stunnel/stunnel.conf

; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/certs/stunnel.pem
key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
;socket = l:TCP_NODELAY=1
;socket = r:TCP_NODELAY=1
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[smtp]
accept = 25
connect = 127.0.0.1:25
client = yes
protocol = smtp

[smtps_incoming]
;wvehr3-09a
accept = 19320
connect = 127.0.0.1:9299
client = no
protocol = smtp

[smtps_incoming]
;wvehr3-09
accept = 9307
connect = 127.0.0.1:9298
client = no
protocol = smtp

[smtps_incoming]
;reminders
accept = 9302
connect = 127.0.0.1:9297
client = no
protocol = smtp

[smtps_incoming]
;vademo4-09
accept = 9308
connect = 127.0.0.1:9296
client = no
protocol = smtp

; vim:ft=dosini


7. Now make a stunnel.pem for the VistA side:

gtm:/etc/stunnel# openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
Generating a 1024 bit RSA private key
...........++++++
......++++++
writing new private key to 'stunnel.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Maryland
Locality Name (eg, city) []:Gaithersburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WorldVistA
Organizational Unit Name (eg, section) []:CMO
Common Name (eg, YOUR name) []:wvehr309a.openforum.opensourcevista.net
Email Address []:nancy@worldvista.org

cp /etc/stunnel/stunnel.pem /etc/ssl/certs/stunnel.pem
chmod 600 /etc/ssl/certs/stunnel.pem

8. Edit the /etc/stunnel/stunnel.conf file:

; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/certs/stunnel.pem
key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration
; from VistA Server to Djigzo
[smtp]
accept = 25
connect = 66.206.177.87:25
client = yes
protocol = smtp

;From Djigzo to VistA Server
[smtps_incoming]
accept = 19320
connect = 127.0.0.1:9299
client = no
protocol = smtp

[smtps_incoming]
;wvehr3-09
accept = 9307
connect = 127.0.0.1:9298
client = no
protocol = smtp

[smtps_incoming]
;reminders
accept = 9302
connect = 127.0.0.1:9297
client = no
protocol = smtp

[smtps_incoming]
;vademo4-09
accept = 9308
connect = 127.0.0.1:9296
client = no
protocol = smtp


; vim:ft=dosini
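Before starting stunnel it is worth confirming that the Postfix transport map from step 5 and the stunnel.conf above agree. The shell check below is an added example, not part of the original notes: it lists the ports Postfix will deliver to, lists the ports accepted by stunnel services that are not client = yes, reports any delivery port with no listener, and flags an accept line that lacks its '=' (which stunnel rejects with a configuration error). The two input files are constructed samples modelled on this document.

```shell
#!/bin/sh
# Added check: every port the Postfix transport map delivers to must be a port
# some server-mode stunnel service accepts, or nothing listens there. Constructed samples:
TRANSPORT=$(mktemp); STUNNEL=$(mktemp)
trap 'rm -f "$TRANSPORT" "$STUNNEL"' EXIT
cat >"$TRANSPORT" <<'EOF'
REMINDERS.OPENFORUM.OPENSOURCEVISTA.NET   :[66.206.177.84]:9302
#WVEHR309A.OPENFORUM.OPENSOURCEVISTA.NET  :[66.206.177.84]:9320
WVEHR309A.OPENFORUM.OPENSOURCEVISTA.NET   :[66.206.177.84]:19320
WVEHR309.OPENFORUM.OPENSOURCEVISTA.NET    :[66.206.177.84]:9307
EOF
cat >"$STUNNEL" <<'EOF'
[smtp]
accept = 25
client = yes
[smtps_incoming]
accept = 19320
[smtps_incoming]
accept 9307
client = no
[smtps_incoming]
accept = 9302
EOF
# Ports Postfix will connect to: skip comments and blank lines, keep the text
# after the last ':' of the nexthop (works with or without the leading ':').
transport_ports() {
    awk '!/^[ \t]*(#|$)/ { n = split($2, a, ":"); print a[n] }' "$1" | sort -u
}
# Ports accepted by stunnel services that are not client = yes (stunnel's default
# is client = no). An accept line without '=' is reported on stderr and not counted.
stunnel_accept_ports() {
    awk '
        function emit()  { if (acc != "" && cli != "yes") print acc; acc = ""; cli = "" }
        function val(s)  { sub(/^[^=]*=/, "", s); gsub(/[ \t]/, "", s); return s }
        /^[ \t]*;/ { next }
        /^\[/      { emit(); next }
        /^[ \t]*accept[ \t]*=/ { n = split(val($0), a, ":"); acc = a[n]; next }
        /^[ \t]*client[ \t]*=/ { cli = val($0); next }
        /^[ \t]*accept[ \t]/   { print "malformed stunnel line: " $0 > "/dev/stderr" }
        END { emit() }
    ' "$1" | sort -u
}
# Transport-map ports that no stunnel service listens on.
missing_listeners() {
    transport_ports "$1" | while read -r port; do
        stunnel_accept_ports "$2" | grep -qx "$port" || echo "$port"
    done
}
missing_listeners "$TRANSPORT" "$STUNNEL"
```

Run it against the real files with `missing_listeners /etc/postfix/transport /etc/stunnel/stunnel.conf`; an empty result means every delivery port has a listener.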


9. Now you have to edit /etc/default/stunnel to allow stunnel automatic startup, and run /etc/init.d/stunnel4 start to start it. Port 19320 (or whatever random port you selected) must be opened as well.


# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003

# Change to one to enable stunnel automatic startup
ENABLED=0      <========================= Change 0 to 1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0  <========================= Change 0 to 1


10. Now run /etc/init.d/stunnel4 start:

#/etc/init.d/stunnel4 start
Starting SSL tunnels: [Started: /etc/stunnel/stunnel.conf] stunnel.

This file will be generated:

/var/lib/stunnel4/stunnel4.pid

11. To check if the tunnel is working, telnet to it from inside the originating server:

telnet 127.0.0.1 19320  <=== from inside the Djigzo server

