The hMailServer does a great job of SMTP, POP3 and IMAP. But what if you want to use the secure versions of those things? Well, you can wait for the next version, or do a little work yourself.
Well, I thought about using Stunnel for that before I read the guide here. So I went about doing so, and got it to work. Then, when I later found the guide here, I noticed it was short on a few topics. Specifically, it is missing how to create your own certificate to make Stunnel more secure.
I went through more than a few guides on OpenSSL, and most were written for Linux users. In most of these, they liked calling everything a .pem file. They also all like to talk about c_rehash, which you won't need for what is being done here.
So I decided that I would make my own howto which would add to this one: go over creating a basic, self-signed certificate with OpenSSL, and installing it in Stunnel, all inside Windows.
I have done this on Pro 2000 and XP Home, so it should work most places. Mileage may vary.
One guide I found, "Creating a Self-Signed Certificate using OpenSSL for use with Microsoft Internet Information Services (IIS) 5" by Dylan Beattie, January 2003, uses more of a Microsoft file format, extensions, and so on.
This guide is based off that one, but I diverge where it starts talking about IIS. This is for Stunnel which is being applied to hMailServer, not IIS!
Know whether this is legal where you are. Not all places have the same laws on using encryption, and that is all I have to say on that because I am not a legal advisor.
Pre-compiled OpenSSL tools for Windows from Shining Light Productions. You can also compile your own version of the OpenSSL tools using Cygwin or MinGW, but this is the fastest way.
The OpenSSL tools use the Visual C++ runtime DLL, msvcr90.dll. If this is missing from your system, you will need to install the Microsoft Visual C++ 2008 Redistributable Package (x86).
For configuring OpenSSL, use this copy of openssl.conf, or play with your own to figure it all out. This way is a lot quicker.
The most recent Stunnel Binaries for Windows
What to do:
If you plan on making this install of OpenSSL a long term thing, and making your own Certificate Authority to sign multiple certificates, set the variables in your path and system variables. Otherwise, you can just run the set commands from DOS, and be done with it.
Install the OpenSSL tools to:
Make sure you have msvcr90.dll on your system, or install the C++ runtime to get it.
Now I am going to go through this part quick. If you want more explanation, read Dylan Beattie's guide.
Open up the command prompt. Start > Run > cmd
copy con database.txt
Then press Ctrl+Z (the Control and Z keys; no Shift needed) and Enter to write the empty file.
copy con serial.txt
NOTE: the 1024 below is to make a 1024 bit KEY. You could also do 2048, and other fun things.
openssl genrsa -des3 -out keys/ca.key 1024
openssl genrsa -out keys/ca.key 1024
-des3 or no -des3. . . If making a CA to do other, internally signed certificates, use a des3 pass phrase, and make a second cert signed by the first for Stunnel. However, if you are only going to make one cert, or you may make another later but don't have any long term plans, DON'T use a pass phrase: leave -des3 off, as in the second command. (genrsa has no -nodes option; -nodes belongs to openssl req, where it means "don't encrypt the key it generates".)
The pass phrase is to secure the key from unauthorized use, and to allow it to be sent via email. This is not needed if it will only live on one machine.
Stunnel will never start as a service on boot if you use a pass phrase! So one of the certs you make will have to be without a pass phrase, or will have to have the pass phrase stripped off.
Next, make a self-signed certificate good for three years:
openssl req -config openssl.conf -new -x509 -days 1095 -key keys/ca.key -out certs/ca.cer
Optionally, make a transportable DER copy of the certificate, to import trust in your CA into other systems without compromising the private key:
openssl x509 -in certs/ca.cer -outform DER -out certs/ca.der
The point of a DER file is that it holds only the public certificate, so it can be published on the web without compromising the certificate/key pair. It lets you install trust through a browser, which, if you are making a private CA to issue keys for a number of machines and/or services, will cut down on headaches.
Let's say you have an internal web server, database server, and mail at three offices on local servers using a VPN to keep it all straight. You can trust some big company, and pay them lots of money to let you trust them, and get real keys, OR you can make your own CA, trust it, and use the DER to have your users trust it without a warning popping up every time.
Moving on...
You now have a working key and certificate pair, and can skip to installing it into Stunnel. However, if you want to use this as a CA, and make more certificates off it, you then need to do the following:
openssl genrsa -out keys/client.key 1024
openssl req -config openssl.conf -new -key keys/client.key -out requests/client.req
openssl ca -config openssl.conf -days 730 -keyfile keys/ca.key -cert certs/ca.cer -in requests/client.req -out certs/client.cer
That makes a key and certificate pair, signed by your CA, that lasts for two years. The client key is generated without -des3 so it has no pass phrase (which Stunnel needs, see above), and -config is given explicitly so the ca command finds the database.txt and serial.txt you made earlier.
Installing into Stunnel:
Install Stunnel into c:\Program Files\stunnel, or wherever you want. Let it make the assorted shortcuts.
Under Start > Programs > Stunnel it should make the following:
You can install and test the service at this point. You will be using the default certificate, which is not very secure, since that key ships with every copy of Stunnel and anyone who has it can decrypt your traffic.
When ready to install your certificate/key pair, stop the service, go to the Stunnel folder, and rename stunnel.pem to stunnel.mep, or some other file you will remember.
Make a new stunnel.pem, or copy the old and edit it. Whatever you like.
In the old stunnel.pem you will notice it has something like this:
-----BEGIN RSA PRIVATE KEY-----
[BLA BLA BLA]
-----END RSA PRIVATE KEY-----
[BLA BLA BLA]
You want to replace the top part with what is in c:\ssl\keys\client.key, and the bottom with what is in c:\ssl\certs\client.cer.
To attach the layer of trust to the CA inside Stunnel, put the CA certificate into the Stunnel folder, and add this line to the stunnel.conf:
CAfile = ca.cer
That adds the trust, but avoids the whole c_rehash requirement for making CApath work. Note that CAfile must be the PEM file (ca.cer), not the DER copy, which is for importing into browsers; and Stunnel only reads CAfile when a verify level is set in the same section, so without a verify line it adds nothing.
If you just made one key, and not two, join together c:\ssl\keys\ca.key, and c:\ssl\certs\ca.cer in the new stunnel.pem, and don't bother with the CAfile because the signer is inside the same certificate.
If your key has something like this at the top:
DEK-Info: DES-EDE3-CBC,[BLA BLA BLA]
It is pass-phrased, and Stunnel won't accept it when starting as a service. To strip a pass-phrased key down to a non-encrypted key:
openssl rsa -in keys/client.key -out keys/open.key
That just removes the Triple-DES layer, and gives you the bare key. Like I said, that extra layer of encryption is to protect the key in email.
If your key could be exposed other ways, that is due to a poorly secured machine. That starts with locked doors, and if needed, breaking the fingers of children who play with the server they are not supposed to touch! It has nothing to do with the Triple-DES on this key.
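As an added example (not part of this howto, and not Stunnel's or OpenSSL's own code), here is a standard-library Python script that does the stunnel.pem assembly described above in code rather than by hand: it parses the PEM blocks, decodes the base64 body (which is exactly what the DER file from openssl x509 -outform DER contains), refuses a key that carries the Proc-Type/DEK-Info headers (or the PKCS#8 "ENCRYPTED PRIVATE KEY" label, which the text does not mention), and checks that each block decodes to one complete DER SEQUENCE, which catches a block pasted with lines missing. The sample key and certificate bodies at the bottom are constructed stand-ins, not real ones.

```python
# Added example (not from the original howto): assemble stunnel.pem from a key
# file and a certificate file the way the text describes doing by hand, refuse
# a pass-phrased key, and catch a block that was pasted incompletely.
# Only the standard library is used; the sample inputs at the bottom are
# constructed stand-ins, not real keys or certificates.
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def parse_pem(text):
    """Return [(label, headers, der_bytes)] for every PEM block in text.
    headers holds the optional 'Name: value' lines (Proc-Type, DEK-Info) that
    OpenSSL writes above the base64 of an encrypted key."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        headers, b64 = {}, []
        for line in m.group("body").splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line and not b64:      # base64 never contains ':'
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            else:
                b64.append(line)
        der = base64.b64decode("".join(b64), validate=True)
        blocks.append((m.group("label"), headers, der))
    return blocks


def to_pem(label, der):
    """Inverse of parse_pem for one block: base64 in 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pem_to_der(text, label):
    """What 'openssl x509 -outform DER' produces: the base64 body, decoded."""
    for lbl, _, der in parse_pem(text):
        if lbl == label:
            return der
    raise ValueError("no %s block found" % label)


def key_is_encrypted(label, headers):
    """True for a traditional key with DEK-Info/Proc-Type headers, and also for
    the PKCS#8 form, which marks encryption in the label instead."""
    return (label == "ENCRYPTED PRIVATE KEY"
            or "DEK-Info" in headers
            or headers.get("Proc-Type", "").endswith("ENCRYPTED"))


def der_outer_length_ok(der):
    """A key or certificate is one DER SEQUENCE (tag 0x30) whose declared length
    must match the bytes present; a block missing pasted lines fails this."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                          # short-form length
        length, offset = first, 2
    else:                                     # long form: 0x80|N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return offset + length == len(der)


def build_stunnel_pem(key_pem, cert_pem):
    """Key block first, certificate block after it, as stunnel.pem expects.
    Raises ValueError for a pass-phrased key (Stunnel will not start as a
    service with one) or for a block that is not one whole DER object."""
    keys = [b for b in parse_pem(key_pem) if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in parse_pem(cert_pem) if b[0] == "CERTIFICATE"]
    if len(keys) != 1 or len(certs) != 1:
        raise ValueError("expected exactly one private key and one certificate")
    label, headers, key_der = keys[0]
    if key_is_encrypted(label, headers):
        raise ValueError("key is pass-phrased (%s); run 'openssl rsa' on it first"
                         % headers.get("DEK-Info", label))
    for lbl, _, der in (keys[0], certs[0]):
        if not der_outer_length_ok(der):
            raise ValueError("%s block is truncated or corrupt" % lbl)
    return to_pem(label, key_der) + to_pem("CERTIFICATE", certs[0][2])


# Constructed stand-ins: a tiny DER SEQUENCE {INTEGER 1, INTEGER 2} in place of a
# real key/certificate body, so everything runs offline.
FAKE_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
PLAIN_KEY = to_pem("RSA PRIVATE KEY", FAKE_DER)
CERT = to_pem("CERTIFICATE", FAKE_DER)
TRUNCATED_CERT = to_pem("CERTIFICATE", FAKE_DER[:-3])   # declares 6 bytes, 3 are missing
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"   # constructed IV, not a real one
    "\n" + base64.b64encode(FAKE_DER).decode("ascii") + "\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(build_stunnel_pem(PLAIN_KEY, CERT))
    for key, cert in ((ENCRYPTED_KEY, CERT), (PLAIN_KEY, TRUNCATED_CERT)):
        try:
            build_stunnel_pem(key, cert)
        except ValueError as err:
            print("rejected:", err)
```

To use it on your own files, read c:\ssl\keys\client.key and c:\ssl\certs\client.cer into strings and write the result of build_stunnel_pem to stunnel.pem. The DER length check only confirms the pasted block is whole; it does not validate the certificate or confirm that the key matches it, which is what the Stunnel test run is for.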
And that, in a nutshell, is how to make a CA and use it to improve the security levels of Stunnel.
The rest is the same as above.