[stunnel-users] re: Problem with certificates using smtp/pop
dr2chase at mac.com
Wed Jan 10 14:24:15 CET 2007
I tried sending directly to you; I must have looked like a spammer.
I am ever so slightly pleased to see that I have some company in
my frustration with this software. I'll try to help, since the
experts seem to be too busy. I've only used it twice, and it was
painful both times.
Have you gotten it to work at all?
That is, what do you see? Do you get a running stunnel process?
Do you have (with permissions)
ls -l /usr/local/etc/stunnel/mail.pem
-rw------- 1 root staff 2233 Jan 5 17:25 /usr/local/etc/stunnel/
I created it by running this command in that directory:
sudo openssl req -new -out mail.pem -keyout mail.pem -nodes -x509 -
I created a stupid certificate, because at some point it looked like
it was asking me for my name (David Chase) when what they wanted was my
fully qualified domain name (dr2chase.org), so that part of the
is wrong. The certificate creation in the makefile asked for this in a
slightly more sensible way, using the abbreviation "FQDN", though you
to wonder how busy the authors of some of this security software are,
they cannot take the time to type in "Fully qualified domain name", and
instead expect us to figure it out.
It can be whiny about permissions, in a non-specific way (as if the
software ran a one-way-hash on the permissions, didn't get a match,
and expected you to just guess till it worked.)
sudo chmod 600 /usr/local/etc/stunnel/mail.pem
sudo chmod 755 /usr/local/etc/stunnel/
sudo chown root /usr/local/etc/stunnel/stunnel.conf
You'll need to copy the sample stunnel.conf file into the real one:
sudo cp /usr/local/etc/stunnel/stunnel.conf-sample /usr/local/etc/
You might want to look it over, though I don't recall changing much
You might want to turn on debug logging there; mine seemed to spew in
invoking terminal, instead of any file that I could find, but that
enough for a start:
debug = 7
output = stunnel.log
Some part of stunnel created its chroot directory with incorrect (for
at least) permissions:
% ls -ld /usr/local/var/lib/stunnel/
948 drwxrwx--T 2 root wheel 68 Jan 5 16:55 /usr/local/var/lib/
That's the one that didn't work, and clearly someone thought
giving it the wrong permissions -- that "T" didn't get there
This caused silent failure for me.
What worked, but might not be secure, is
drwxrwxrwx 2 root wheel 68 Jan 6 00:16 /usr/local/var/lib/stunnel/
My guess is that it would be better if it were owned by nobody/nogroup,
but this is clearly something that trained experts should GET RIGHT,
of leaving it busted for novices to tinker with.
What mail reader are you using? For example, Apple Mail's
will treat an unofficial certificate as a connection failure; only
actually try to receive or send mail, will you get a chance to trust the
Perhaps my sarcastic remarks will cause someone to actually fix
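The procedure above (self-signed PEM with the FQDN as Common Name, 0600 on the PEM, the chroot directory's mode, debug logging in stunnel.conf) collected into one script, as an added example that is not code from the original post or from the stunnel project. The hostname mail.example.org, the paths, the 365-day validity, the log path and the group "nogroup" are assumptions; the config directive names (cert, chroot, setuid, setgid, pid, debug, output, accept, connect) are stunnel's own.

```shell
#!/bin/sh
# Added example; not code from the original post or from the stunnel project.
# Generate a self-signed certificate for stunnel with the host's FQDN as the
# Common Name, lock down the PEM, and check the points the message above had
# to find by trial and error: the CN, the PEM's mode, and the chroot directory.
# mail.example.org, the paths, the log path and the group "nogroup" are assumptions.

# Self-signed certificate and key in one PEM, non-interactively: -subj supplies
# the subject, so the prompt that looks as if it wants a personal name is never
# shown, and CN is the FQDN the mail client will connect to.
make_stunnel_cert() {
    fqdn=$1 pem=$2
    openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$fqdn" -keyout "$pem" -out "$pem" 2>/dev/null || return 1
    chmod 600 "$pem"
}

# Exit 0 if the path has exactly the octal mode given (600, 755, 1770, ...).
# A plain octal number to find -perm is an exact match, and -prune keeps find
# from descending into a directory; stat's flags differ between GNU and BSD.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Exit 0 if the certificate's subject CN equals the expected FQDN.  The sed
# pattern accepts "/CN=host" (OpenSSL 1.x) and "CN = host" (OpenSSL 3.x).
cert_cn_is() {
    cn=$(openssl x509 -in "$1" -noout -subject 2>/dev/null \
         | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    [ "$cn" = "$2" ]
}

# The chroot directory in the post was drwxrwx--T root:wheel, i.e. mode 1770:
# no access for "other", so after setgid the stunnel process can only use it
# if its group is the directory's group.  Check both mode and group.
chroot_dir_ok() {
    dir=$1 grp=$2
    mode_is "$dir" 1770 && [ -n "$(find "$dir" -prune -group "$grp" 2>/dev/null)" ]
}

# Minimal stunnel.conf for a POP3-over-TLS listener with the debug settings
# from the message, printed to stdout.  The pid path is relative to the
# chroot; the absolute log path is an assumption.
stunnel_conf() {
    pem=$1 chroot_dir=$2 grp=$3
    cat <<EOF
cert = $pem
chroot = $chroot_dir
setuid = nobody
setgid = $grp
pid = /stunnel.pid
debug = 7
output = /var/log/stunnel.log

[pop3s]
accept = 995
connect = 110
EOF
}

# Exit 0 only when every check passes; each failure is reported on stderr.
verify_setup() {
    fqdn=$1 pem=$2 chroot_dir=$3 grp=$4 rc=0
    mode_is "$pem" 600          || { echo "$pem: mode must be 600" >&2; rc=1; }
    cert_cn_is "$pem" "$fqdn"   || { echo "$pem: CN is not $fqdn" >&2; rc=1; }
    chroot_dir_ok "$chroot_dir" "$grp" \
        || { echo "$chroot_dir: want mode 1770, group $grp" >&2; rc=1; }
    return $rc
}

# usage (as root):
#   sh stunnel-setup.sh setup mail.example.org /usr/local/etc/stunnel/mail.pem \
#       /usr/local/var/lib/stunnel nogroup
case "${1:-}" in
    setup) make_stunnel_cert "$2" "$3" \
           && stunnel_conf "$3" "$4" "$5" > "$(dirname "$3")/stunnel.conf" \
           && verify_setup "$2" "$3" "$4" "$5" ;;
esac
```

verify_setup is the part worth keeping around: it turns the non-specific permission complaint described above into three concrete answers (PEM mode, certificate CN, chroot directory mode and group), and chroot_dir_ok explains the "T" case from the post: a 1770 directory whose group is wheel rather than the setgid group is unusable by the unprivileged process, which is why opening it up to 777 made things work.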