Stunnel.org  
   

Wrapping Qmail's pop3d in Stunnel


Please feel free to use this on stunnel.org if you think it may help
someone. This may be a bit premature as I only set it up tonight, but
it works great and the log files show no errors. You can edit it any
way you like, just don't post my email address (duh).
Here it is:


I now have stunnel 4 wrapping qmail-pop3d as a tcpserver service. My
goal was to closely follow the stunnel 3.x setup described in "The
qmail Handbook" to keep this consistent with the rest of my qmail
configuration.

My environment:
* Redhat Linux 9
* stunnel 4.04 compiled "--without-tcp-wrappers" (tcp wrappers would be
redundant with tcpserver's access controls, but you could of course
keep it if you need it for non-tcpserver stuff)
* OpenSSL .97b default compile, meaning threads were automatically
enabled.
* qmail 1.03
* daemontools 0.76
* ucspi-tcp 0.88

Here are the files involved along with comments. This will make the
most sense if you read and followed "The qmail Handbook" (which I
highly recommend) or are already familiar with qmail, tcpserver and
daemontools.

--- Start: shell output ---
[mailserver]# cat /var/qmail/supervise/pop3sd/run
#!/bin/sh

# Concurrency limit read from the qmail control file (Dave Sill's pattern).
MAXPOP3D=`head -1 /var/qmail/control/concurrencypop3`
if [ -z "$MAXPOP3D" ]; then
    echo MAXPOP3D is unset in
    echo $0
    exit 1
fi
# tcpserver accepts on port 995 and runs stunnel per connection:
#   -v verbose log, -R no ident lookup, -H no remote hostname lookup,
#   -l 0 local hostname "0", -x access-control cdb, -c concurrency limit.
exec /usr/local/bin/softlimit -m 3000000 \
    /usr/local/bin/tcpserver -v -R -H -l 0 -x /etc/tcp.pop3.cdb -c "$MAXPOP3D" \
    0 995 /usr/local/sbin/stunnel /usr/local/etc/stunnel/pop3s.conf 2>&1
--- End: shell output ---

The "MAXPOP3D" stuff is from Dave Sill and just reads in a concurrency
limit from a text file. The important part is the "exec" line. If you
compare this with Dave Sill's version for stunnel 3, you can see that
I've simply taken out the old stunnel command line arguments and
replaced them with the new stunnel configuration file argument. The
stderr redirection at the end (i.e. "2>&1") is left in place.


--- Start: shell output ---
[mailserver]# cat /usr/local/etc/stunnel/pop3s.conf
cert = /usr/local/etc/stunnel/stunnel.pem
exec = /var/qmail/bin/qmail-popup
execargs = qmail-popup mail.example.com /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir
foreground = yes
--- End: shell output ---

Notice that I'm following Dave Sill's advice to keep stunnel in the
foreground when being called from tcpserver. I'm also paying attention to
the "Inetd Mode" instructions in the stunnel 4 man page, which of
course apply to tcpserver as well (tcpserver is mentioned specifically
in the man page). Those instructions state that we should not use any
"accept" option and should not be using a [service_name] section.
Instead, tcpserver handles the connection and stunnel passes it along
using the exec and execargs options. I tried setting "output =
/dev/stdout" as I found in a post on this subject but it resulted in an
error. The "2>&1" redirection in .../supervise/pop3sd/run works fine
with the default stunnel 4 output and whatever output level you set
with the "debug" option will be logged.

--- Start: shell output ---
[mailserver]# cat /var/qmail/supervise/pop3sd/log/run
#!/bin/sh

exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog \
    t /var/log/qmail/pop3sd
--- End: shell output ---

Here is my multilog run file for good measure. No changes were
necessary to accommodate stunnel. My log files contain both qmail-pop3d
output and stunnel output. In fact I will begin playing around with the
"debug" option in my pop3s.conf file to decrease the stunnel output, as
there is more stunnel output than tcpserver output.

Sample log file output (my mail server's ip has been replaced with
255.255.255.255):
--- Start: shell output ---
[mailserver]# tai64nlocal < /var/log/qmail/pop3sd/current
2003-08-03 12:41:02.111057500 tcpserver: status: 1/20
2003-08-03 12:41:02.111170500 tcpserver: pid 19664 from 192.168.0.4
2003-08-03 12:41:02.111254500 tcpserver: ok 19664 0:255.255.255.255:995 :192.168.0.4::50680
2003-08-03 12:41:02.112566500 2003.08.03 12:41:02 LOG5[19664:1074019392]: stunnel 4.04 on i686-pc-linux-gnu PTHREAD with OpenSSL 0.9.7b 10 Apr 2003
2003-08-03 12:41:02.118022500 2003.08.03 12:41:02 LOG5[19664:1074019392]: stunnel connected from 192.168.0.4:50680
2003-08-03 12:41:02.703921500 2003.08.03 12:41:02 LOG5[19664:1074019392]: Connection closed: 70 bytes sent to SSL, 55 bytes sent to socket
2003-08-03 12:41:02.704566500 tcpserver: end 19664 status 0
2003-08-03 12:41:02.704568500 tcpserver: status: 0/20
2003-08-03 12:41:02.712961500 tcpserver: status: 1/20
2003-08-03 12:41:02.713137500 tcpserver: pid 19668 from 192.168.0.4
2003-08-03 12:41:02.713218500 tcpserver: ok 19668 0:255.255.255.255:995 :192.168.0.4::50684
2003-08-03 12:41:02.714449500 2003.08.03 12:41:02 LOG5[19668:1074019392]: stunnel 4.04 on i686-pc-linux-gnu PTHREAD with OpenSSL 0.9.7b 10 Apr 2003
2003-08-03 12:41:02.719909500 2003.08.03 12:41:02 LOG5[19668:1074019392]: stunnel connected from 192.168.0.4:50684
2003-08-03 12:41:03.215021500 2003.08.03 12:41:03 LOG5[19668:1074019392]: Connection closed: 233 bytes sent to SSL, 46 bytes sent to socket
2003-08-03 12:41:03.215453500 tcpserver: end 19668 status 0
2003-08-03 12:41:03.215472500 tcpserver: status: 0/20
--- End: shell output ---

Conclusion: This is a very straightforward way to replace stunnel 3 with
stunnel 4 for qmail-pop3d under tcpserver and daemontools. The pop3sd
service can be run with no dependence on a regular qmail-pop3d service.
In fact, on my machine there is nothing running on port 110, which is
exactly the way I like it.

Hope this helps someone,
Ryan Holmes
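Editor's added example, not code from Ryan's post, from stunnel or from qmail: a small shell script that turns two points of the write-up into repeatable checks. The first function lints a pop3s.conf against the "Inetd Mode" rules the setup depends on (no [service] section, no accept= option, foreground = yes, and cert/exec/execargs present), so a config that was accidentally written for stand-alone stunnel is caught before tcpserver launches it. The second function reads the tai64nlocal'd multilog shown above and correlates tcpserver's "pid ... from" lines with stunnel's "Connection closed" lines by pid, giving per-client connection counts and byte totals, which is a quick way to confirm that every accepted connection really went through stunnel. The option names, the file contents and the log lines embedded here are constructed from the post; the script's own names (check_inetd_conf, write_conf, summarize_pop3s_log, sample_log) are hypothetical.

```shell
#!/bin/sh
# Added example; not code from the original post, stunnel or qmail.
#   check_inetd_conf     lint a pop3s.conf against the "Inetd Mode" rules
#                        (no [service] section, no accept=, foreground = yes,
#                        cert/exec/execargs present)
#   summarize_pop3s_log  correlate tcpserver "pid ... from" lines with stunnel
#                        "Connection closed" lines by pid; per-client totals
# Assumptions (hypothetical): option names as in the post's pop3s.conf, and
# log records in the tai64nlocal form shown in the post, one record per line.

# check_inetd_conf FILE: print one line per problem; return 1 if any, else 0.
check_inetd_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "$conf: not readable"; return 1; }
    # tcpserver owns the listening socket, so the config must not define a
    # [service] section or an accept= option of its own.
    if grep -q '^[[:space:]]*\[' "$conf"; then
        echo "$conf: has a [service] section (inetd mode uses global options only)"; rc=1
    fi
    if grep -Eq '^[[:space:]]*accept[[:space:]]*=' "$conf"; then
        echo "$conf: accept= is set (tcpserver already accepted the connection)"; rc=1
    fi
    # The decrypted connection must be handed to a local program via exec/execargs.
    for opt in cert exec execargs; do
        grep -Eq "^[[:space:]]*$opt[[:space:]]*=" "$conf" || { echo "$conf: missing $opt"; rc=1; }
    done
    # Under supervise/tcpserver the child must not daemonize.
    grep -Eq '^[[:space:]]*foreground[[:space:]]*=[[:space:]]*yes' "$conf" \
        || { echo "$conf: foreground = yes is required under tcpserver"; rc=1; }
    return $rc
}

# write_conf good|bad: write a constructed sample config to a temp file, print its path.
write_conf() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat >"$f" <<'EOF'
cert = /usr/local/etc/stunnel/stunnel.pem
exec = /var/qmail/bin/qmail-popup
execargs = qmail-popup mail.example.com /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir
foreground = yes
EOF
    else
        # Daemon-style config: right for stand-alone stunnel, wrong under tcpserver.
        cat >"$f" <<'EOF'
cert = /usr/local/etc/stunnel/stunnel.pem
[pop3s]
accept = 995
connect = 110
EOF
    fi
    echo "$f"
}

# summarize_pop3s_log: read a tai64nlocal'd multilog on stdin and print
# "<client-ip> <connections> <bytes sent to SSL> <bytes sent to socket>" per client.
summarize_pop3s_log() {
    awk '
    # tcpserver -v: "tcpserver: pid <pid> from <client-ip>" ties a child pid to its peer.
    $3 == "tcpserver:" && $4 == "pid" && $6 == "from" { ip_of[$5] = $7; conns[$7]++; next }
    # stunnel: "LOGn[<pid>:<tid>]: Connection closed: N bytes sent to SSL, M bytes sent to socket"
    /LOG[0-9]\[[0-9]+:[0-9]+\]: Connection closed:/ {
        match($0, /LOG[0-9]\[[0-9]+:/)
        pid = substr($0, RSTART + 5, RLENGTH - 6)
        ip = ip_of[pid]
        if (ip == "") next                 # no tcpserver line seen for this pid
        for (i = 2; i <= NF; i++) {
            if ($i == "bytes" && $(i + 3) ~ /^SSL/)         { to_ssl[ip]  += $(i - 1) }
            else if ($i == "bytes" && $(i + 3) ~ /^socket/) { to_sock[ip] += $(i - 1) }
        }
    }
    END { for (ip in conns) printf "%s %d %d %d\n", ip, conns[ip], to_ssl[ip], to_sock[ip] }'
}

# sample_log: constructed from the post's log excerpt, one record per line.
sample_log() {
    cat <<'EOF'
2003-08-03 12:41:02.111170500 tcpserver: pid 19664 from 192.168.0.4
2003-08-03 12:41:02.118022500 2003.08.03 12:41:02 LOG5[19664:1074019392]: stunnel connected from 192.168.0.4:50680
2003-08-03 12:41:02.703921500 2003.08.03 12:41:02 LOG5[19664:1074019392]: Connection closed: 70 bytes sent to SSL, 55 bytes sent to socket
2003-08-03 12:41:02.704566500 tcpserver: end 19664 status 0
2003-08-03 12:41:02.713137500 tcpserver: pid 19668 from 192.168.0.4
2003-08-03 12:41:03.215021500 2003.08.03 12:41:03 LOG5[19668:1074019392]: Connection closed: 233 bytes sent to SSL, 46 bytes sent to socket
2003-08-03 12:41:03.215453500 tcpserver: end 19668 status 0
EOF
}

# Stand-alone use: sh pop3s_check.sh /usr/local/etc/stunnel/pop3s.conf < /var/log/qmail/pop3sd/current
if [ $# -ge 1 ]; then
    check_inetd_conf "$1" && echo "$1: ok for inetd mode"
    summarize_pop3s_log
fi
```

Run against the good sample config the lint is silent and returns 0; against the daemon-style one it reports five problems, which is exactly the failure mode the man page's inetd-mode notes warn about. Over the sample log the summary prints `192.168.0.4 2 303 101`: two connections, 303 bytes sent into the TLS side and 101 bytes handed to qmail-popup, matching the two "Connection closed" lines in the post. A client that appears in tcpserver's "pid ... from" lines but never in a stunnel "Connection closed" line is worth a look, since it means the TLS handshake never completed for that session.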