My ISP has announced termination of cleartext POP3 service on port 110
with only a few days' notice. [GASP!] To be replaced by TLS POP3 on
port 995.

I've used GNU Emacs' RMAIL for mail for over 20 years. It uses its own
version of the movemail utility (which interoperates perfectly with
Emacs' RMAIL mail reader/management feature) to fetch POP3 mail and
has always just worked out of the box. But the Emacs-distro version
of movemail isn't TLS capable. Skipping over why setting up the
"other" version of movemail (from GNU mailutils, we can come back to
that if necessary) may be non-optimal.....

How does stunnel work in client mode? How do you actually *do* it?

Suppose I have a /etc/stunnel/stunnel.conf file like this:

    [pop3]
    client = yes
    accept = 127.0.0.1:110
    connect = my-isp-host.com:995

Can I then just run "stunnel" or "stunnel &" (as root) from the
command line and then expect to be able to fetch email with a
TLS-unaware program that tries to connect port 110? Will stunnel then
run as a daemon, hook into inetd, trap all attempted connections made
on localhost to port 110 at my-isp-host.com and re-route them to port
995 with TLS enabled?

I don't understand the syntax or implications of the "accept" config
option. On-line examples don't make it any more clear.

Seems the chief purpose of stunnel is to run on a server and the
documentation runs heavy to complicated stuff about certs and other
server management details that don't apply to client mode. I just
want to continue to use a TLS-unaware version of movemail to fetch my
email.

Has anybody done this? Can anybody give me cookbook directions, an
explanation of how stunnel actually works, explanation of the "accept"
config option or, preferably, all of those?

TIA,
- Mike

--
Michael Spencer                  Nova Scotia, Canada       .~.
                                                           /V\
[hidden email]                                            /( )\
http://home.tallships.ca/mspencer/                        ^^-^^

The thought of having to use webmail fills me with loathing and dread.
_______________________________________________
nSLUG mailing list
[hidden email]
http://nslug.ns.ca/mailman/listinfo/nslug
Sorry about mucking up the Subject: line. Now how did I do that? My post was only about stunnel, not NSLUG meetings.
In reply to this post by Mike Spencer
I'm doing something similar to reply to you. I set up some DOS packet
drivers and WATTCP inside a virtual box and I'm typing this reply from PC
PINE 3.91 running under MSDOS 6.22.

Unfortunately PC PINE wasn't built with TLS support and I didn't really
want to enable plain text IMAP on my mail server, so I used this command
to set up a proxy;

    socat TCP4-LISTEN:143,fork openssl:mail.mckay.com:imaps

I note you want to use pop3, so for that the command would be similar;

    socat TCP4-LISTEN:110,fork openssl:mail.yourisp.com:995

Certainly the same thing could be accomplished with stunnel somehow but I
don't know the syntax off the top of my head.

Cheers,
Robert

On Wed, 25 Mar 2020, Mike Spencer wrote:

> My ISP has announced termination of cleartext POP3 service on port 110
> with only a few days' notice. [GASP!] To be replaced by TLS POP3 on
> port 995.
>
> I've used GNU Emacs' RMAIL for mail for over 20 years. It uses its own
> version of the movemail utility (which interoperates perfectly with
> Emacs' RMAIL mail reader/management feature) to fetch POP3 mail and
> has always just worked out of the box. But the Emacs-distro version
> of movemail isn't TLS capable. Skipping over why setting up the
> "other" version of movemail (from GNU mailutils, we can come back to
> that if necessary) may be non-optimal.....
>
> Has anybody done this? Can anybody give me cookbook directions, an
> explanation of how stunnel actually works, explanation of the "accept"
> config option or, preferably, all of those?
In reply to this post by Mike Spencer
Hi Mike,
On Wed, Mar 25, 2020 at 01:37:25AM -0300, Mike wrote:
>
> My ISP has announced termination of cleartext POP3 service on port 110
> with only a few days' notice. [GASP!] To be replaced by TLS POP3 on
> port 995.
>

Sounds like fun...

>
> How does stunnel work in client mode? How do you actually *do* it?
>
> Suppose I have a /etc/stunnel/stunnel.conf file like this:
>
>     [pop3]
>     client = yes
>     accept = 127.0.0.1:110
>     connect = my-isp-host.com:995
>
> Can I then just run "stunnel" or "stunnel &" (as root) from the
> command line and then expect to be able to fetch email with a
> TLS-unaware program that tries to connect port 110? Will stunnel then
> run as a daemon, hook into inetd, trap all attempted connections made
> on localhost to port 110 at my-isp-host.com and re-route them to port
> 995 with TLS enabled?
>

I don't know if you can use a tls-unaware program for sending but
receiving should be trivial, I think.

FWIW my setup using POP3 with chebucto is to use stunnel4 and msmtp to
send, and getmail4 to receive. My configs are as follows

- my /etc/stunnel/stunnel.conf is:

    client = yes
    [smtp-tls-wrapper]
    accept = 127.0.0.1:11125
    connect = smtp.chebucto.ns.ca:smtps
    delay = yes

- my /etc/msmtp.conf is:

    #tls on
    #tls_certcheck off
    #tls_cert_file /etc/ssl/certs/ca-certificates.crt
    #tls_trust_file /etc/ssl/certs/ca-certificates.crt
    #tls_key_file /etc/ssl/private/ssl-cert-snakeoil.key
    tls_starttls off
    auth login
    port 11125
    host 127.0.0.1
    from [hidden email]
    user ay986
    password ********
    logfile /home/tony/log/mail.info

- my ~/getmailrc for chebucto is:

    [options]
    delete=true
    #delete=false
    [retriever]
    type = SimplePOP3Retriever
    server = pop.chebucto.ns.ca
    username = ay986
    password = ********
    [destination]
    type = Mboxrd
    path = ~/mail/inbox

- Perhaps more relevant for your case use is my getmailrc for gmail
  (which uses port 995 with tls). It is:

    tony@dropshot:~$ cat .getmail/gmail
    [options]
    delete=true
    #delete=false
    [retriever]
    type=SimplePOP3SSLRetriever
    server=pop.gmail.com
    port=995
    username=*******
    password=********
    [destination]
    type=Mboxrd
    path=~/mail/inbox

- Then to get my mail I run either

    tony@dropshot:~$ getmail

  (for chebucto mail) or

    tony@dropshot:~$ getmail --rcfile=gmail

  (for gmail)

Tony
In reply to this post by Mike Spencer
That's exactly what you'd do, it's just a tls wrapper so your mail
client connects to localhost:110 (that's what the accept line is for,
you could change the hostname and port if you wanted, just as long as
your mail client matches.)

I've always used it via an inetd service, but I am unaware why you
couldn't just invoke it directly. If you change accept to an
unprivileged port you wouldn't need root.

On 3/25/2020 12:37 AM, [hidden email] wrote:
>
> My ISP has announced termination of cleartext POP3 service on port 110
> with only a few days' notice. [GASP!] To be replaced by TLS POP3 on
> port 995.
>
> I've used GNU Emacs' RMAIL for mail for over 20 years. It uses its own
> version of the movemail utility (which interoperates perfectly with
> Emacs' RMAIL mail reader/management feature) to fetch POP3 mail and
> has always just worked out of the box. But the Emacs-distro version
> of movemail isn't TLS capable. Skipping over why setting up the
> "other" version of movemail (from GNU mailutils, we can come back to
> that if necessary) may be non-optimal.....
>
> How does stunnel work in client mode? How do you actually *do* it?
>
> Suppose I have a /etc/stunnel/stunnel.conf file like this:
>
>     [pop3]
>     client = yes
>     accept = 127.0.0.1:110
>     connect = my-isp-host.com:995
>
> Can I then just run "stunnel" or "stunnel &" (as root) from the
> command line and then expect to be able to fetch email with a
> TLS-unaware program that tries to connect port 110? Will stunnel then
> run as a daemon, hook into inetd, trap all attempted connections made
> on localhost to port 110 at my-isp-host.com and re-route them to port
> 995 with TLS enabled?
>
> I don't understand the syntax or implications of the "accept" config
> option. On-line examples don't make it any more clear.
>
> Seems the chief purpose of stunnel is to run on a server and the
> documentation runs heavy to complicated stuff about certs and other
> server management details that don't apply to client mode. I just
> want to continue to use a TLS-unaware version of movemail to fetch my
> email.
>
> Has anybody done this? Can anybody give me cookbook directions, an
> explanation of how stunnel actually works, explanation of the "accept"
> config option or, preferably, all of those?
>
> TIA,
> - Mike
> --
> Michael Spencer                  Nova Scotia, Canada       .~.
>                                                            /V\
> [hidden email]                                            /( )\
> http://home.tallships.ca/mspencer/                        ^^-^^
>
> The thought of having to use webmail fills me with loathing and dread.
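Added example, not part of any post in this thread and not stunnel's own code: a Python relay that does what the "accept"/"connect" pair in the question's client-mode configuration describes, listening in plaintext on the local machine and carrying each connection to the remote host over certificate-verified TLS. The function names and the unprivileged port 1110 are assumptions; my-isp-host.com is the placeholder host from the question.

```python
import socket, ssl, threading

def tls_context():
    # Default context: verifies certificate chain and host name (system CAs).
    return ssl.create_default_context()

def connect_tls(host, port):
    """The 'connect =' half: TCP to host:port, then a verified TLS handshake."""
    raw = socket.create_connection((host, port))
    return tls_context().wrap_socket(raw, server_hostname=host)

def pump(src, dst):
    """Copy bytes one way; when either side ends, tear down both sockets."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except (OSError, ValueError):
        pass
    for s in (src, dst):
        try:
            s.shutdown(socket.SHUT_RDWR)  # also unblocks the other pump thread
        except OSError:
            pass

def handle(client, upstream_factory):
    try:
        upstream = upstream_factory()
    except OSError:  # refused connection, TLS or certificate failure
        client.close()
        return
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    for s in (client, upstream):
        s.close()

def serve(accept_host, accept_port, upstream_factory):
    """The 'accept =' half: a plaintext listener the mail client connects to."""
    lsock = socket.create_server((accept_host, accept_port))
    def loop():
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=handle, args=(conn, upstream_factory), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return lsock

if __name__ == "__main__":  # host from the question; port 1110 is an assumption
    serve("127.0.0.1", 1110, lambda: connect_tls("my-isp-host.com", 995))
    threading.Event().wait()
```

The relay drops the session if the certificate check fails. In stunnel itself that check is off unless verification options such as verifyChain, CAfile and checkHost (stunnel 5.x) are set in the service section.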
In reply to this post by Robert McKay
Robert McKay <[hidden email]> wrote:

> I'm doing something similar to reply to you. I set up some DOS packet
> drivers and WATTCP inside a virtual box and I'm typing this reply from PC
> PINE 3.91 running under MSDOS 6.22.

Wow! And I thought *I* was clinging to the trailing edge of technology.

> Unfortunately PC PINE wasn't built with TLS support and I didn't really
> want to enable plain text IMAP on my mail server, so I used this command
> to set up a proxy;
>
>     socat TCP4-LISTEN:143,fork openssl:mail.mckay.com:imaps
>
> I note you want to use pop3, so for that the command would be similar;
>
>     socat TCP4-LISTEN:110,fork openssl:mail.yourisp.com:995

Huh! Interesting. I d/l the socat package a few years ago (1.7.2.4 --
version, not 1724 AD :-) but never compiled it. The manpage is
daunting. But now that you've mentioned it as a possible solution for
problems I might run into, I'll keep it in mind.

Tnx,
- Mike

PS: Are you writing from Docklands?

--
Michael Spencer                  Nova Scotia, Canada       .~.
                                                           /V\
[hidden email]                                            /( )\
http://home.tallships.ca/mspencer/                        ^^-^^