[NSLUG] Stunnel in client mode? 2020 monthly meeting re. HCC suggested future plans

Mike Spencer

My ISP has announced termination of cleartext POP3 service on port 110
with only a few days' notice. [GASP!] To be replaced by TLS POP3 on
port 995.

I've used GNU Emacs' RMAIL for mail for over 20 years.  It uses its own
version of the movemail utility (which interoperates perfectly with
Emacs' RMAIL mail reader/management feature) to fetch POP3 mail and
has always just worked out of the box.  But the Emacs-distro version
of movemail isn't TLS capable.  Skipping over why setting up the
"other" version of movemail (from GNU mailutils, we can come back to
that if necessary) may be non-optimal.....

How does stunnel work in client mode?  How do you actually *do* it?

Suppose I have a /etc/stunnel/stunnel.conf file like this:

   [pop3]
   client = yes
   accept = 127.0.0.1:110
   connect = my-isp-host.com:995

Can I then just run "stunnel" or "stunnel &" (as root) from the
command line and then expect to be able to fetch email with a
TLS-unaware program that tries to connect port 110?  Will stunnel then
run as a daemon, hook into inetd, trap all attempted connections made
on localhost to port 110 at my-isp-host.com and re-route them to port
995 with TLS enabled?

I don't understand the syntax or implications of the "accept" config
option.  On-line examples don't make it any more clear.

Seems the chief purpose of stunnel is to run on a server and the
documentation runs heavy to complicated stuff about certs and other
server management details that don't apply to client mode.  I just
want to continue to use a TLS-unaware version of movemail to fetch my
email.

Has anybody done this?  Can anybody give me cookbook directions, an
explanation of how stunnel actually works, explanation of the "accept"
config option or, preferably, all of those?

TIA,
- Mike
--
Michael Spencer                  Nova Scotia, Canada       .~.
                                                           /V\
[hidden email]                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^

The thought of having to use webmail fills me with loathing and dread.
_______________________________________________
nSLUG mailing list
[hidden email]
http://nslug.ns.ca/mailman/listinfo/nslug
Re: [NSLUG] Stunnel in client mode?

Mike Spencer

Sorry about mucking up the Subject: line.  Now how did I do that?

My post was only about stunnel, not NSLUG meetings.

Re: [NSLUG] Stunnel in client mode? 2020 monthly meeting re. HCC suggested future plans

Robert McKay
In reply to this post by Mike Spencer

I'm doing something similar to reply to you. I set up some DOS packet
drivers and WATTCP inside a virtual box and I'm typing this reply from PC
PINE 3.91 running under MSDOS 6.22.

Unfortunately PC PINE wasn't built with TLS support and I didn't really
want to enable plain text IMAP on my mail server, so I used this command
to set up a proxy;

socat TCP4-LISTEN:143,fork openssl:mail.mckay.com:imaps

I note you want to use pop3, so for that the command would be similar;

socat TCP4-LISTEN:110,fork openssl:mail.yourisp.com:995

Certainly the same thing could be accomplished with stunnel somehow but I
don't know the syntax off the top of my head.

Cheers,
Robert

On Wed, 25 Mar 2020, Mike Spencer wrote:
 
> My ISP has announced termination of cleartext POP3 service on port 110
> with only a few days' notice. [GASP!] To be replaced by TLS POP3 on
> port 995.
>
> I've used GNU Emacs' RMAIL for mail for over 20 years.  It uses its own
> version of the movemail utility (which interoperates perfectly with
> Emacs' RMAIL mail reader/management feature) to fetch POP3 mail and
> has always just worked out of the box.  But the Emacs-distro version
> of movemail isn't TLS capable.  Skipping over why setting up the
> "other" version of movemail (from GNU mailutils, we can come back to
> that if necessary) may be non-optimal.....
>
> Has anybody done this?  Can anybody give me cookbook directions, an
> explanation of how stunnel actually works, explanation of the "accept"
> config option or, preferably, all of those?


Re: [NSLUG] Stunnel in client mode? 2020 monthly meeting re. HCC suggested future plans

Tony Rowe
In reply to this post by Mike Spencer
Hi Mike,

On Wed, Mar 25, 2020 at 01:37:25AM -0300, Mike wrote:
>
> My ISP has announced termination of cleartext POP3 service on port 110
> with only a few days' notice. [GASP!] To be replaced by TLS POP3 on
> port 995.
>
Sounds like fun...

>
> How does stunnel work in client mode?  How do you actually *do* it?
>
> Suppose I have a /etc/stunnel/stunnel.conf file like this:
>
>    [pop3]
>    client = yes
>    accept = 127.0.0.1:110
>    connect = my-isp-host.com:995
>
> Can I then just run "stunnel" or "stunnel &" (as root) from the
> command line and then expect to be able to fetch email with a
> TLS-unaware program that tries to connect port 110?  Will stunnel then
> run as a daemon, hook into inetd, trap all attempted connections made
> on localhost to port 110 at my-isp-host.com and re-route them to port
> 995 with TLS enabled?
>

I don't know if you can use a tls-unaware program for sending but
receiving should be trivial, I think.  FWIW my setup using POP3
with chebucto is to use stunnel4 and msmtp to send, and getmail4 to
receive.  My configs are as follows

- my /etc/stunnel/stunnel.conf is:

client = yes

[smtp-tls-wrapper]
accept = 127.0.0.1:11125
connect = smtp.chebucto.ns.ca:smtps
delay = yes

- my /etc/msmtp.conf is:

#tls on
#tls_certcheck off
#tls_cert_file /etc/ssl/certs/ca-certificates.crt
#tls_trust_file /etc/ssl/certs/ca-certificates.crt
#tls_key_file /etc/ssl/private/ssl-cert-snakeoil.key
tls_starttls off
auth login
port 11125
host 127.0.0.1
from [hidden email]
user ay986
password ********
logfile /home/tony/log/mail.info

- my ~/getmailrc for chebucto is:

[options]
delete=true
#delete=false

[retriever]
type = SimplePOP3Retriever
server = pop.chebucto.ns.ca
username = ay986
password = ********

[destination]

type = Mboxrd
path = ~/mail/inbox

- Perhaps more relevant for your case use is my getmailrc for gmail
(which uses port 995 with tls).  It is:

tony@dropshot:~$ cat .getmail/gmail

[options]
delete=true
#delete=false

[retriever]
type=SimplePOP3SSLRetriever
server=pop.gmail.com
port=995
username=*******
password=********

[destination]
type=Mboxrd
path=~/mail/inbox

- Then to get my mail I run either

tony@dropshot:~$ getmail (for chebucto mail) or
tony@dropshot:~$ getmail --rcfile=gmail  (for gmail)

Tony

Re: [NSLUG] Stunnel in client mode? 2020 monthly meeting re. HCC suggested future plans

Zachariah Gibbens
In reply to this post by Mike Spencer
That's exactly what you'd do, it's just a tls wrapper so your mail
client connects to localhost:110 (that's what the accept line is for,
you could change the hostname and port if you wanted, just as long as
your mail client matches.)

I've always used it via an inetd service, but I am unaware why you
couldn't just invoke it directly. If you change accept to an
unprivileged port you wouldn't need root.

On 3/25/2020 12:37 AM, [hidden email] wrote:

>
> My ISP has announced termination of cleartext POP3 service on port 110
> with only a few days' notice. [GASP!] To be replaced by TLS POP3 on
> port 995.
>
> I've used GNU Emacs' RMAIL for mail for over 20 years.  It uses its own
> version of the movemail utility (which interoperates perfectly with
> Emacs' RMAIL mail reader/management feature) to fetch POP3 mail and
> has always just worked out of the box.  But the Emacs-distro version
> of movemail isn't TLS capable.  Skipping over why setting up the
> "other" version of movemail (from GNU mailutils, we can come back to
> that if necessary) may be non-optimal.....
>
> How does stunnel work in client mode?  How do you actually *do* it?
>
> Suppose I have a /etc/stunnel/stunnel.conf file like this:
>
>     [pop3]
>     client = yes
>     accept = 127.0.0.1:110
>     connect = my-isp-host.com:995
>
> Can I then just run "stunnel" or "stunnel &" (as root) from the
> command line and then expect to be able to fetch email with a
> TLS-unaware program that tries to connect port 110?  Will stunnel then
> run as a daemon, hook into inetd, trap all attempted connections made
> on localhost to port 110 at my-isp-host.com and re-route them to port
> 995 with TLS enabled?
>
> I don't understand the syntax or implications of the "accept" config
> option.  On-line examples don't make it any more clear.
>
> Seems the chief purpose of stunnel is to run on a server and the
> documentation runs heavy to complicated stuff about certs and other
> server management details that don't apply to client mode.  I just
> want to continue to use a TLS-unaware version of movemail to fetch my
> email.
>
> Has anybody done this?  Can anybody give me cookbook directions, an
> explanation of how stunnel actually works, explanation of the "accept"
> config option or, preferably, all of those?
>
> TIA,
> - Mike
> --
> Michael Spencer                  Nova Scotia, Canada       .~.
>                                                             /V\
> [hidden email]                                     /( )\
> http://home.tallships.ca/mspencer/                        ^^-^^
>
> The thought of having to use webmail fills me with loathing and dread.
> _______________________________________________
> nSLUG mailing list
> [hidden email]
> http://nslug.ns.ca/mailman/listinfo/nslug
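
A hardened variant of the client-mode configuration discussed in this thread, added here as an illustration and not taken from any poster's setup. The local port 11110 and the CA bundle path are assumptions, and `verifyChain` and `checkHost` need stunnel 5.x (older releases use `verify = 2`).

```ini
; Added example, not from any poster's setup: stunnel client mode for a
; TLS-unaware POP3 client. Assumed: stunnel 5.x, local port 11110, and a
; Debian-style CA bundle path.

; Stay in the foreground and log to stderr while testing.
foreground = yes
; Empty value: do not write a pid file (a non-root user cannot write the
; default location).
pid =

[pop3]
; Act as a TLS client: plaintext in on "accept", TLS out on "connect".
client = yes
; Local listening socket. Loopback only, so other hosts on the network
; cannot use the tunnel; a port above 1023 so stunnel does not need root.
accept = 127.0.0.1:11110
; Remote TLS endpoint (hostname as written in the original post).
connect = my-isp-host.com:995
; stunnel does not verify the server certificate unless told to. These
; three lines require a chain to a trusted CA and a matching hostname,
; so the POP3 password is not handed to an impostor server.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = my-isp-host.com
```

Run it as an ordinary user with `stunnel /path/to/this.conf` and point the mail client at 127.0.0.1, port 11110. The POP3 session is then cleartext only on the loopback interface and TLS-protected from stunnel to the ISP.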

[NSLUG] Re: Stunnel in client mode?

Mike Spencer
In reply to this post by Robert McKay

Robert McKay <[hidden email]> wrote:

> I'm doing something similar to reply to you. I set up some DOS packet
> drivers and WATTCP inside a virtual box and I'm typing this reply from PC
> PINE 3.91 running under MSDOS 6.22.

Wow! And I thought *I* was clinging to the trailing edge of technology.

> Unfortunately PC PINE wasn't built with TLS support and I didn't really
> want to enable plain text IMAP on my mail server, so I used this command
> to set up a proxy;
>
> socat TCP4-LISTEN:143,fork openssl:mail.mckay.com:imaps
>
> I note you want to use pop3, so for that the command would be similar;
>
> socat TCP4-LISTEN:110,fork openssl:mail.yourisp.com:995

Huh!  Interesting.  I d/l the socat package a few years ago (1.7.2.4
-- version, not 1724 AD :-) but never compiled it.  The manpage is
daunting.

But now that you've mentioned it as a possible solution for problems I
might run into, I'll keep it in mind.

Tnx,
- Mike

PS: Are you writing from Docklands?

--
Michael Spencer                  Nova Scotia, Canada       .~.
                                                           /V\
[hidden email]                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^