
Resolved
0 votes
Hi All,

I use stunnel from repository clearos-core to securely wrap emails from my fax machine, which does not support any email security itself.

A while ago, my mail provider deactivated SSL3 in response to the recent security threats and my stunnel stopped working.

In looking at it I found that the stunnel version provided in repository clearos-core is 4.29-3 which according to the stunnel changelog dates back from December 2009 (!) and does not support suppression of the insecure SSL protocols.

My question now is if there are any plans to update the clearos-core stunnel version anytime in the near(er) future?

Thanks in advance!
Ingmar
Wednesday, December 10 2014, 05:55 PM
Responses (5)
  • Accepted Answer

    Wednesday, March 01 2017, 09:24 PM - #Permalink
    Resolved
    0 votes
    Found it. Postfix gained "TLS wrapper mode" support with v3.0.0 - see last entry in Release Notes. ClearOS 7.x still has Postfix 2.10.1 and 6.x is behind that, I believe.
  • Accepted Answer

    Wednesday, March 01 2017, 08:26 PM - #Permalink
    Resolved
    0 votes
    In general, el7 and centos7 packages should work on ClearOS7.x. The main exception is kernel modules which won't work, but there is always a small risk involved. ClearOS even makes available the centos repos to us in mirror repos like clearos-centos. Stunnel 5.40 is not in any of these mirrors. As it is a third party file, obviously the risk is greater but I would expect it to work.

    I used to use stunnel as my ISP tried to force us to use SMTPS, but they backed down. At the same time I started a thread with the postfix guys on their mailing list and they implemented SMTPS. I can't remember which version of postfix you need but I think it is one later than whatever ClearOS7 has.
  • Accepted Answer

    Wednesday, March 01 2017, 07:09 PM - #Permalink
    Resolved
    0 votes
    Thanks Nick for taking the time to answer. I really appreciate it.

    My Email Server is an ISP hosted MS Exchange setup and for the longest time they only supported SSL and not STARTTLS, no idea why. However, made curious by your comment I just checked and lo and behold, once I specified protocol=smtp to coerce the server into listening for plain text at first and only then switching to STARTTLS, it worked like a charm with port 587.

    Thanks also for pointing out the CentOS 7 stunnel 5.40 package on pkgs.org. How compatible are CentOS<>ClearOS really when it comes to rpms? For instance, is a CentOS "7" package an indication that this should work with COS7, etc.?
  • Accepted Answer

    Wednesday, March 01 2017, 12:56 PM - #Permalink
    Resolved
    0 votes
    I've removed the resolved tag.

    clearos-centos is only a mirror of the Centos repo. To get it updated would mean getting upstream to update their package. It is not really up to ClearOS unless they choose to provide the package independently. FWIW pkgs.org have a 5.40 version for Centos6 and 7 which may work.

    Does your ISP support STARTTLS on port 587 as well as SMTPS on 465? SMTPS was never a ratified standard, but it does not stop ISPs from using it. The ratified standard is STARTTLS which is natively supported by postfix. SMTPS will be supported by Postfix but I am not sure if the patches even made it to the version in ClearOS7.

    As a workaround for POPS, you could set up a user/mailbox in ClearOS and use fetchmail to fetch the mail from an external provider with POPS and the fax machine then just polls the account on ClearOS with POP.
  • Accepted Answer

    Wednesday, March 01 2017, 09:52 AM - #Permalink
    Resolved
    1 votes
    Hi All,

    I am not sure how the above post (by me) got a "Resolved" tag, since this issue is clearly not resolved...

    As of today, the stunnel version available in the clearos-centos repository is 4.29-6.el6, which by now is more than 7 years old and if you look at the stunnel version list at https://www.stunnel.org/versions.html you will find that not only are they at version 5.40 by now, but also that there are many (!!) medium and high risk advisories attached to the versions between 4.29 and 5.40.

    I may well be barking up the wrong tree and simply not understand how you handle updating repository listed software, but even in that case perhaps someone from the dev team could quickly set me straight and give a pointer to how things are done.

    Having said that, it is of course not rocket science to set up stunnel oneself and I am currently using 5.40 on my ClearOS 6.8 server, so here are some simple instructions for this...

    Compiling stunnel from source to get latest package
     1. Download latest package from 'https://www.stunnel.org/downloads.html'
     2. Unpack e.g. to '/root/downloads/' (with gunzip and tar xvf)
     3. If not already present install gcc and openssl-devel with yum install gcc and yum install openssl-devel
     4. Since ClearOS installs openssl includes to /usr/include/openssl call './configure' in the stunnel directory with '--with-ssl=/usr'
        i.e. './configure --with-ssl=/usr'
     5. Call 'make' and 'make install' to build and install stunnel.
     6. If desired call 'make check' to test the freshly built binaries in the source location.
     7. If desired call 'make installcheck' to test them at their final locations.
     8. Remove stunnel binaries and object files from the source directory with 'make clean'
     9. Remove also files created by configure with 'make distclean'.
    10. If ever desired, complete removal of all files installed by 'make install' above with 'make uninstall'.

    Install init script by Riccardo Riva
    1. Copy the init script from http://www.riccardoriva.com/blog/?p=1047 to text file.
    2. Apply the changes by Kenneth Holter (Comment #2), which make the start function check for both lock file and pid.
    3. Note: The default installation path for the stunnel package is /usr/local/bin/stunnel, so paths in the init script must be changed accordingly.
    4. Change rights of /etc/init.d/stunnel to 755.
    5. Create stunnel entries for runlevel startup with /sbin/chkconfig --add stunnel

    Example of /etc/stunnel/stunnel.conf
    client=yes
    [smtp]
    accept=25
    connect=smtp.myemailprovider.com:465
    [pop]
    accept=110
    connect=pop.myemailprovider.com:995
    ... which accepts SMTP and POP on insecure ports 25 and 110 and relays them to SSL ports 465 and 995 on your ISP's email server.
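The thread's point is that the old 4.29 stunnel cannot turn off SSLv3, and the posted stunnel.conf also says nothing about verifying the provider's certificate. The following is an added example, not code from the thread or from the stunnel project: it parses the stunnel.conf format (global keys, then [service] sections, repeatable keys such as `options`) and flags client services that still allow SSLv3, skip certificate verification, or do not check the hostname, with the weak [smtp] service from the post above beside a hardened variant. The hardened keys (`options`, `verify`, `CAfile`, `checkHost`) are stunnel 5.x directives; `checkHost` additionally assumes an OpenSSL 1.0.2 or later build, and the CA bundle path is the usual CentOS/ClearOS one.

```python
from collections import defaultdict

# Constructed sample: the [smtp] service from the stunnel.conf posted above.
WEAK_CONF = """client=yes
[smtp]
accept=25
connect=smtp.myemailprovider.com:465
"""
# Constructed hardened variant: SSLv3 off, provider certificate verified
# against the system CA bundle and the expected hostname (stunnel 5.x keys).
HARDENED_CONF = """client = yes
options = NO_SSLv3
verify = 2
CAfile = /etc/pki/tls/certs/ca-bundle.crt
[smtp]
accept = 25
connect = smtp.myemailprovider.com:465
checkHost = smtp.myemailprovider.com
"""

def parse(text):
    """Return {section: {key: [values]}}; '' holds the global options."""
    conf, section = defaultdict(lambda: defaultdict(list)), ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif line:
            key, _, value = line.partition("=")
            conf[section][key.strip()].append(value.strip())
    return conf

def audit(text):
    """List (service, problem) pairs for client services, honouring global keys."""
    conf, findings = parse(text), []
    for name, svc in conf.items():
        get = lambda k: svc.get(k) or conf.get("", {}).get(k, [])
        if name == "" or get("client") != ["yes"]:
            continue
        if "NO_SSLv3" not in get("options"):
            findings.append((name, "SSLv3 not disabled"))
        if get("verify") in ([], ["0"]) or not get("CAfile"):
            findings.append((name, "peer certificate not verified"))
        if not get("checkHost"):
            findings.append((name, "hostname not checked"))
    return findings
```

Running `audit(WEAK_CONF)` reports all three problems for the posted config, while `audit(HARDENED_CONF)` returns an empty list.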