stunnel
On the premise “I need to do something utterly useless”, today I enabled SSL on our IRC-server. Since the Dancer IRCd can’t do SSL (at least, as far as I know), I used stunnel to get it to work. The steps to do this are fairly simple, though I did have to spend some time working on a correct config and SSL-certificate. I’ll detail the steps below. For your information, we’re running FreeBSD as our irc-server.
- First, create an SSL certificate. You can do so with the standard OpenSSL tools. I used the command:
openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
I’m not exactly certain if this is the right command to create the document I need, since you need to manually combine those two files. Just do:
cat key.pem > stunnel.pem; cat req.pem >> stunnel.pem
Then edit the resulting file (stunnel.pem) and make an empty line between the lines:
-----END RSA PRIVATE KEY-----
and
-----BEGIN CERTIFICATE-----
We’re all set to go, now.
- Now, create the stunnel.conf file. Mine looks like this, replace the values as you need them, though:
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /tmp/
pid = /stunnel.pid
setuid=stunnel
setgid=stunnel
client=no
[ircssl]
accept = 7000
connect = irc.cidev.nl:6667
If you’re on a Linux-host, you probably want to add as the final line:
transparent = yes
It’ll try to give people their proper host. Not that it’s really that important. The documents tell me this only works on Linux, though.
- Since I’m on FreeBSD and I want the tunnel to start on boot-up, I need to edit /etc/rc.conf. I add the lines:
stunnel_enable="yes"
stunnel_pidfile="/tmp/stunnel.pid"
Don’t forget to change the location of the pidfile!
- Now, start stunnel with
/usr/local/etc/rc.d/stunnel start
and all should work well. You’ll be asked the password you entered when you created the certificate. This means of course that the next time you start the machine, you’ll need to manually enter this command again to start stunnel. It’s possible though to put the password in a special file, but at the moment I’m too lazy to figure that out.
- Connect to port 7000 with
/sslserver irc.cidev.nl 7000
from within your irc-client and all should be well. Of course, you’ll get an SSL-error, since the certificate is self-signed, but we don’t really care about that :)
- Done and done.
Of course, you want to have stunnel working on the same box as the irc-server, since the connection from stunnel to the irc-server is unencrypted. But you knew that, right?
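As an added example (not part of the original post), here is a small POSIX shell check for the combined stunnel.pem built in the first step. It verifies the layout described above (one private key block, an empty line, then the certificate) and, as an extra check the post does not mention, that group and others have no access to the file, since it holds the private key. The function names and the placeholder sample content are constructed for illustration.

```sh
#!/bin/sh
# check_stunnel_pem FILE: print findings; return 0 only if nothing was found.
check_stunnel_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem"; return 2; }
    rc=0

    # Exactly one private key block and at least one certificate block.
    keys=$(grep -c -e '^-----BEGIN .*PRIVATE KEY-----$' "$pem" || true)
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$pem" || true)
    [ "$keys" -eq 1 ] || { echo "expected 1 private key block, found $keys"; rc=1; }
    [ "$certs" -ge 1 ] || { echo "no certificate block found"; rc=1; }

    # Key first, then an empty line, then the certificate.
    findings=$(awk '
        /^-----END .*PRIVATE KEY-----$/ { after_key = NR + 1; next }
        NR == after_key && $0 != ""     { print "no empty line after the private key" }
        /^-----BEGIN CERTIFICATE-----$/ && !after_key { print "certificate precedes the private key" }
    ' "$pem")
    [ -z "$findings" ] || { echo "$findings"; rc=1; }

    # The bundle contains the private key: group/other need no access at all.
    perms=$(ls -ld "$pem" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "group/other can access $pem ($perms)"; rc=1; }

    return $rc
}

# Writes a constructed sample bundle to $1 (placeholder bytes, not a real key).
# $2 = blank inserts the empty line between the blocks; anything else omits it.
write_sample_pem() {
    {
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
                      '-----END RSA PRIVATE KEY-----'
        if [ "$2" = blank ]; then echo; fi
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
                      '-----END CERTIFICATE-----'
    } > "$1"
}

# Usage: sh check_pem.sh /usr/local/etc/stunnel/stunnel.pem
if [ $# -gt 0 ]; then check_stunnel_pem "$1"; fi
```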
Productive today
It seems we’ve been quite productive today. Not only did we finish the core functionality of B3, but we’ve also finished a report about the research we’ve done the last week. Quite on schedule, it was planned for tomorrow. So now I’m able to work a little bit on the Plan of Approach for the following phases of that project. It’s a nice day.
Cyrus IMAPd + SIEVE (2)
Sometimes I just need to try a bit more before I complain about stuff not working ;-) Everything works as it’s supposed to. The vacation-messages are sent, as ordered. Another job well done.
Cyrus IMAPd + SIEVE
Okay, I’m much further now. As I stated earlier, Cyrus is working now and Postfix is actually delivering the message to the correct queue. So now I can mail myself. Next step.
Since we need Squirrelmail together with avelsieve, the SIEVE plugin for Squirrelmail, I installed those and they seem to work. Seem, because I set up a vacation-message in avelsieve for my user and it didn’t trigger or at least didn’t send me a message back when I mailed myself. Ah well, next problem to fix. Ideas are welcome, of course.