[Ednote: See the website listed for the majority of the information available with the patch.]

Date: 24 Jan 2003 11:55:05 -0500
From: Scott Gifford

Eben writes:

> I prefer running stunnel 4.x as a service under daemontools.
> I haven't been able to get its logging running as a service however,
> see
> http://marc.theaimsgroup.com/?l=stunnel-users&m=104086103019110&w=2.

I have stunnel 3 working under daemontools OK, although with some patches. I haven't tried stunnel 4 yet.

I have a page about my stunnel patches at:

http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/stunnel-tlsproxy.html

which includes my qmail-pop3d runfile.

Hope this helps,

----ScottG.

[Ednote: the following is snagged from http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/stunnel3.22-sg2.README which has more details. See the actual link, since this version is not in sync with any changes he makes.]

In the process of making stunnel work exactly how I want it to with qmail, I came up with some patches. You can get information about what I'm working on at:

http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/stunnel-tlsproxy.html

Originally, this was several different patches; that was annoying to maintain, so I've combined them into one big patch. I'll be happy to try splitting this back up again if people would find it useful.

* Paranoia Changes

These changes allow stunnel to run more securely in some situations, by accepting a flag which causes stunnel to chroot immediately after starting, and another flag which causes stunnel to do the setuid/setgid calls immediately, instead of waiting until after the sockets are open. The flags added are:

-/ chroot-dir: chroot(chroot-dir) as soon as starting up. Note that any files or directories you require, such as the PID directory, must be created within the new root. Additionally, you must create a fake path within your chroot directory to contain the openssl configuration file.

-i: setuid()/setgid() immediately, instead of waiting until after listening on the socket.

Additionally, these changes make the UID and GID given to the -s and -g options be used directly as numeric IDs, instead of being looked up in /etc/passwd or /etc/group, if they consist entirely of digits.

= Changes since original

Numeric UIDs/GIDs are now supported even if the "-i" flag isn't used.

* OpenFD Changes

These changes allow stunnel to do secure forwarding to a file descriptor, instead of to a local program or a remote program. It only makes sense to use this in conjunction with the -f flag, under something like inetd or tcpserver. It is your responsibility to have the file descriptor opened when stunnel is run. The flag added is:

-F fd: Do secure forwarding to file descriptor fd. This descriptor must be a socket, since two-way communications are required.

Information about a program which will set up the socket and file descriptor properly is available in smtp-tls.README.

= Changes since original version

None.

* Protocol Changes

IMAP client and server support is added.

This patch adds support for "plaintext passthrough" for the SMTP, POP3, and IMAP protocols in server mode, if the protocol name given to the -n flag is followed by a minus sign (such as "-n pop3-"). Plaintext passthrough watches for commands which determine capabilities (EHLO, CAPA, CAPABILITY) and commands which start TLS (STARTTLS, STLS). If a command to start TLS is seen, stunnel switches to TLS mode and becomes a TLS proxy. If any other command is received, TLS capabilities are disabled, and stunnel becomes a simple proxy, passing all data through unmodified. If plaintext passthrough isn't requested by the command-line options, the connection will be dropped upon receipt of any non-TLS and non-capability command.

Capability probe commands (EHLO, CAPA, CAPABILITY) are augmented to get the capabilities of the original server (by passing along the command sent by the client), and add the TLS capability to it in a protocol-appropriate way.

= Changes since original version

IMAP support added.
Plaintext passthrough added for POP3, IMAP.
Bugs in original patch involving line-endings are fixed.
Bugs in original patch involving blank lines are fixed.
fdgets, fdputs, and fdwrite are added.
Plaintext passthrough is only used when the protocol name is followed by a minus sign. For example, "-n smtp-".
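The following is an added illustration, not code from the stunnel patch, of the plaintext-passthrough decision and capability augmentation the README describes: the first non-probe command decides whether stunnel becomes a TLS proxy, a plain pass-through proxy, or drops the connection, and probe replies from the real server gain a TLS capability. The exact capability words advertised and the handling of IMAP command tags are assumptions, and the sample server replies are constructed.

```python
# Added model (not stunnel's code) of the patch's "plaintext passthrough"
# logic: classify the client's early commands and pick the proxy mode.
# The advertised capability words are assumptions about the patch.
PROTOCOLS = {
    "smtp": {"probe": {"EHLO"}, "tls": {"STARTTLS"}, "cap": "STARTTLS"},
    "pop3": {"probe": {"CAPA"}, "tls": {"STLS"}, "cap": "STLS"},
    "imap": {"probe": {"CAPABILITY"}, "tls": {"STARTTLS"}, "cap": "STARTTLS"},
}

def parse_protocol_option(arg):
    # -n value: a trailing minus sign ("pop3-") requests passthrough.
    name, passthrough = arg.rstrip("-"), arg.endswith("-")
    if name not in PROTOCOLS:
        raise ValueError("unknown protocol: %r" % arg)
    return name, passthrough

def command_verb(line, proto):
    # IMAP commands are prefixed with a tag ("a001 CAPABILITY"); assumed here.
    words = line.strip().split()
    if proto == "imap" and len(words) >= 2:
        return words[1].upper()
    return words[0].upper() if words else ""

def augment_capabilities(proto, server_lines):
    # Add the TLS capability to the real server's probe reply.
    cap = PROTOCOLS[proto]["cap"]
    if proto == "smtp":
        # EHLO reply: "250-X" continuation lines, "250 X" final line.
        last = server_lines[-1]
        return server_lines[:-1] + ["250-" + last[4:], "250 " + cap]
    if proto == "pop3":
        # CAPA reply is terminated by a line holding a single ".".
        return server_lines[:-1] + [cap, "."]
    # IMAP: extend the untagged "* CAPABILITY ..." line.
    return [l + " " + cap if l.upper().startswith("* CAPABILITY") else l
            for l in server_lines]

def decide(proto_arg, client_lines):
    # Returns 'tls', 'passthrough', 'drop' or 'watching' (no decision yet).
    proto, passthrough = parse_protocol_option(proto_arg)
    p = PROTOCOLS[proto]
    for line in client_lines:
        verb = command_verb(line, proto)
        if verb in p["probe"]:
            continue                      # answered with augmented caps
        if verb in p["tls"]:
            return "tls"                  # become a TLS proxy
        return "passthrough" if passthrough else "drop"
    return "watching"
```

Without the trailing minus sign, a client that sends USER after CAPA is dropped; with "-n pop3-" the same session is passed through unmodified, which is the behaviour the README describes.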