
Forum Discussion

xenorph
Aspirant
Dec 30, 2010

HowTo: Stunnel on the Readynas

This is a guide to using Stunnel to establish an SSL connection with your SMTP provider, in my case Gmail. I am using Stunnel to handle connections from a printer/copier/scanner/emailer on my network that doesn't support SSL over SMTP. I also needed Stunnel to start automatically when the Readynas boots, so those steps are included as well. I considered using the Readynas SDK and building a web interface for the service, but the command line was a better choice for me because I'd rather learn this way. Maybe someone else could do that for us all. :)

You will also need root access; you can get this add-on from readynas.com in the add-ons section. Also get the apt-get package manager, which is not on the Readynas by default. Then update apt and install stunnel:
apt-get update

apt-get install stunnel

I purchased a Samsung print/copy/scan/emailer for my Mom. The dumb thing doesn't support SSL over SMTP. :x So we need to route it through a solution like Stunnel. I spent the past couple of days playing with Stunnel on and off. Finally it is functional, including on startup. (I have no idea how reliable it is, but I do confirm I have a link to smtp.gmail.com:465 on startup.) The fact that I power down at 11:30pm and up at 8:00am will probably help its reliability in a roundabout way.

First I found that this command worked best, because when stunnel listened on anything related to localhost, remote devices on the LAN/WAN were unable to talk to it.

/usr/sbin/stunnel -c -d 192.168.99.100:9999 -r smtp.gmail.com:465


-- 192.168.99.100 is the LAN IP of my Readynas; insert your own IP for testing. Port 9999 is the port I chose for my Samsung scanner/copier/printer/emailer to send SMTP to on the Readynas; you can choose any TCP port that isn't in use. I think I used 9999 because it was mentioned in an example on www.stunnel.org, so it just stuck.

For reference, go ahead and enter a line into /etc/services that describes your port (I just put it at the bottom of the file). First make sure that the port you have in mind isn't already listed in /etc/services:

cat /etc/services |grep <port number without brackets>


My entry:
stunnel         9999/tcp                        # Stunnel service port




Next I needed to figure out how to get it running on startup. I fumbled with /etc/inetd.conf for quite a while and am still not sure what it expects; I think it has more to do with the fact that I truly don't know how inetd works. So I walked away from that after hours of testing.

Next, I came across a startup script on www.stunnel.org that could be used in init.d. This was really good because it allowed me to run stunnel in daemon mode, which I had already proved works with the -d option in the earlier command.

-- I created a script called stunnel in /etc/init.d and made it executable, in this case with mode 755.
--
touch /etc/init.d/stunnel

--
chmod 755 /etc/init.d/stunnel   (read/write/execute for root, read and execute for group and others)

--
vi /etc/init.d/stunnel


-- Below is the script to copy and paste into /etc/init.d/stunnel
-- make sure you adjust IP and port to reflect your Readynas LAN IP and the Port you decided to use.

#!/bin/sh
#
# stunnel       Start/Stop the stunnel daemons
#
# description:  stunnel is a script that runs stunnel daemons
# version 1.00
#
# chkconfig: 345 40 60
# processname: stunnel

# Source function library.
. /frontview/bin/functions

# See how we were called.
case "$1" in
  start)
        echo -n "Starting stunnel services: "
        /usr/sbin/stunnel -c -p /etc/ssl/certs/stunnel.pem \
            -d 192.168.99.100:9999 -r smtp.gmail.com:465
        echo
        ;;
  stop)
        echo -n "Stopping stunnel services: "
        killproc stunnel
        echo
        ;;
  status)
        status stunnel
        ;;
  restart)
        /etc/init.d/stunnel stop
        /etc/init.d/stunnel start
        ;;
  *)
        echo "Usage: stunnel {start|stop|status|restart}"
        exit 1
esac

exit 0


You will also need a .pem file that includes your certificate and key for stunnel. For testing purposes I am still using the one I generated at www.stunnel.org/pem. However, I intend to use this documentation to build my own when I have time: http://www.debian-administration.org/articles/284. Place the pem file wherever you want; in my case I stuck with the default location and put it in /etc/ssl/certs/.
Also ran: chmod 600 /etc/ssl/certs/stunnel.pem  (read/write for root only)
Make sure that in the above script you adjust the pem location to reflect where you decided to place it.

Finally we need to add our stunnel script in /etc/init.d/ to startup. We use the update-rc.d command to create the symbolic links. I made sure I was in the /etc/init.d/ directory when I ran the command:
cd /etc/init.d/

Type:  update-rc.d stunnel defaults


This will print a few lines of output. Once it is complete, you are done (assuming I remembered all the steps).

Test this by doing: shutdown -r now (this will reboot your readynas)


Like I said earlier, I have no idea how reliable Stunnel is for this use. However, it seems like a solid solution, so it shouldn't crash much. And, again, I shut down daily as my Readynas usually has no use in the middle of the night. Now I just need to configure my printer/copier/scanner/emailer to send mail to 192.168.99.100 on port 9999. The device also supports authentication, so here I will enter my Gmail credentials.
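A small smoke test for the finished setup, added here as an example and not part of the original post. Run it from any machine on the LAN: it opens a plain TCP connection to the Readynas listener (the IP and port from the post are assumptions; change them to yours), reads the greeting that Gmail sends back through the tunnel, issues EHLO and reports which AUTH methods are offered. The parsing helpers work on raw reply text, so they can be checked offline against a captured session.

```python
import socket

NAS_IP = "192.168.99.100"  # assumption: the ReadyNAS LAN IP used in the post
NAS_PORT = 9999            # assumption: the listener port chosen in the post

def parse_reply(raw):
    """Split one SMTP reply into (code, [texts]); lines are 'NNN-text' or 'NNN text'."""
    code, texts = None, []
    for line in raw.strip().split("\n"):
        line = line.rstrip("\r")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % line)
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("reply code changed inside one reply")
        texts.append(line[4:])
    return code, texts

def ehlo_extensions(raw):
    """Map EHLO keywords to their parameters, e.g. {'AUTH': ['LOGIN', 'PLAIN']}."""
    code, texts = parse_reply(raw)
    if code != 250:
        raise ValueError("EHLO rejected with code %s" % code)
    exts = {}
    for text in texts[1:]:  # texts[0] is the server greeting, not an extension
        parts = text.split()
        if parts:
            exts[parts[0].upper()] = parts[1:]
    return exts

def read_reply(f):
    """Read one reply from the socket; the final line has ' ' (not '-') after the code."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "".join(lines)

def check_tunnel(host=NAS_IP, port=NAS_PORT, timeout=10):
    """Speak plain SMTP to the listener; only the NAS -> smtp.gmail.com:465 leg is TLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        code, banner = parse_reply(read_reply(f))
        sock.sendall(b"EHLO tunnel-check.local\r\n")
        exts = ehlo_extensions(read_reply(f))
        sock.sendall(b"QUIT\r\n")
    return {"banner_ok": code == 220 and "gmail" in banner[0].lower(),
            "auth": exts.get("AUTH", [])}
```

Because the printer-to-Readynas hop is plain TCP, the login the printer sends crosses the LAN unencrypted; only the Readynas-to-Gmail leg is protected by stunnel.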

As far as how secure this setup is, www.stunnel.org recommends using chroot jailing, but I haven't gotten that far yet.

Cheers! :D

My sources:

http://www.stunnel.org/examples/chroot.html -- where I found the script (I ended up modifying the source function library line to reflect where the Readynas's is located, as well as the stunnel command that it runs; the restart lines were also looking in the wrong files for our setup)
http://www.stunnel.org/pem/ -- generate a .pem for testing
http://www.debian-administration.org/articles/28 -- update-rc.d command
http://www.debian-administration.org/articles/284 -- Create self signed certificates / keys

3 Replies

  • Thanks very much for these instructions!

    I am seriously considering buying a printer/scanner all-in-one that has the same SSL issue. I was planning to use the Duo's own SMTP server rather than bothering with STUNNEL (http://www.readynas.com/forum/viewtopic.php?f=7&t=60109&p=337497#p337497), but am reconsidering now.

    Has going this route worked as well as you'd hoped?

    Thanks.
  • eponymous... it's bulletproof. (knock on wood)

    Let me know if you have any questions, I'll try to support. You can contact me @ wmartindale at gmail dot com as needed.

    -Will

    Just a heads up, in this configuration... on your printer you will fill in the username / password of the account you want to SMTP with.

    i.e.:

    username: user1234@gmail.com
    pass: <your password>

    Stunnel is simply a secure gateway to your smtp provider so that you can authenticate and send :)

  • Will,

    I implemented stunnel following your instructions and all seems well. The printer can send scans as email attachments using a Gmail account I created for it.

    I believe the only place I deviated was not specifying a PEM file ("-p /etc/ssl/certs/stunnel.pem") in /etc/init.d/stunnel. It seems that PEM files can no longer be generated at stunnel.org. There was just a mysterious notation that one would be automatically generated during installation. I also got the impression that I might not need it. So far, I've not noticed any problems with leaving it out.

    Thanks again.
