KB: Setting up Email Connector and Alerts Server with SSL
Important
Setting up SSL connections using Stunnel as described below is required only when using RangerMSP version 5.7 or older.
Starting with RangerMSP 6.0 SSL connections are supported directly.
See more details in Outgoing Email Settings.
Introduction
More and more email providers are switching to SSL security protocols to secure their POP3 and SMTP traffic and to prevent 3rd parties from eavesdropping on your email traffic. Part of the setup process for Email Connector or Alerts Server may include setting your POP3 and SMTP server credentials. To use RangerMSP Email Connector or RangerMSP Alerts Server with a secure POP3/SMTP server, a 3rd party tool needs to be installed. This article explains how to configure this with a 3rd party tool called Stunnel (http://www.stunnel.org).
When using Stunnel, the RangerMSP Email Connector and RangerMSP Alerts Server need to be configured to pull/push messages to and from the Stunnel software using standard (non-secured) POP/SMTP traffic. Stunnel, in turn, is configured to exchange those messages with your secured server using SSL.
This method effectively lets the Stunnel software act as an extension of the secured server. Each time Stunnel receives a POP3 request on the designated port, it sends the secured POP3 request to the secured server you've configured in the Stunnel.Conf file (the same applies to SMTP).
However, note that with this method any computer on your network will be able to use this tunnel to access your mail server, and that traffic crosses your LAN without the secured SSL protocol (the traffic from Stunnel to the secure mail server is still secured). It is therefore best to limit the ports you use with Stunnel so that they only accept connections from the system on which Stunnel and the RangerMSP server are installed (127.0.0.1).
Setting up Stunnel
The first step is to download and install Stunnel from the official Stunnel website.
Once Stunnel is downloaded and installed on your server, the next step is to prepare the configuration file, which tells the Stunnel software where your secured mail server is and which ports to listen on for the RangerMSP Server (Email Connector and Alerts) traffic.
Preparing Stunnel.Conf
The Stunnel.Conf file has been created by the Stunnel Installation; all that needs to be done in this step is to edit it with the connection details for your mail servers.
- Please open \<Stunnel Installation Folder>\Stunnel.Conf with a text editor.
- Empty the contents and replace them with the following text:
client = yes
[pop3s]
accept = 127.0.0.1:1109
connect = <POP3.Server.Com>:995
[smtps]
accept = 127.0.0.1:259
connect = <SMTP.Server.Com>:465
protocol = smtp
Once you have added the template to Stunnel.Conf, the next step is to change the values in the < > placeholders to reflect your mail servers.
For example, if you were using Gmail's secured servers for your RangerMSP Email Connector mailbox, your Stunnel.Conf file would look like this:
client = yes
[pop3s]
accept = 127.0.0.1:1109
connect = pop.gmail.com:995
[smtps]
accept = 127.0.0.1:259
connect = smtp.gmail.com:465
protocol = smtp
Please note that if your mail server does not use the default SSL ports (995, 465), then you'll need to adjust the port numbers in this configuration file to match the ports your secured servers listen for traffic on.
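As an added example (not part of the original RangerMSP article or of Stunnel), the following Python script checks a Stunnel.Conf for the loopback caveat described in the introduction: it lists every service whose accept line is not bound to a loopback address. The sample configuration is constructed from the template on this page with one listener deliberately changed, and the function names are illustrative.

```python
import ipaddress

# Constructed sample: the template from this page, with the [smtps] listener
# changed to a bare port to show the failure mode.
SAMPLE_CONF = """\
client = yes
[pop3s]
accept = 127.0.0.1:1109
connect = pop.gmail.com:995
[smtps]
accept = 259
connect = smtp.gmail.com:465
protocol = smtp
"""

def parse_services(text):
    """Return {section: {option: value}}; options before any section go under 'global'."""
    services, current = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            services.setdefault(current, {})[key.lower()] = value
    return services

def is_loopback(accept_value):
    """True only if an 'accept = [HOST:]PORT' value names a loopback host."""
    host, sep, _port = accept_value.rpartition(":")
    if not sep or not host:       # bare port: Stunnel listens on all IPv4 addresses
        return False
    host = host.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:            # other hostnames are not resolved here; treat as exposed
        return False

def exposed_listeners(text):
    """List (service, accept) pairs whose plaintext listener is reachable off-host."""
    return [(name, opts["accept"]) for name, opts in parse_services(text).items()
            if "accept" in opts and not is_loopback(opts["accept"])]

if __name__ == "__main__":
    for service, accept in exposed_listeners(SAMPLE_CONF):
        print(f"[{service}] accept = {accept}: not restricted to 127.0.0.1")
```

To check a real installation, pass the contents of your own Stunnel.Conf to `exposed_listeners` instead of the sample.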
Installing and running the Stunnel Service
Once the Stunnel.Conf file has been prepared, the next step is to install the Stunnel Service and run the Windows service on your server (same server where the RangerMSP Server service runs), so that the software will be ready to listen for connections from the RangerMSP Email Connector and RangerMSP Alerts Server.
- Go to Start > Run > CMD.
- Navigate to the folder where you've installed Stunnel.
- Type Stunnel.exe -install. (A confirmation window should pop up notifying you of the service installation.)
- Type sc start Stunnel.
- Type exit.
Testing Stunnel Outside RangerMSP
We suggest using any standard email client software (such as MS Outlook Express®) to test and troubleshoot the Stunnel connection to and from your secure mail server. This confirms that you can now pull messages from your secured server and send messages through it with Stunnel, i.e. with a non-secure connection from your email software to the Stunnel service and a secure connection to your servers implemented by Stunnel. Only after verifying that Stunnel works well with an email client should you proceed to have RangerMSP use it.
Set up an email account on any standard email client with the following details. Make sure you use the local ports we've configured in the accept lines of the Stunnel.Conf file. Also make sure not to use SSL in this account; we want to make sure that you can retrieve and send messages now without SSL encryption from the RangerMSP server.
POP3 server: 127.0.0.1
POP3 port: 1109
SMTP server: 127.0.0.1
SMTP port: 259
SMTP Auth: Depends on your settings
Username: Use your regular username
Password: Use your regular password
TLS: No
SSL: No
Use the email client software to send a test message from the mailbox you've just configured to a different email box that you have access to. Put the address for your personal mailbox in the To field, add a short text body, send it, and wait to see whether the message from your RangerMSP Email Connector mailbox arrives. Once received, reply to this message and wait to see whether the reply returns to the RangerMSP Email Connector mailbox. If all this works, then the Stunnel software is doing its job and decrypting your secure traffic for the RangerMSP Email Connector.
If this test works, then you should remove the email account from your email client (i.e. Outlook Express® or any other email client you used for the test) and copy the settings to the RangerMSP Server.
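A scripted check of the connectivity part of this test, as an added example that is not part of the original article: it connects to the local accept ports without SSL and classifies what comes back. The `+OK` and `220` prefixes are the standard POP3 and SMTP server greetings; the function name and result labels are illustrative.

```python
import socket

def probe_tunnel(host, port, expected, timeout=10.0):
    """Classify a plaintext Stunnel listener by the greeting relayed from the mail server.

    expected is the greeting prefix: b"+OK" for POP3, b"220" for SMTP.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            banner = sock.recv(512)
    except ConnectionRefusedError:
        # Nothing is listening: the Stunnel service is not running, or the
        # port does not match the accept line in Stunnel.Conf.
        return "refused"
    except (socket.timeout, ConnectionResetError):
        # The local connection was accepted but no greeting was relayed.
        return "no-greeting"
    if not banner:
        # The listener closed the connection without sending anything, which
        # typically means the connection to the secured server failed.
        return "no-greeting"
    return "ok" if banner.startswith(expected) else "unexpected"

if __name__ == "__main__":
    # Ports taken from the accept lines of the Stunnel.Conf shown on this page.
    for name, port, prefix in (("pop3s", 1109, b"+OK"), ("smtps", 259, b"220")):
        print(name, probe_tunnel("127.0.0.1", port, prefix, timeout=5.0))
```

The script does not log in or send mail, so it complements the email-client test rather than replacing it.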
Configuring the RangerMSP Server (RangerMSP Email Connector and RangerMSP Alerts Server)
Once we have verified that Stunnel can be used to handle the SSL connections with your secured mail servers, the last step is to get the account configured in the RangerMSP Server. In order to do this, please open \RangerMSP\Server\ServerConfig.exe, and use the following settings to configure the servers.
Outgoing Mail Servers Tab
Use the following settings in the same syntax you've used in the external email client test we've just completed. The settings below tell the RangerMSP Server how to connect to your outgoing email server using Stunnel. The Server and Port information should point to the same server that is set in Stunnel.Conf SMTP Accept line, while the credentials would be the standard email box credentials (Username may require the full email address). Once you've entered the settings, run the SMTP test to see that the settings work.
SMTP server: 127.0.0.1
SMTP port: 259
SMTP Auth: Depends on your settings
Username: Use your regular username
Password: Use your regular password
If the test does not succeed, then check the settings you've typed in this tab; try to use the Full Email address (for the mailbox you're configuring) in the Username field, and try the test again. Extended connection troubleshooting can be done by analyzing the SMTP test log displayed in the window.
Email Connector Tab
Use the following settings in the same syntax you've used in the external email client test we've just completed. The settings below tell the RangerMSP Email Connector how to connect to Stunnel. The Server and Port information should point to the same server that is set in Stunnel.Conf POP3 Accept line, while the credentials would be the standard email box credentials (Username may require the full email address). Once you've entered the settings, run the POP3 test to see that the settings work.
Public Email Address: Your Public Email Address
POP3 server: 127.0.0.1
POP3 port: 1109
Username: Use your regular username
Password: Use your regular password
If the test does not succeed, then check the settings you've typed in this tab; try to use the Full Email address (for the mailbox you're configuring) in the Username field, and try the test again. Extended connection troubleshooting can be done by analyzing the SMTP test log displayed in the window.
Testing RangerMSP Email Connector with SSL
Once all the steps have been taken to properly configure Stunnel and the RangerMSP Server, the last step is to run a simulation to see that tickets are created for emails that arrive in your secured POP3 mailbox and that emails are going out using your secured SMTP server.
Note: Systems that only have the RangerMSP Alerts Server (without the RangerMSP Email Connector) should skip this section and continue to the next section, "Testing the RangerMSP Alerts Server".
Before testing the RangerMSP Email Connector, make sure that the Automated Email Response for new tickets is enabled in the ServerConfig.exe utility > Email Connector Tab > Scroll to the middle > Automated Response (Requires restarting the RangerMSP Server service to take effect). This will ensure that while we test the RangerMSP Email Connector, we test both incoming and outgoing traffic via Stunnel.
- Create a dummy Account record in RangerMSP.
- Give the dummy account an email address that is not used anywhere else in the system (any Gmail account will do).
- Send an email message from the dummy account to the RangerMSP Email Connector Public Email Address.
- Wait for a few minutes until the email is pulled and processed by the RangerMSP Email Connector.
- Refresh your ticket screen to see the new ticket.
- Check your mailbox (that you sent the test email ticket from) and verify that the Auto Response email has been received.
Testing the RangerMSP Alerts Server
Once all the steps have been taken to properly configure Stunnel and the RangerMSP Server, the last step is to run a simulation to see that email alerts are arriving at their destinations, when sent using Stunnel.
In order to trigger the RangerMSP Alerts Server to send out an alert, please follow these next steps:
- Log into RangerMSP as a different user than your own RangerMSP user.
- Verify that you are subscribed to receive RangerMSP alerts from Tools > Options > Alerts.
- Create a new ticket.
- Change the Ticket Manager to your own employee/user and save the ticket.
- Wait for the email alert to arrive.