I've been fighting with stunnel, trying to get its transparent proxy support
to work. No matter what I do, as soon as transparent = source support is
turned on, tests with my mail client just time out.
If I turn transparent proxy support off it works but appears as if
connections are from localhost, which is undesirable.
My goal is to have stunnel listen on *:465 and provide SSL-protected
connectivity, appearing to arrive from the remote client IP, to my mail server's
external IP address on port 25. My mail server and the firewall with the
rules on it are the same physical machine.
Can someone please make some suggestions as to what else I can try to get
this working?
I'm running Linux 2.6.38 on a current CentOS/RHEL 5 box and I've got modules
built for most netfilter options, including:
NF_CONNTRACK=m
NETFILTER_TPROXY=m
NETFILTER_XT_MATCH_SOCKET=m
NETFILTER_XT_TARGET_TPROXY=m
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/ip_forward = 1
This is my stunnel config:
cert = /etc/stunnel/assps.crt
key = /etc/stunnel/assps.key
pid = /var/run/stunnel/stunnel_smtps.pid
verify = 0
debug = 7
output = /var/log/stunnel_smtps.log
TIMEOUTconnect = 60
[smtps]
accept = 465
connect = MY_EXTERNAL_IP:25
transparent = source
My stunnel seems happy with the DH parameters in my cert file.
My relevant firewall rules:
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
# stunnel -version
stunnel 4.35 on i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 July 2008
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
Global options
debug = daemon.notice
pid = /var/run/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options
cert = /etc/stunnel/stunnel.pem
ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
curve = sect163r2
session = 300 seconds
stack = 65536 bytes
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
# stunnel -sockets
Socket option defaults:
    Option           Accept  Local   Remote  OS default
    SO_DEBUG         --      --      --      0
    SO_DONTROUTE     --      --      --      0
    SO_KEEPALIVE     --      --      --      0
    SO_LINGER        --      --      --      0:0
    SO_OOBINLINE     --      --      --      0
    SO_RCVBUF        --      --      --      87380
    SO_SNDBUF        --      --      --      16384
    SO_RCVLOWAT      --      --      --      1
    SO_SNDLOWAT      --      --      --      1
    SO_RCVTIMEO      --      --      --      0:0
    SO_SNDTIMEO      --      --      --      0:0
    SO_REUSEADDR     1       --      --      0
    SO_BINDTODEVICE  --      --      --      --
    TCP_KEEPCNT      --      --      --      9
    TCP_KEEPIDLE     --      --      --      7200
    TCP_KEEPINTVL    --      --      --      75
    IP_TOS           --      --      --      0
    IP_TTL           --      --      --      64
    TCP_NODELAY      --      --      --      0
Here is the log file with the connection timeout:
2011.03.20 15:26:43 LOG5[23214:3073877712]: Reading configuration from file /etc/stunnel/stunnel-assp_smtps.conf
2011.03.20 15:26:43 LOG7[23214:3073877712]: Snagged 64 random bytes from /root/.rnd
2011.03.20 15:26:43 LOG7[23214:3073877712]: Wrote 1024 new random bytes to /root/.rnd
2011.03.20 15:26:43 LOG7[23214:3073877712]: PRNG seeded successfully
2011.03.20 15:26:43 LOG7[23214:3073877712]: Using DH parameters from /etc/stunnel/assps.crt
2011.03.20 15:26:43 LOG6[23214:3073877712]: DH initialized with 512 bit key
2011.03.20 15:26:43 LOG7[23214:3073877712]: Certificate: /etc/stunnel/assps.crt
2011.03.20 15:26:43 LOG7[23214:3073877712]: Certificate loaded
2011.03.20 15:26:43 LOG7[23214:3073877712]: Key file: /etc/stunnel/assps.key
2011.03.20 15:26:43 LOG7[23214:3073877712]: Private key loaded
2011.03.20 15:26:43 LOG7[23214:3073877712]: SSL context initialized for service smtps
2011.03.20 15:26:43 LOG5[23214:3073877712]: Configuration successful
2011.03.20 15:26:43 LOG5[23214:3073877712]: No limit detected for the number of clients
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=3 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=5 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=5 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=6 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=6 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=7 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=7 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=8 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: signal_pipe: FD=9 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: signal_pipe: FD=10 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: accept socket: FD=11 allocated (non-blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: Option SO_REUSEADDR set on accept socket
2011.03.20 15:26:43 LOG7[23214:3073877712]: Service smtps bound to 0.0.0.0:465
2011.03.20 15:26:43 LOG7[23214:3073877712]: Service smtps opened FD=11
2011.03.20 15:26:44 LOG7[23220:3073877712]: Created pid file /var/run/stunnel/stunnel_smtps.pid
2011.03.20 15:26:44 LOG5[23220:3073877712]: stunnel 4.35 on i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
2011.03.20 15:26:44 LOG5[23220:3073877712]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2011.03.20 15:26:56 LOG7[23220:3073877712]: local socket: FD=0 allocated (non-blocking mode)
2011.03.20 15:26:56 LOG7[23220:3073877712]: Service smtps accepted FD=0 from MY_TESTING_CLIENT_IP:56765
2011.03.20 15:26:56 LOG7[23220:3073874832]: Service smtps started
2011.03.20 15:26:56 LOG7[23220:3073874832]: Option TCP_NODELAY set on local socket
2011.03.20 15:26:56 LOG7[23220:3073874832]: Waiting for a libwrap process
2011.03.20 15:26:56 LOG7[23220:3073874832]: Acquired libwrap process #0
2011.03.20 15:26:56 LOG7[23220:3073874832]: Releasing libwrap process #0
2011.03.20 15:26:56 LOG7[23220:3073874832]: Released libwrap process #0
2011.03.20 15:26:56 LOG7[23220:3073874832]: Service smtps permitted by libwrap from MY_TESTING_CLIENT_IP:56765
2011.03.20 15:26:56 LOG5[23220:3073874832]: Service smtps accepted connection from MY_TESTING_CLIENT_IP:56765
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): before/accept initialization
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read client hello A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write server hello A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write certificate A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write certificate request A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 flush data
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL alert (read): warning: no certificate
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read client key exchange A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read finished A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write change cipher spec A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write finished A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 flush data
2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 items in the session cache
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client connects (SSL_connect())
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client connects that finished
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client renegotiations requested
2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 server connects (SSL_accept())
2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 server connects that finished
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 server renegotiations requested
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 session cache hits
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 external session cache hits
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 session cache misses
2011.03.20 15:26:57 LOG7[23220:3073874832]: 0 session cache timeouts
2011.03.20 15:26:57 LOG6[23220:3073874832]: SSL accepted: new session negotiated
2011.03.20 15:26:57 LOG6[23220:3073874832]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2011.03.20 15:26:57 LOG7[23220:3073874832]: remote socket: FD=1 allocated (non-blocking mode)
2011.03.20 15:26:57 LOG6[23220:3073874832]: local_bind succeeded on the original port
2011.03.20 15:26:57 LOG6[23220:3073874832]: connect_blocking: connecting MY_EXTERNAL_IP:25
2011.03.20 15:26:57 LOG7[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: waiting 60 seconds
2011.03.20 15:27:57 LOG3[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: TIMEOUTconnect exceeded
2011.03.20 15:27:57 LOG5[23220:3073874832]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.03.20 15:27:57 LOG7[23220:3073874832]: Service smtps finished (0 left)
2011.03.20 15:29:21 LOG7[23220:3073877712]: Dispatching signals from the signal pipe
2011.03.20 15:29:21 LOG5[23220:3073877712]: Received signal 15; terminating
2011.03.20 15:29:21 LOG7[23220:3073877712]: removing pid file /var/run/stunnel/stunnel_smtps.pid
The only even slightly odd thing I see, other than the timeouts, is this line:
"2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL alert (read): warning: no certificate"
I'm not sure what that is about, but it doesn't seem critical...
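As an added example (not code from the post above or from the stunnel project), here is a small triage script for a debug = 7 stunnel log of a "transparent = source" service. It groups lines by the [pid:tid] tag, records which milestones each client connection reached (accepted, TLS negotiated, transparent bind, backend connect, timeout or success) and states where the connection stopped and how long the backend connect waited. SAMPLE_LOG is a constructed subset of the log above with the documentation addresses 203.0.113.10 and 198.51.100.25 standing in for MY_TESTING_CLIENT_IP and MY_EXTERNAL_IP; the second thread, which reaches the backend, is invented for contrast, and the "connect_blocking: connected" message it relies on is assumed, since no successful connect appears in the log above.

```python
"""Triage a stunnel debug log (debug = 7) for a "transparent = source" service.
Added example, not from the original post or the stunnel project."""
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)

# Milestones in the order stunnel reaches them. The first five are quoted from
# the log above; the "connected" message is assumed and not shown on this page.
STAGES = [
    ("accepted",        re.compile(r"accepted connection from (?P<peer>\S+)")),
    ("tls_ok",          re.compile(r"SSL accepted: new session negotiated")),
    ("bind_ok",         re.compile(r"local_bind succeeded")),
    ("connecting",      re.compile(r"connect_blocking: connecting (?P<dst>\S+)")),
    ("connect_timeout", re.compile(r"TIMEOUTconnect exceeded")),
    ("connected",       re.compile(r"connect_blocking: connected (?P<dst>\S+)")),
]

# Alerts that do not abort the handshake. "no certificate" is the client's
# answer to the CertificateRequest that verify = 0 (request and ignore) sends.
BENIGN_ALERTS = ("warning: no certificate",)

# Constructed sample: thread 1 mirrors the log above, thread 2 is invented.
SAMPLE_LOG = """\
2011.03.20 15:26:56 LOG5[23220:3073874832]: Service smtps accepted connection from 203.0.113.10:56765
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write certificate request A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL alert (read): warning: no certificate
2011.03.20 15:26:57 LOG6[23220:3073874832]: SSL accepted: new session negotiated
2011.03.20 15:26:57 LOG6[23220:3073874832]: local_bind succeeded on the original port
2011.03.20 15:26:57 LOG6[23220:3073874832]: connect_blocking: connecting 198.51.100.25:25
2011.03.20 15:26:57 LOG7[23220:3073874832]: connect_blocking: s_poll_wait 198.51.100.25:25: waiting 60 seconds
2011.03.20 15:27:57 LOG3[23220:3073874832]: connect_blocking: s_poll_wait 198.51.100.25:25: TIMEOUTconnect exceeded
2011.03.20 15:27:57 LOG5[23220:3073874832]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.03.20 15:30:02 LOG5[23220:3073874900]: Service smtps accepted connection from 203.0.113.11:40120
2011.03.20 15:30:02 LOG6[23220:3073874900]: SSL accepted: new session negotiated
2011.03.20 15:30:02 LOG6[23220:3073874900]: local_bind succeeded on the original port
2011.03.20 15:30:02 LOG6[23220:3073874900]: connect_blocking: connecting 198.51.100.25:25
2011.03.20 15:30:03 LOG5[23220:3073874900]: connect_blocking: connected 198.51.100.25:25
""".splitlines()


def parse(lines):
    """Group parsable lines by (pid, tid) into lists of (timestamp, level, msg)."""
    threads = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S")
            threads.setdefault((m["pid"], m["tid"]), []).append(
                (ts, int(m["level"]), m["msg"]))
    return threads


def triage_thread(events):
    """Describe one thread; None if it never accepted a client connection."""
    r = {"peer": None, "dst": None, "stages": [], "alerts": [], "connect_wait": None}
    t_connecting = None
    for ts, _level, msg in events:
        if "SSL alert" in msg:
            r["alerts"].append(msg)
        for stage, rx in STAGES:
            hit = rx.search(msg)
            if not hit:
                continue
            r["stages"].append(stage)
            if stage == "accepted":
                r["peer"] = hit["peer"]
            elif stage == "connecting":
                r["dst"], t_connecting = hit["dst"], ts
            elif stage in ("connect_timeout", "connected") and t_connecting is not None:
                r["connect_wait"] = (ts - t_connecting).total_seconds()
    s = r["stages"]
    if "accepted" not in s:
        return None
    r["fatal_alerts"] = [a for a in r["alerts"] if not any(b in a for b in BENIGN_ALERTS)]
    if "connected" in s:
        r["code"], r["verdict"] = "ok", "backend reached"
    elif "tls_ok" not in s:
        r["code"], r["verdict"] = "tls_failed", "TLS handshake did not complete"
    elif "connect_timeout" in s and "bind_ok" in s:
        wait = f"{r['connect_wait']:.0f}s" if r["connect_wait"] is not None else "TIMEOUTconnect"
        r["code"] = "no_reply_after_transparent_bind"
        r["verdict"] = (
            f"TLS and the IP_TRANSPARENT bind succeeded, but no SYN-ACK came back "
            f"from {r['dst']} within {wait}. The SYN carried {r['peer']} as its "
            f"source, so the backend's reply is addressed to that client and reaches "
            f"stunnel only if the mark/policy-routing rules deliver it locally.")
    elif "connect_timeout" in s:
        r["code"], r["verdict"] = "backend_timeout", "backend connect timed out"
    else:
        r["code"], r["verdict"] = "incomplete", "thread ended before connecting"
    return r


def triage(lines):
    """Triage every client-connection thread in the log, in order of appearance."""
    return [r for r in map(triage_thread, parse(lines).values()) if r]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['peer']} -> {r['dst']}: {r['code']}")
        print("   ", r["verdict"])
        if r["fatal_alerts"]:
            print("    fatal alerts:", r["fatal_alerts"])
```

Run against the log above, the script reports that the TLS handshake and the bind to the client's address both succeeded and only the backend connect timed out after the full 60-second TIMEOUTconnect, with the "no certificate" alert recorded as a warning rather than a failure. That narrows the problem to the path the backend's replies take: with transparent = source the SYN leaves with the client's address as its source, so the backend's SYN-ACK is addressed to the client, not to the stunnel host, and stunnel only sees it if the marking and policy-routing rules deliver that packet locally. Whether the rules quoted in the post do that for a backend on the same machine is the question the post asks; the script only localizes the failure, it does not confirm a fix.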