Cox has been warning us that as of next week, we need to use encrypted POP
and SMTP. I have two reasons to use stunnel now:
1) I use the K9 Bayesian email proxy for spam filtering, and it doesn't
do TLS
2) My wife still uses Eudora and doesn't want to switch, and while
Eudora allegedly supports TLS, it's not trivial to make it work (and Cox
certainly won't help)
Thus stunnel looks like an ideal solution. But after tinkering for a few
hours on two machines, I'm stumped.
While I can type an SMTP or POP transaction in my sleep, I'm not so good at
typing a TLS handshake, so I'm using Outlook 2013 as my test platform (and
that's what I'll be using myself later anyway). I set up a new account, point
to the right ports on 127.0.0.1, and the test times out, with:
Log onto incoming mail server (POP3): The operation timed out waiting for a
response from the receiving (POP) server. If you continue to receive this
message, contact your server administrator or Internet service provider
(ISP).
Send test e-mail message: The operation timed out waiting for a response
from the sending (SMTP) server. If you continue to receive this message,
contact your server administrator or Internet service provider (ISP).
Here's my stunnel.conf, with blank lines and comments removed:
client = yes
output = C:\temp\stunnel-log.txt
taskbar = yes
debug = 7
[POP3 Incoming]
protocol = pop3
accept = 127.0.0.1:1110
connect = pop.cox.net:995
protocol = smtp
accept = 127.0.0.1:25
connect = smtp.cox.net:465
Yes, that's port 1110, since K9 is using 110. Shouldn't matter, right? (As
long as I point the client at 1110, obviously!)
Yes, I have protocol = pop3 and protocol = smtp; I've tried commenting them
out individually, no change that I can see.
Yes, I'm running stunnel explicitly, not as a service; I found threads
suggesting that it just doesn't work as a service on Windows 7 for some
reason (and in fact beat my head against that wall for a while first).
And here's the stunnel log:
2018.01.17 21:29:24 LOG7[main]: Running on Windows 6.1
2018.01.17 21:29:24 LOG7[main]: No limit detected for the number of clients
2018.01.17 21:29:24 LOG5[main]: stunnel 5.44 on x86-pc-msvc-1500 platform
2018.01.17 21:29:24 LOG5[main]: Compiled/running with OpenSSL 1.0.2m-fips 2 Nov 2017
2018.01.17 21:29:24 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2018.01.17 21:29:24 LOG7[main]: errno: (*_errno())
2018.01.17 21:29:24 LOG7[ui]: GUI message loop initialized
2018.01.17 21:29:24 LOG7[main]: Running on Windows 6.1
2018.01.17 21:29:24 LOG5[main]: Reading configuration from file stunnel.conf
2018.01.17 21:29:24 LOG5[main]: UTF-8 byte order mark not detected
2018.01.17 21:29:24 LOG5[main]: FIPS mode disabled
2018.01.17 21:29:24 LOG7[main]: Compression disabled
2018.01.17 21:29:24 LOG7[main]: Snagged 64 random bytes from C:/.rnd
2018.01.17 21:29:24 LOG7[main]: Wrote 0 new random bytes to C:/.rnd
2018.01.17 21:29:24 LOG7[main]: PRNG seeded successfully
2018.01.17 21:29:24 LOG6[main]: Initializing service [POP3 Incoming]
2018.01.17 21:29:24 LOG7[main]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
2018.01.17 21:29:24 LOG7[main]: TLS options: 0x03000004 (+0x03000000, -0x00000000)
2018.01.17 21:29:24 LOG7[main]: No certificate or private key specified
2018.01.17 21:29:24 LOG4[main]: Service [POP3 Incoming] needs authentication to prevent MITM attacks
2018.01.17 21:29:24 LOG5[main]: Configuration successful
2018.01.17 21:29:24 LOG7[main]: Binding service [POP3 Incoming]
2018.01.17 21:29:24 LOG7[main]: Listening file descriptor created (FD=460)
2018.01.17 21:29:24 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2018.01.17 21:29:24 LOG7[main]: Service [POP3 Incoming] (FD=460) bound to 127.0.0.1:1110
2018.01.17 21:29:24 LOG7[main]: Listening file descriptor created (FD=464)
2018.01.17 21:29:24 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2018.01.17 21:29:24 LOG7[main]: Service [POP3 Incoming] (FD=464) bound to 127.0.0.1:25
2018.01.17 21:29:24 LOG7[cron]: Cron thread initialized
2018.01.17 21:29:50 LOG7[main]: Found 1 ready file descriptor(s)
2018.01.17 21:29:50 LOG7[main]: FD=424 ifds=r-x ofds=---
2018.01.17 21:29:50 LOG7[main]: FD=460 ifds=r-x ofds=r--
2018.01.17 21:29:50 LOG7[main]: Service [POP3 Incoming] accepted (FD=488) from 127.0.0.1:54855
2018.01.17 21:29:50 LOG7[main]: Creating a new thread
2018.01.17 21:29:50 LOG7[main]: New thread created
2018.01.17 21:29:50 LOG7[0]: Service [POP3 Incoming] started
2018.01.17 21:29:50 LOG7[0]: Option TCP_NODELAY set on local socket
2018.01.17 21:29:50 LOG5[0]: Service [POP3 Incoming] accepted connection from 127.0.0.1:54855
2018.01.17 21:29:50 LOG6[0]: failover: round-robin, starting at entry #1
2018.01.17 21:29:50 LOG6[0]: s_connect: connecting 68.6.19.8:465
2018.01.17 21:29:50 LOG7[0]: s_connect: s_poll_wait 68.6.19.8:465: waiting 10 seconds
2018.01.17 21:29:50 LOG5[0]: s_connect: connected 68.6.19.8:465
2018.01.17 21:29:50 LOG5[0]: Service [POP3 Incoming] connected remote server from 192.168.1.17:54856
2018.01.17 21:29:50 LOG7[0]: Option TCP_NODELAY set on remote socket
2018.01.17 21:29:50 LOG7[0]: Remote descriptor (FD=508) initialized
2018.01.17 21:30:24 LOG6[cron]: Executing cron jobs
2018.01.17 21:30:24 LOG6[cron]: Cron jobs completed in 0 seconds
2018.01.17 21:30:24 LOG7[cron]: Waiting 86400 seconds
2018.01.17 21:31:05 LOG7[main]: Found 1 ready file descriptor(s)
2018.01.17 21:31:05 LOG7[main]: FD=424 ifds=r-x ofds=---
2018.01.17 21:31:05 LOG7[main]: FD=460 ifds=r-x ofds=---
2018.01.17 21:31:05 LOG7[main]: Service [POP3 Incoming] accepted (FD=528) from 127.0.0.1:54891
2018.01.17 21:31:05 LOG7[main]: Creating a new thread
2018.01.17 21:31:05 LOG7[main]: New thread created
2018.01.17 21:31:05 LOG7[1]: Service [POP3 Incoming] started
2018.01.17 21:31:05 LOG7[1]: Option TCP_NODELAY set on local socket
2018.01.17 21:31:05 LOG5[1]: Service [POP3 Incoming] accepted connection from 127.0.0.1:54891
2018.01.17 21:31:05 LOG6[1]: failover: round-robin, starting at entry #0
2018.01.17 21:31:05 LOG6[1]: s_connect: connecting 146.20.147.245:995
2018.01.17 21:31:05 LOG7[1]: s_connect: s_poll_wait 146.20.147.245:995: waiting 10 seconds
2018.01.17 21:31:05 LOG5[1]: s_connect: connected 146.20.147.245:995
2018.01.17 21:31:05 LOG5[1]: Service [POP3 Incoming] connected remote server from 192.168.1.17:54892
2018.01.17 21:31:05 LOG7[1]: Option TCP_NODELAY set on remote socket
2018.01.17 21:31:05 LOG7[1]: Remote descriptor (FD=336) initialized
2018.01.17 21:34:05 LOG3[1]: Unexpected socket close (s_read)
2018.01.17 21:34:05 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.01.17 21:34:05 LOG7[1]: Remote descriptor (FD=336) closed
2018.01.17 21:34:05 LOG7[1]: Local descriptor (FD=528) closed
2018.01.17 21:34:05 LOG7[1]: Service [POP3 Incoming] finished (1 left)
2018.01.17 21:34:05 LOG7[1]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
2018.01.17 21:34:05 LOG7[1]: str_stats: 32 byte(s) at ..\src\network.c:680
2018.01.17 21:34:50 LOG6[0]: s_read: s_poll_wait: TIMEOUTbusy exceeded: sending reset
2018.01.17 21:34:50 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.01.17 21:34:50 LOG7[0]: Remote descriptor (FD=508) closed
2018.01.17 21:34:50 LOG7[0]: Local descriptor (FD=488) closed
2018.01.17 21:34:50 LOG7[0]: Service [POP3 Incoming] finished (0 left)
2018.01.17 21:34:50 LOG7[0]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
2018.01.17 21:34:50 LOG7[0]: str_stats: 32 byte(s) at ..\src\network.c:680
It looks like it connects, but then just sits there?!
I see these:
No certificate or private key specified
Service [POP3 Incoming] needs authentication to prevent MITM attacks
but that's during startup. Or are those significant?
I feel like I'm one setting away from having this all work!
Thanks in advance for any suggestions.
--
...phsiii
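Added example (editor's, not the original poster's configuration): a stunnel.conf that gives each service its own section header, drops the protocol lines (in client mode they negotiate STARTTLS on a plaintext port, while 995 and 465 expect TLS from the first byte), and turns on server verification so the "needs authentication to prevent MITM attacks" warning in the log no longer applies. It assumes the ca-certs.pem bundle shipped with the Windows stunnel build sits next to stunnel.conf.

```ini
; Added example, not the original poster's file. Global options apply to
; every service that follows; each [section] opens one tunnel.
client = yes
output = C:\temp\stunnel-log.txt
taskbar = yes
debug = 7

; Verify the server certificate chain against a CA bundle; stunnel warns at
; startup when no verification is configured, since an unverified client
; tunnel would accept any certificate presented to it.
; Assumed path: the ca-certs.pem shipped with the Windows stunnel build.
CAfile = ca-certs.pem
verifyChain = yes

; 995 is implicit TLS: no "protocol = pop3", which would wait for a plaintext
; greeting and send STLS while the server waits for a ClientHello.
[POP3 Incoming]
accept = 127.0.0.1:1110
connect = pop.cox.net:995
sni = pop.cox.net
checkHost = pop.cox.net

; Without this header, the two connect lines below would land in the POP3
; section and stunnel would round-robin a POP3 client between 995 and 465.
; 465 is implicit TLS as well, so no "protocol = smtp" here either.
[SMTP Outgoing]
accept = 127.0.0.1:25
connect = smtp.cox.net:465
sni = smtp.cox.net
checkHost = smtp.cox.net
```

With debug = 7 a successful run shows one "Initializing service" line per section and "Certificate accepted" at connect time; a checkHost mismatch is logged as a verification failure and the connection is dropped.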