Hello,

This is my first time using stunnel so I'm still learning how it works. This may have already been asked, but I'm not sure what to search for in the archives.

We have a number of hosts in private IP space that we'd like to be able to send mail to smtp.office365.com:587. I'm trying to configure stunnel for this purpose.

What I'd like is to set up a stunnel instance on a server which will accept TLS connections on port 50025. Stunnel will then connect to smtp.office365.com:587 which also uses TLS. How can I do this?

I am able to configure stunnel to accept my connection on 587, but the connection is immediately closed (below). If I add client = yes, then I just get:

aculver stunnel # openssl s_client -starttls smtp -connect localhost:50025
CONNECTED(00000003)
didn't found starttls in server response, try anyway...


Here is my config:

aculver stunnel # egrep -v '^;|^$' stunnel.conf
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015
setuid = nobody
setgid = nogroup
pid = /usr/local/var/run/stunnel/stunnel.pid
[o365-smtp]
accept = 50025
cert = /usr/local/etc/stunnel/stunnel.pem
connect = smtp.office365.com:587
verifyChain = yes
CApath = /etc/ssl/certs
protocol = smtp


What am I doing wrong?


Here's what I get when I don't have client = yes:

aculver stunnel # openssl s_client -starttls smtp -connect localhost:50025
CONNECTED(00000003)
depth=0 C = CA, ST = Ontario, L = London, O = The University of Western Ontario, OU = ITS, CN = aculver.ws.its.uwo.ca, emailAddress = aculver@uwo.ca
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CA, ST = Ontario, L = London, O = The University of Western Ontario, OU = ITS, CN = aculver.ws.its.uwo.ca, emailAddress = aculver@uwo.ca
verify return:1
139954991064736:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1263:SSL alert number 40
139954991064736:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=CA/ST=Ontario/L=London/O=The University of Western Ontario/OU=ITS/CN=aculver.ws.its.uwo.ca/emailAddress=aculver@uwo.ca
   i:/C=CA/ST=Ontario/L=London/O=The University of Western Ontario/OU=ITS/CN=aculver.ws.its.uwo.ca/emailAddress=aculver@uwo.ca
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=London/O=The University of Western Ontario/OU=ITS/CN=aculver.ws.its.uwo.ca/emailAddress=aculver@uwo.ca
issuer=/C=CA/ST=Ontario/L=London/O=The University of Western Ontario/OU=ITS/CN=aculver.ws.its.uwo.ca/emailAddress=aculver@uwo.ca
---
No client certificate CA names sent
---
SSL handshake has read 1741 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 9B6FC3BBEEADF6673416272CA03FA44A2B10BADB3B843317403C03904F0E45E922EA2581F313BF5282C0A47498E43C8D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1484680413
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
aculver stunnel #


Thanks,
Andrew
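Added example (not part of the original post, and not from the stunnel project): the pattern normally used for what is asked above. A single stunnel service section is either a TLS server (default) or a TLS client (`client = yes`); it does not decrypt on one side and re-encrypt on the other. The usual answer is to chain two services over loopback: the first terminates TLS from the private-network hosts, the second dials smtp.office365.com:587 as a TLS client and performs the STARTTLS negotiation (`protocol = smtp` in client mode). The section names, the loopback port 50026 and the `checkHost` option (present in stunnel 5.09 and later, to my knowledge) are my choices, not anything from the post; the certificate path and `CApath` are taken from the posted config.

```ini
; Added example: two-hop stunnel.conf for relaying to smtp.office365.com:587.
; Global options carried over from the posted config.
setuid = nobody
setgid = nogroup
pid = /usr/local/var/run/stunnel/stunnel.pid

; Hop 1: TLS *server*. Internal hosts connect here with implicit TLS
; (no STARTTLS), so no "protocol" line. Decrypted bytes are handed to hop 2.
[o365-smtp-in]
accept = 50025
cert = /usr/local/etc/stunnel/stunnel.pem
connect = 127.0.0.1:50026

; Hop 2: TLS *client*. Accepts plaintext SMTP on loopback only, connects to
; Office 365, speaks EHLO/STARTTLS in the clear, then upgrades to TLS.
[o365-smtp-out]
client = yes
accept = 127.0.0.1:50026
connect = smtp.office365.com:587
protocol = smtp
; Validate the server: chain to a trusted CA *and* name match.
; verifyChain alone accepts any certificate from a trusted CA;
; checkHost (assumed available, stunnel >= 5.09) pins the expected hostname.
verifyChain = yes
checkHost = smtp.office365.com
CApath = /etc/ssl/certs
```

With this layout the local test is `openssl s_client -connect localhost:50025` (without `-starttls smtp`, since hop 1 expects implicit TLS); the 220 greeting seen inside that session is Office 365's, forwarded by hop 2. If the internal clients must use STARTTLS on port 50025 instead, hop 1 would carry `protocol = smtp` in server mode, in which case the test would again use `-starttls smtp`. Binding hop 2 to 127.0.0.1 matters: it is a plaintext listener, and anything that can reach it relays through the tunnel unauthenticated.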