Cox has been warning us that as of next week, we need to use encrypted POP and SMTP. I have two reasons to use stunnel now:
1) I use the K9 Bayesian email proxy for spam filtering, and it doesn’t do TLS
2) My wife still uses Eudora and doesn’t want to switch, and while Eudora allegedly supports TLS, it’s not trivial to make it work (and Cox certainly won’t help)
Thus stunnel looks like an ideal solution. But after tinkering for a few hours on two machines, I’m stumped.
While I can type an SMTP or POP transaction in my sleep, I’m not so good at typing a TLS handshake, so I’m using Outlook 2013 as my test platform (and that’s what I’ll be using myself later anyway). I set up a new account, point to the right ports on 127.0.0.1, and the test times out, with:
Log onto incoming mail server (POP3): The operation timed out waiting for a response from the receiving (POP) server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).
Send test e-mail message: The operation timed out waiting for a response from the sending (SMTP) server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).
Here’s my stunnel.conf, with blank lines and comments removed:
client = yes
output = C:\temp\stunnel-log.txt
taskbar = yes
debug = 7
[POP3 Incoming]
protocol = pop3
accept = 127.0.0.1:1110
connect = pop.cox.net:995
protocol = smtp
accept = 127.0.0.1:25
connect = smtp.cox.net:465
Yes, that’s port 1110, since K9 is using 110. Shouldn’t matter, right? (As long as I point the client at 1110, obviously!)
Yes, I have protocol = pop3 and protocol = smtp; I’ve tried commenting them out individually, no change that I can see.
Yes, I’m running stunnel explicitly, not as a service—I found threads suggesting that it just doesn’t work as a service on Windows 7 for some reason (and in fact beat my head against that wall for a while first).
And here’s the stunnel log:
2018.01.17 21:29:24 LOG7[main]: Running on Windows 6.1
2018.01.17 21:29:24 LOG7[main]: No limit detected for the number of clients
2018.01.17 21:29:24 LOG5[main]: stunnel 5.44 on x86-pc-msvc-1500 platform
2018.01.17 21:29:24 LOG5[main]: Compiled/running with OpenSSL 1.0.2m-fips 2 Nov 2017
2018.01.17 21:29:24 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2018.01.17 21:29:24 LOG7[main]: errno: (*_errno())
2018.01.17 21:29:24 LOG7[ui]: GUI message loop initialized
2018.01.17 21:29:24 LOG7[main]: Running on Windows 6.1
2018.01.17 21:29:24 LOG5[main]: Reading configuration from file stunnel.conf
2018.01.17 21:29:24 LOG5[main]: UTF-8 byte order mark not detected
2018.01.17 21:29:24 LOG5[main]: FIPS mode disabled
2018.01.17 21:29:24 LOG7[main]: Compression disabled
2018.01.17 21:29:24 LOG7[main]: Snagged 64 random bytes from C:/.rnd
2018.01.17 21:29:24 LOG7[main]: Wrote 0 new random bytes to C:/.rnd
2018.01.17 21:29:24 LOG7[main]: PRNG seeded successfully
2018.01.17 21:29:24 LOG6[main]: Initializing service [POP3 Incoming]
2018.01.17 21:29:24 LOG7[main]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
2018.01.17 21:29:24 LOG7[main]: TLS options: 0x03000004 (+0x03000000, -0x00000000)
2018.01.17 21:29:24 LOG7[main]: No certificate or private key specified
2018.01.17 21:29:24 LOG4[main]: Service [POP3 Incoming] needs authentication to prevent MITM attacks
2018.01.17 21:29:24 LOG5[main]: Configuration successful
2018.01.17 21:29:24 LOG7[main]: Binding service [POP3 Incoming]
2018.01.17 21:29:24 LOG7[main]: Listening file descriptor created (FD=460)
2018.01.17 21:29:24 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2018.01.17 21:29:24 LOG7[main]: Service [POP3 Incoming] (FD=460) bound to 127.0.0.1:1110
2018.01.17 21:29:24 LOG7[main]: Listening file descriptor created (FD=464)
2018.01.17 21:29:24 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
2018.01.17 21:29:24 LOG7[main]: Service [POP3 Incoming] (FD=464) bound to 127.0.0.1:25
2018.01.17 21:29:24 LOG7[cron]: Cron thread initialized
2018.01.17 21:29:50 LOG7[main]: Found 1 ready file descriptor(s)
2018.01.17 21:29:50 LOG7[main]: FD=424 ifds=r-x ofds=---
2018.01.17 21:29:50 LOG7[main]: FD=460 ifds=r-x ofds=r--
2018.01.17 21:29:50 LOG7[main]: Service [POP3 Incoming] accepted (FD=488) from 127.0.0.1:54855
2018.01.17 21:29:50 LOG7[main]: Creating a new thread
2018.01.17 21:29:50 LOG7[main]: New thread created
2018.01.17 21:29:50 LOG7[0]: Service [POP3 Incoming] started
2018.01.17 21:29:50 LOG7[0]: Option TCP_NODELAY set on local socket
2018.01.17 21:29:50 LOG5[0]: Service [POP3 Incoming] accepted connection from 127.0.0.1:54855
2018.01.17 21:29:50 LOG6[0]: failover: round-robin, starting at entry #1
2018.01.17 21:29:50 LOG6[0]: s_connect: connecting 68.6.19.8:465
2018.01.17 21:29:50 LOG7[0]: s_connect: s_poll_wait 68.6.19.8:465: waiting 10 seconds
2018.01.17 21:29:50 LOG5[0]: s_connect: connected 68.6.19.8:465
2018.01.17 21:29:50 LOG5[0]: Service [POP3 Incoming] connected remote server from 192.168.1.17:54856
2018.01.17 21:29:50 LOG7[0]: Option TCP_NODELAY set on remote socket
2018.01.17 21:29:50 LOG7[0]: Remote descriptor (FD=508) initialized
2018.01.17 21:30:24 LOG6[cron]: Executing cron jobs
2018.01.17 21:30:24 LOG6[cron]: Cron jobs completed in 0 seconds
2018.01.17 21:30:24 LOG7[cron]: Waiting 86400 seconds
2018.01.17 21:31:05 LOG7[main]: Found 1 ready file descriptor(s)
2018.01.17 21:31:05 LOG7[main]: FD=424 ifds=r-x ofds=---
2018.01.17 21:31:05 LOG7[main]: FD=460 ifds=r-x ofds=---
2018.01.17 21:31:05 LOG7[main]: Service [POP3 Incoming] accepted (FD=528) from 127.0.0.1:54891
2018.01.17 21:31:05 LOG7[main]: Creating a new thread
2018.01.17 21:31:05 LOG7[main]: New thread created
2018.01.17 21:31:05 LOG7[1]: Service [POP3 Incoming] started
2018.01.17 21:31:05 LOG7[1]: Option TCP_NODELAY set on local socket
2018.01.17 21:31:05 LOG5[1]: Service [POP3 Incoming] accepted connection from 127.0.0.1:54891
2018.01.17 21:31:05 LOG6[1]: failover: round-robin, starting at entry #0
2018.01.17 21:31:05 LOG6[1]: s_connect: connecting 146.20.147.245:995
2018.01.17 21:31:05 LOG7[1]: s_connect: s_poll_wait 146.20.147.245:995: waiting 10 seconds
2018.01.17 21:31:05 LOG5[1]: s_connect: connected 146.20.147.245:995
2018.01.17 21:31:05 LOG5[1]: Service [POP3 Incoming] connected remote server from 192.168.1.17:54892
2018.01.17 21:31:05 LOG7[1]: Option TCP_NODELAY set on remote socket
2018.01.17 21:31:05 LOG7[1]: Remote descriptor (FD=336) initialized
2018.01.17 21:34:05 LOG3[1]: Unexpected socket close (s_read)
2018.01.17 21:34:05 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.01.17 21:34:05 LOG7[1]: Remote descriptor (FD=336) closed
2018.01.17 21:34:05 LOG7[1]: Local descriptor (FD=528) closed
2018.01.17 21:34:05 LOG7[1]: Service [POP3 Incoming] finished (1 left)
2018.01.17 21:34:05 LOG7[1]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
2018.01.17 21:34:05 LOG7[1]: str_stats: 32 byte(s) at ..\src\network.c:680
2018.01.17 21:34:50 LOG6[0]: s_read: s_poll_wait: TIMEOUTbusy exceeded: sending reset
2018.01.17 21:34:50 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.01.17 21:34:50 LOG7[0]: Remote descriptor (FD=508) closed
2018.01.17 21:34:50 LOG7[0]: Local descriptor (FD=488) closed
2018.01.17 21:34:50 LOG7[0]: Service [POP3 Incoming] finished (0 left)
2018.01.17 21:34:50 LOG7[0]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
2018.01.17 21:34:50 LOG7[0]: str_stats: 32 byte(s) at ..\src\network.c:680
It looks like it connects, but then just sits there?!
I see these:
No certificate or private key specified
Service [POP3 Incoming] needs authentication to prevent MITM attacks
but that’s during startup. Or are those significant?
I feel like I’m one setting away from having this all work…!
Thanks in advance for any suggestions.
--
...phsiii
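An added example, not part of the post or of stunnel itself: the log shows one service, [POP3 Incoming], bound to both 127.0.0.1:1110 and 127.0.0.1:25 and round-robining between the two connect targets, which is what stunnel does when a second protocol/accept/connect group has no section header of its own. The parser below reads a stunnel.conf (assuming only `[section]` headers and `;` comments as syntax) and reports any service carrying more than one protocol or accept line; SAMPLE_CONF is a constructed copy of the configuration quoted above.

```python
"""Sanity-check a stunnel.conf for services that accidentally merged."""
from collections import defaultdict

# Constructed copy of the configuration quoted in the post (not the
# poster's file itself); there is no [SMTP ...] header before the
# second protocol/accept/connect group.
SAMPLE_CONF = """
client = yes
output = C:\\temp\\stunnel-log.txt
taskbar = yes
debug = 7
[POP3 Incoming]
protocol = pop3
accept = 127.0.0.1:1110
connect = pop.cox.net:995
protocol = smtp
accept = 127.0.0.1:25
connect = smtp.cox.net:465
"""

def parse_stunnel_conf(text):
    """Return {section: {key: [values]}}, global options under None.
    Repeated keys are kept as lists, mirroring stunnel's treatment of
    repeated accept/connect lines (extra listeners, failover targets)."""
    sections = {None: defaultdict(list)}
    current = None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip()
            sections.setdefault(current, defaultdict(list))
            continue
        key, _, value = line.partition('=')
        sections[current][key.strip()].append(value.strip())
    return sections

def find_merged_services(sections):
    """Flag services with more than one protocol or accept line, which
    almost always means a missing [section] header between two services."""
    problems = []
    for name, opts in sections.items():
        if name is None:
            continue
        for key in ('protocol', 'accept'):
            if len(opts.get(key, [])) > 1:
                problems.append((name, key, list(opts[key])))
    return problems
```

Running find_merged_services(parse_stunnel_conf(SAMPLE_CONF)) reports the two protocol and two accept lines under [POP3 Incoming]; inserting a header such as [SMTP Outgoing] before the second group makes the report empty.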