On Sat, 26 Mar 2011, Michal Trojnara wrote:
> Interesting. I can't see any obvious mistake in your configuration.
> With this type of problem "tcpdump", "iptables -L -v", and "dmesg" are your friends.
> Best regards, Michal Trojnara
I've tried several times to get stunnel to work as a transparent smtps proxy. I just tried again using stunnel 4.36 and, as you suggested, used tcpdump in several places to attempt further debugging. It always just times out: the stunnel log file shows a timeout, and my mail client times out too.
There are no obvious messages indicating the problem in dmesg or any logs.
To me, my firewall rules look fine.
With tcpdump on lo, I can see the traffic getting forwarded:
15:48:23.228526 IP fw1.pensivo.com.52370 > guru.webcon.net.smtp: S 3107220597:3107220597(0) win 32792 <mss 16396,sackOK,timestamp 128780080 0,nop,wscale 5>
With tcpdump on eth0, I can see some kind of response going out:
15:48:23.228554 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) guru.webcon.net.smtp > fw1.pensivo.com.52370: S, cksum 0x70bc (incorrect (-> 0x91ef), 3106887726:3106887726(0) ack 3107220598 win 14480 <mss 1460,sackOK,timestamp 128780080 128774822,nop,wscale 5>
but it seems too small and doesn't seem like enough traffic.
The incorrect cksums seem to be a red herring. I suspect it's really just an artifact due to hardware checksum offload. The packets make it back to my mail client box with valid checksums.
My mail server has net.ipv4.conf.all.rp_filter = 0. My ASSP maillog never shows a connection, refused or otherwise for the transparent proxied connection, even with the debug level very high.
Can you make any other suggestions?
Failing that, would you be willing to debug this interactively?
If you can respond off the list with a dollar amount, or a referral to a contractor who would know what the tcpdump traffic should look like and could debug this install easily, that would be very much appreciated. I've been periodically spinning my wheels on this for too long.
Regards, Robert Hardy
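As an added diagnostic aid (not part of the thread), a small Python check that parses the two tcpdump lines quoted above, confirms that the SYN-ACK seen on eth0 is the answer to the SYN seen on lo (ack == seq + 1, addresses reversed), and records that the two halves of the handshake were captured on different interfaces. The captures are copied from the mail; the regex and function names are assumptions made here.

```python
import re

# Constructed sample: the two tcpdump lines quoted in the mail, keyed by the
# interface each was captured on (SYN on lo, SYN-ACK on eth0).
CAPTURES = {
    "lo": "15:48:23.228526 IP fw1.pensivo.com.52370 > guru.webcon.net.smtp: S 3107220597:3107220597(0) win 32792 <mss 16396,sackOK,timestamp 128780080 0,nop,wscale 5>",
    "eth0": "15:48:23.228554 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) guru.webcon.net.smtp > fw1.pensivo.com.52370: S, cksum 0x70bc (incorrect (-> 0x91ef), 3106887726:3106887726(0) ack 3107220598 win 14480 <mss 1460,sackOK,timestamp 128780080 128774822,nop,wscale 5>",
}

# Matches both tcpdump output styles on the page: the short form and the
# verbose form with a "(tos ..., length: N)" IP header block before the addresses.
SYN_RE = re.compile(
    r"^(?P<ts>\S+) IP (?:\(.*?\) )?(?P<src>\S+) > (?P<dst>\S+): S\b"
    r".*?(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

def parse_syn(line):
    """Return src/dst/seq/ack for a SYN or SYN-ACK line, or None otherwise."""
    m = SYN_RE.match(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "seq": int(m["seq"]),
        "ack": int(m["ack"]) if m["ack"] else None,
        # "incorrect" on a locally generated packet usually means checksum
        # offload: the NIC fills the checksum in after tcpdump copies the frame.
        "cksum_flagged": "incorrect" in line,
    }

def check_handshake(captures):
    """Pair the SYN with its SYN-ACK and report whether they match and whether
    both were seen on the same interface (they were not, in this capture)."""
    syn = synack = None
    for iface, line in captures.items():
        seg = parse_syn(line)
        if seg is None:
            continue
        if seg["ack"] is None:
            syn = (iface, seg)
        else:
            synack = (iface, seg)
    if syn is None or synack is None:
        return {"paired": False, "reason": "SYN or SYN-ACK missing"}
    s, a = syn[1], synack[1]
    paired = a["ack"] == s["seq"] + 1 and a["src"] == s["dst"] and a["dst"] == s["src"]
    return {"paired": paired, "syn_iface": syn[0], "synack_iface": synack[0],
            "same_iface": syn[0] == synack[0], "synack_cksum_flagged": a["cksum_flagged"]}

if __name__ == "__main__":
    print(check_handshake(CAPTURES))
```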