I've been fighting with stunnel, trying to get its transparent proxy support to work. No matter what I do, as soon as transparent = source support is turned on, tests with my mail client just time out.
If I turn transparent proxy support off it works but appears as if connections are from localhost, which is undesirable.
My goal is to have stunnel listen on *:465 and provide SSL-protected connections, which appear to arrive from the remote client IP, to my mail server's external IP address on port 25. My mail server and the firewall with the rules on it are the same physical machine.
Can someone please make some suggestions as to what else I can try to get this working?
I'm running Linux 2.6.38 on a current CentOS/RHEL 5 box and I've got modules built for most netfilter options, including:

```
NF_CONNTRACK=m
NETFILTER_TPROXY=m
NETFILTER_XT_MATCH_SOCKET=m
NETFILTER_XT_TARGET_TPROXY=m
```

```
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/ip_forward = 1
```

This is my stunnel config:

```
cert = /etc/stunnel/assps.crt
key = /etc/stunnel/assps.key
pid = /var/run/stunnel/stunnel_smtps.pid
verify = 0
debug = 7
output = /var/log/stunnel_smtps.log
TIMEOUTconnect = 60

[smtps]
accept = 465
connect = MY_EXTERNAL_IP:25
transparent = source
```
My stunnel seems happy with the DH Parameters in my cert file.
My relevant firewall rules:

```
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
```
```
# stunnel -version
stunnel 4.35 on i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 July 2008
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug           = daemon.notice
pid             = /var/run/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /etc/stunnel/stunnel.pem
ciphers         = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
curve           = sect163r2
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = SSLv3 for client, all for server
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none
```

```
# stunnel -sockets
Socket option defaults:
    Option           Accept  Local   Remote  OS default
    SO_DEBUG         --      --      --      0
    SO_DONTROUTE     --      --      --      0
    SO_KEEPALIVE     --      --      --      0
    SO_LINGER        --      --      --      0:0
    SO_OOBINLINE     --      --      --      0
    SO_RCVBUF        --      --      --      87380
    SO_SNDBUF        --      --      --      16384
    SO_RCVLOWAT      --      --      --      1
    SO_SNDLOWAT      --      --      --      1
    SO_RCVTIMEO      --      --      --      0:0
    SO_SNDTIMEO      --      --      --      0:0
    SO_REUSEADDR     1       --      --      0
    SO_BINDTODEVICE  --      --      --      --
    TCP_KEEPCNT      --      --      --      9
    TCP_KEEPIDLE     --      --      --      7200
    TCP_KEEPINTVL    --      --      --      75
    IP_TOS           --      --      --      0
    IP_TTL           --      --      --      64
    TCP_NODELAY      --      --      --      0
```
Here is the log file with the connection timeout:

```
2011.03.20 15:26:43 LOG5[23214:3073877712]: Reading configuration from file /etc/stunnel/stunnel-assp_smtps.conf
2011.03.20 15:26:43 LOG7[23214:3073877712]: Snagged 64 random bytes from /root/.rnd
2011.03.20 15:26:43 LOG7[23214:3073877712]: Wrote 1024 new random bytes to /root/.rnd
2011.03.20 15:26:43 LOG7[23214:3073877712]: PRNG seeded successfully
2011.03.20 15:26:43 LOG7[23214:3073877712]: Using DH parameters from /etc/stunnel/assps.crt
2011.03.20 15:26:43 LOG6[23214:3073877712]: DH initialized with 512 bit key
2011.03.20 15:26:43 LOG7[23214:3073877712]: Certificate: /etc/stunnel/assps.crt
2011.03.20 15:26:43 LOG7[23214:3073877712]: Certificate loaded
2011.03.20 15:26:43 LOG7[23214:3073877712]: Key file: /etc/stunnel/assps.key
2011.03.20 15:26:43 LOG7[23214:3073877712]: Private key loaded
2011.03.20 15:26:43 LOG7[23214:3073877712]: SSL context initialized for service smtps
2011.03.20 15:26:43 LOG5[23214:3073877712]: Configuration successful
2011.03.20 15:26:43 LOG5[23214:3073877712]: No limit detected for the number of clients
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=3 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=5 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=5 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=6 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=6 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=7 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=7 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=8 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: signal_pipe: FD=9 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: signal_pipe: FD=10 allocated (blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: accept socket: FD=11 allocated (non-blocking mode)
2011.03.20 15:26:43 LOG7[23214:3073877712]: Option SO_REUSEADDR set on accept socket
2011.03.20 15:26:43 LOG7[23214:3073877712]: Service smtps bound to 0.0.0.0:465
2011.03.20 15:26:43 LOG7[23214:3073877712]: Service smtps opened FD=11
2011.03.20 15:26:44 LOG7[23220:3073877712]: Created pid file /var/run/stunnel/stunnel_smtps.pid
2011.03.20 15:26:44 LOG5[23220:3073877712]: stunnel 4.35 on i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
2011.03.20 15:26:44 LOG5[23220:3073877712]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2011.03.20 15:26:56 LOG7[23220:3073877712]: local socket: FD=0 allocated (non-blocking mode)
2011.03.20 15:26:56 LOG7[23220:3073877712]: Service smtps accepted FD=0 from MY_TESTING_CLIENT_IP:56765
2011.03.20 15:26:56 LOG7[23220:3073874832]: Service smtps started
2011.03.20 15:26:56 LOG7[23220:3073874832]: Option TCP_NODELAY set on local socket
2011.03.20 15:26:56 LOG7[23220:3073874832]: Waiting for a libwrap process
2011.03.20 15:26:56 LOG7[23220:3073874832]: Acquired libwrap process #0
2011.03.20 15:26:56 LOG7[23220:3073874832]: Releasing libwrap process #0
2011.03.20 15:26:56 LOG7[23220:3073874832]: Released libwrap process #0
2011.03.20 15:26:56 LOG7[23220:3073874832]: Service smtps permitted by libwrap from MY_TESTING_CLIENT_IP:56765
2011.03.20 15:26:56 LOG5[23220:3073874832]: Service smtps accepted connection from MY_TESTING_CLIENT_IP:56765
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): before/accept initialization
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read client hello A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write server hello A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write certificate A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write certificate request A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 flush data
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL alert (read): warning: no certificate
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read client key exchange A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read finished A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write change cipher spec A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write finished A
2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 flush data
2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 items in the session cache
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client connects (SSL_connect())
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client connects that finished
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client renegotiations requested
2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 server connects (SSL_accept())
2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 server connects that finished
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 server renegotiations requested
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 session cache hits
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 external session cache hits
2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 session cache misses
2011.03.20 15:26:57 LOG7[23220:3073874832]: 0 session cache timeouts
2011.03.20 15:26:57 LOG6[23220:3073874832]: SSL accepted: new session negotiated
2011.03.20 15:26:57 LOG6[23220:3073874832]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2011.03.20 15:26:57 LOG7[23220:3073874832]: remote socket: FD=1 allocated (non-blocking mode)
2011.03.20 15:26:57 LOG6[23220:3073874832]: local_bind succeeded on the original port
2011.03.20 15:26:57 LOG6[23220:3073874832]: connect_blocking: connecting MY_EXTERNAL_IP:25
2011.03.20 15:26:57 LOG7[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: waiting 60 seconds
2011.03.20 15:27:57 LOG3[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: TIMEOUTconnect exceeded
2011.03.20 15:27:57 LOG5[23220:3073874832]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.03.20 15:27:57 LOG7[23220:3073874832]: Service smtps finished (0 left)
2011.03.20 15:29:21 LOG7[23220:3073877712]: Dispatching signals from the signal pipe
2011.03.20 15:29:21 LOG5[23220:3073877712]: Received signal 15; terminating
2011.03.20 15:29:21 LOG7[23220:3073877712]: removing pid file /var/run/stunnel/stunnel_smtps.pid
```
The only even slightly odd thing I see, other than the timeouts, is this line: `2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL alert (read): warning: no certificate`

I'm not sure what that is about, but it doesn't seem critical...