Hi Peter,
Everything ok, sending smtp messages.
Thanks a lot for your advice.
If you ever come to Barcelona (Spain) I owe you a beer.
Best regards.
-----Original Message-----
From: Peter Pentchev [mailto:roam@ringlet.net]
Sent: Wednesday, November 20, 2013 12:26 PM
To: edu.bit.es@gmail.com
Cc: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] setup stunnel problem
On Wed, Nov 20, 2013 at 11:52:05AM +0100, edu.bit.es@gmail.com wrote:
Hi and thanks for your response.
Attached is the log file (stunnel.txt) and the config file (stunnelconf.txt).
Thanks a lot.
Thanks for showing us the logs and for your patience :)
OK, so here's what stunnel has to say about the actual connection: [snip]
2013.11.20 05:48:59 LOG5[14516:16268]: Service [gmail-smtp] connected remote server from 192.168.1.10:29290
2013.11.20 05:48:59 LOG7[14516:16268]: Remote socket (FD=472) initialized
2013.11.20 05:48:59 LOG7[14516:16268]: SNI: sending servername: smtp.gmail.com
2013.11.20 05:48:59 LOG7[14516:16268]: SSL state (connect): before/connect initialization
2013.11.20 05:48:59 LOG7[14516:16268]: SSL state (connect): SSLv2/v3 write client hello A
2013.11.20 05:48:59 LOG3[14516:16268]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2013.11.20 05:48:59 LOG5[14516:16268]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
So it says that it has connected to smtp.gmail.com on the port that you specified and that the Gmail SMTP server did not speak proper SSL to it. Now let's see if we can figure out why the Gmail SMTP server doesn't want to speak SSL to us:
[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:587
OK, so this says several things:
- listen on port 25 of our local machine
- accept cleartext traffic on port 25 of our local machine
- once a client connects, create a new connection to port 587 of smtp.gmail.com
- speak SSL to smtp.gmail.com:587 - that is, expect smtp.gmail.com to speak SSL to us if we connect to its port 587
Well, let's see if it does:
[roam@straylight ~]$ telnet smtp.gmail.com 587
Trying 74.125.136.108...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP i1sm58627991eeg.0 - gsmtp
No, it doesn't. Port 587 is usually used for the "mail submission" service which speaks plain simplified SMTP - plain as in "not encrypted" as in "not SSL". You have configured Stunnel to (as it should) speak SSL to the remote side, so you ought to tell it to either:
- connect to a service that starts speaking SSL straight away, or
- tell it to expect the remote service to not speak SSL straight away and tell it how to negotiate an SSL connection with it
In your first message you mentioned port 465; it is usually used for the "secure SMTP" service, which *does* start speaking SSL straight away. This is actually the first option: so what happens (show us the logfiles if it doesn't work) if you put 465 instead of 587 in your Stunnel configuration for the gmail-smtp service?
Another option would be to add another line to the gmail-smtp service:

protocol = smtp

This tells Stunnel that the remote is actually an SMTP (or SMTP-like) server that will understand a "STARTTLS" command and, hopefully, respond with a "2xx Ready to start a TLS conversation with you" message. This might fix the problem, too - it is option 2 from the above (negotiate an SSL connection with a non-SSL service).
I'd try using port 465 first; if it doesn't work, show us the logs again.
G'luck,
Peter
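
Added example, not part of the original thread and not stunnel's own code: a small lint for stunnel.conf text that flags the mismatch diagnosed above (a client-mode service connecting to a cleartext-first SMTP port without "protocol = smtp") and accepts both fixes suggested in the thread. The function names and the port table (25 and 587 treated as STARTTLS ports) are assumptions of this example.

```python
import re

# Assumption of this example: standard SMTP ports where the server sends a
# cleartext "220" greeting first and only upgrades to TLS after STARTTLS.
STARTTLS_PORTS = {25: "smtp", 587: "smtp"}

def parse_services(conf_text):
    """Parse stunnel.conf text into {service_name: {option: value}}."""
    services, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                # start of a [service] section
            current = services.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key.lower()] = value
    return services

def check_service(name, opts):
    """Return a finding if a client-mode service would send a TLS ClientHello
    to a port that expects cleartext first; otherwise return None."""
    if opts.get("client", "no").lower() != "yes":
        return None
    port = opts.get("connect", "").rsplit(":", 1)[-1]
    wanted = STARTTLS_PORTS.get(int(port)) if port.isdigit() else None
    if wanted and opts.get("protocol") != wanted:
        return (f"[{name}] connect port {port} greets in cleartext; "
                f"add 'protocol = {wanted}' or connect to an implicit-TLS port")
    return None

def lint(conf_text):
    """Return the list of findings for every service in the configuration."""
    results = [check_service(n, o) for n, o in parse_services(conf_text).items()]
    return [r for r in results if r]

# The configuration from the thread, followed by the two suggested fixes.
BROKEN = """[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:587
"""
FIX_PORT = BROKEN.replace(":587", ":465")      # option 1: implicit TLS port
FIX_PROTOCOL = BROKEN + "protocol = smtp\n"    # option 2: negotiate STARTTLS

if __name__ == "__main__":
    for label, conf in [("broken", BROKEN), ("port 465", FIX_PORT),
                        ("protocol = smtp", FIX_PROTOCOL)]:
        print(label, "->", lint(conf) or "ok")
```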