So if both sides can do TLS natively, why the need for stunnel? Not saying you shouldn't, just asking...

Do you control the postfix side?




------ Original Message ------
From "James Thornton" <james@jamesthornton.com>
To "Stewart Anderson" <stuson_2000@yahoo.co.uk>; stunnel-users@stunnel.org
Date 09/10/2023 04:20:16
Subject [stunnel-users] Re: stunnel smtp tls frontend server/proxy for remote backend postfix

The direction is mail sent from an external email address to stunnel (running on google cloud) for delivery to a postfix mailbox running on a local network.

I posted this question on serverfault (https://serverfault.com/questions/1145279/stunnel-smtp-tls-frontend-server-proxy-for-remote-backend-postfix), and someone said the problem may be either that stunnel strips the IP and/or that the sender is trying to switch to TLS on postfix, not realizing the TLS connection has already been made by stunnel.



On Sat, Oct 7, 2023 at 9:22 AM Stewart Anderson <stuson_2000@yahoo.co.uk> wrote:
Client and server will both negotiate SSL.  Your server mode is presenting a certificate.

It's not clear from your config/text which direction your traffic is going !!

If it's incoming from Google to your postfix server then server mode is correct.  Stunnel will negotiate the SSL and then forward to postfix in clear.  If the handshake isn't happening, have you put Google's cert in your CA certs somewhere?

What confuses it for me is the Google internal IP reference. If you are getting traffic from Google then stunnel would need to be accepting on the host where stunnel is, so only a port is required in the accept. This can be on a machine in your DMZ or behind a firewall, e.g. on or close to your postfix server.

Hope that helps. 




On 6 October 2023 05:51:14 "james@jamesthornton.com" <james@jamesthornton.com> wrote:

I'm running stunnel in server mode and listening on port 587 and trying to connect to a remote postfix server running on port 25.

NB: the two servers are connected via ZeroTier, which may or may not be relevant to the issue.

DEBUG = 7

[ssmtp]
protocol = smtp
accept = google_cloud_internal_ip:587
connect = remote_zerotier_postfix_ip:25
cert = /etc/stunnel/domain.pem

I thought this would set up stunnel to handle the TLS handshake and terminate the TLS connection, while proxying to the backend postfix server without requiring postfix to worry about TLS. But I'm getting LOG3[0]: STARTTLS expected when stunnel tries to connect to postfix. If I put stunnel in client mode, then it doesn't negotiate the incoming TLS (right?).

What am I missing?
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org



--
James Thornton, http://electricspeed.com
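The check a practitioner would run before changing either the stunnel or the Postfix side of the setup discussed in this thread: connect to each listener the way a sending MTA does and see whether it greets in cleartext (a STARTTLS-style endpoint, which is what stunnel's `protocol = smtp` provides on the accept side) or says nothing and waits for a TLS ClientHello (implicit TLS, which is what a server-mode stunnel service without a `protocol` line expects). Run against port 587 on the stunnel host and port 25 on the Postfix host, it also shows whether the backend's own EHLO reply advertises STARTTLS, which is the double-TLS case raised on serverfault: a sender that already has a TLS session to stunnel will see that keyword through the cleartext forward and may try to start a second TLS layer. This is an added example, not code from the thread, from stunnel or from Postfix; the fake listener is a constructed fixture so the probe runs offline, and `probe.invalid` / `fake.invalid` are placeholder names.

```python
"""Probe how an SMTP listener expects TLS to start.

Added example for this thread, not stunnel's or Postfix's code.  The fake
server is a constructed fixture; "probe.invalid"/"fake.invalid" are placeholders.
"""
import socket
import ssl
import threading


def read_reply(sock):
    """Read one SMTP reply.  The final line has a space after the code
    ("250 ..."); continuation lines use a dash ("250-...")."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:                      # peer hung up
            break
        buf += chunk
        if any(len(l) >= 4 and l[:3].isdigit() and l[3:4] == b" "
               for l in buf.split(b"\r\n")[:-1]):
            break
    return buf.decode("ascii", "replace")


def parse_ehlo(reply):
    """Return the EHLO keywords in a 250 reply; the first line is the domain."""
    caps = set()
    for line in reply.splitlines()[1:]:
        words = line[4:].split()
        if line.startswith("250") and words:
            caps.add(words[0].upper())
    return caps


def probe_smtp_listener(host, port, timeout=3.0):
    """Classify a listener as 'starttls', 'cleartext-only', 'implicit-tls',
    'silent' (no greeting and no TLS either) or 'unknown'."""
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        try:
            banner = read_reply(s)
        except socket.timeout:             # nothing said within `timeout`
            banner = ""
        if banner.startswith("220"):       # cleartext greeting: STARTTLS-style
            s.sendall(b"EHLO probe.invalid\r\n")
            caps = parse_ehlo(read_reply(s))
            s.sendall(b"QUIT\r\n")
            mode = "starttls" if "STARTTLS" in caps else "cleartext-only"
            return {"mode": mode, "caps": sorted(caps)}
        if banner:
            return {"mode": "unknown", "detail": banner.strip()}
        # Silent listener: it wants a TLS ClientHello first.  Verification is
        # off because this is a classification probe, not a trusting client.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            tls = ctx.wrap_socket(s, server_hostname=host)
        except OSError as exc:             # ssl.SSLError is an OSError
            return {"mode": "silent", "detail": str(exc)}
        tls_banner = read_reply(tls)
        tls.sendall(b"QUIT\r\n")
        tls.close()
        return {"mode": "implicit-tls", "banner": tls_banner.strip()}
    finally:
        s.close()


def fake_smtp_server(greeting, caps):
    """Constructed fixture: one-shot cleartext SMTP listener on 127.0.0.1.
    greeting=None keeps it silent and hangs up after the first bytes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
        finally:
            srv.close()
        conn.settimeout(5)
        with conn:
            if greeting is None:
                conn.recv(1024)            # swallow the ClientHello, then close
                return
            conn.sendall(greeting)
            while True:
                line = conn.recv(1024)
                if not line or line.upper().startswith(b"QUIT"):
                    return
                if line.upper().startswith(b"EHLO"):
                    lines = [b"250-fake.invalid"] + [b"250-" + c for c in caps]
                    lines[-1] = b"250 " + lines[-1][4:]   # last line: space
                    conn.sendall(b"\r\n".join(lines) + b"\r\n")
                else:
                    conn.sendall(b"502 not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    p = fake_smtp_server(b"220 fake.invalid ESMTP\r\n", [b"PIPELINING", b"STARTTLS"])
    print(probe_smtp_listener("127.0.0.1", p, timeout=1))
    p = fake_smtp_server(None, [])
    print(probe_smtp_listener("127.0.0.1", p, timeout=1))
```

The probe waits the full `timeout` before trying TLS because a real implicit-TLS listener sends nothing until it sees a ClientHello; run it against the two real hosts with their actual addresses in place of the fixture, and compare what the stunnel port and the Postfix port each report.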