Hello,
A company which we work with wants to send secure (TLS) mails to our server. I think stunnel can do the trick for me, as our own server (Scalix) doesn't support TLS by itself. Now I set up stunnel and it looks like it's working, except it's not receiving secured mails. I can still receive normal mails, so somehow it is not working.
I used the sample config and filled in the things I thought I needed. My config:
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
; Remember also to update the logrotate configuration.
;chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
;setuid = nobody
;setgid = nogroup

; PID file is created inside the chroot jail (if enabled)
;pid = /usr/local/var/run/stunnel.pid

; Debugging stuff (may be useful for troubleshooting)
debug = 7
output = stunnel.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

client = no
; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/local/etc/stunnel/crls.pem

;sslVersion = all
; Enable support for the insecure SSLv2 protocol
;options = NO_SSLv2
; Enable support for the insecure SSLv3 protocol
;options = NO_SSLv3
; Workaround for Eudora bug
; options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; Example SSL server mode services

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

[ssmtp]
accept  = 192.168.1.102:25
connect = 192.168.1.102:26
protocol = smtp

; Example SSL client mode services

;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995

;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465

; Example SSL front-end to a web server

;[https]
;accept  = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

; vim:ft=dosini
This is what I see in the logfiles for the mails I don't receive:
2015.03.21 14:56:46 LOG7[main]: Service [ssmtp] accepted (FD=12) from 207.46.163.207:8478
2015.03.21 14:56:46 LOG7[2]: <- EHLO na01-by2-obe.outbound.protection.outlook.com
2015.03.21 14:56:46 LOG7[2]: -> 250-mailserver.mydomain.nl
2015.03.21 14:56:46 LOG7[2]: -> 250 STARTTLS
2015.03.21 14:56:46 LOG7[1]: SSL state (accept): SSLv3 read client key exchange A
2015.03.21 14:56:46 LOG7[1]: SSL state (accept): SSLv3 read finished A
2015.03.21 14:56:46 LOG7[1]: SSL state (accept): SSLv3 write change cipher spec A
2015.03.21 14:56:46 LOG7[1]: SSL state (accept): SSLv3 write finished A
2015.03.21 14:56:46 LOG7[1]: SSL state (accept): SSLv3 flush data
2015.03.21 14:56:46 LOG7[1]: 1 items in the session cache
2015.03.21 14:56:46 LOG7[1]: 0 client connects (SSL_connect())
2015.03.21 14:56:46 LOG7[1]: 0 client connects that finished
2015.03.21 14:56:46 LOG7[1]: 0 client renegotiations requested
2015.03.21 14:56:46 LOG7[1]: 1 server connects (SSL_accept())
2015.03.21 14:56:46 LOG7[1]: 1 server connects that finished
2015.03.21 14:56:46 LOG7[1]: 0 server renegotiations requested
2015.03.21 14:56:46 LOG7[1]: 0 session cache hits
2015.03.21 14:56:46 LOG7[1]: 0 external session cache hits
2015.03.21 14:56:46 LOG7[1]: 0 session cache misses
2015.03.21 14:56:46 LOG7[1]: 0 session cache timeouts
2015.03.21 14:56:46 LOG6[1]: No peer certificate received
2015.03.21 14:56:46 LOG6[1]: SSL accepted: new session negotiated
2015.03.21 14:56:46 LOG6[1]: Negotiated TLSv1 ciphersuite AES256-SHA (256-bit encryption)
2015.03.21 14:56:46 LOG7[1]: Compression: null, expansion: null
2015.03.21 14:56:46 LOG7[3]: Service [ssmtp] started
2015.03.21 14:56:46 LOG5[3]: Service [ssmtp] accepted connection from 207.46.163.207:8478
2015.03.21 14:56:46 LOG6[3]: s_connect: connecting 192.168.1.102:26
2015.03.21 14:56:46 LOG7[3]: s_connect: s_poll_wait 192.168.1.102:26: waiting 10 seconds
2015.03.21 14:56:46 LOG5[3]: s_connect: connected 192.168.1.102:26
2015.03.21 14:56:46 LOG5[3]: Service [ssmtp] connected remote server from 192.168.1.102:22148
2015.03.21 14:56:46 LOG7[3]: Remote socket (FD=13) initialized
2015.03.21 14:56:46 LOG6[1]: Read socket closed (readsocket)
2015.03.21 14:56:46 LOG7[1]: Sending close_notify alert
2015.03.21 14:56:46 LOG7[1]: SSL alert (write): warning: close notify
2015.03.21 14:56:46 LOG6[1]: SSL_shutdown successfully sent close_notify alert
2015.03.21 14:56:46 LOG7[2]: <- STARTTLS
2015.03.21 14:56:46 LOG7[2]: -> 220 Go ahead
2015.03.21 14:56:46 LOG7[2]: SSL state (accept): before/accept initialization
2015.03.21 14:56:46 LOG7[3]: RFC 2487 detected
2015.03.21 14:56:46 LOG7[3]: <- 220 mailserver.rsconsultancy.nl ESMTP Scalix SMTP Relay 11.4.6.13676; Sat, 21 Mar 2015 14:56:46 +0100 (CET)
2015.03.21 14:56:46 LOG7[3]: -> 220 mailserver.rsconsultancy.nl stunnel for ESMTP Scalix SMTP Relay 11.4.6.13676; Sat, 21 Mar 2015 14:56:46
2015.03.21 14:56:46 LOG6[1]: SSL socket closed (SSL_read)
2015.03.21 14:56:46 LOG7[1]: Sent socket write shutdown
2015.03.21 14:56:46 LOG5[1]: Connection closed: 52 byte(s) sent to SSL, 6 byte(s) sent to socket
2015.03.21 14:56:46 LOG7[1]: Remote socket (FD=9) closed
2015.03.21 14:56:46 LOG7[1]: Local socket (FD=3) closed
2015.03.21 14:56:46 LOG7[1]: Service [ssmtp] finished (2 left)
Could anyone please tell me what I'm doing wrong?
Jeroen
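The stunnel debug log above interleaves three connections ([1], [2], [3]) line by line, which makes it hard to see what each session actually did. The following script is an added example, not code from the poster or from the stunnel project: it groups `debug = 7` log lines by connection id, pulls out the SMTP dialogue, the negotiated TLS parameters, the backend it connected to, and the byte counts from the final "Connection closed" line, and flags TLS sessions that closed having passed almost nothing to the plain-text backend. The sample log embedded in it is constructed in the same format as the post, with placeholder hostnames and a documentation-range client address; the 64-byte threshold in `find_suspicious` is an assumed heuristic, not an stunnel setting.

```python
import re
from collections import defaultdict

# Constructed sample in the format of stunnel's debug = 7 output.
# Hostnames and the client address are placeholders, not values from a real server.
SAMPLE_LOG = """\
2015.03.21 14:56:46 LOG7[main]: Service [ssmtp] accepted (FD=12) from 203.0.113.10:8478
2015.03.21 14:56:46 LOG7[2]: <- EHLO mail.example.net
2015.03.21 14:56:46 LOG7[2]: -> 250-mailserver.example.nl
2015.03.21 14:56:46 LOG7[2]: -> 250 STARTTLS
2015.03.21 14:56:46 LOG6[1]: No peer certificate received
2015.03.21 14:56:46 LOG6[1]: SSL accepted: new session negotiated
2015.03.21 14:56:46 LOG6[1]: Negotiated TLSv1 ciphersuite AES256-SHA (256-bit encryption)
2015.03.21 14:56:46 LOG6[3]: s_connect: connecting 192.168.1.102:26
2015.03.21 14:56:46 LOG5[3]: s_connect: connected 192.168.1.102:26
2015.03.21 14:56:46 LOG7[2]: <- STARTTLS
2015.03.21 14:56:46 LOG7[2]: -> 220 Go ahead
2015.03.21 14:56:46 LOG5[1]: Connection closed: 52 byte(s) sent to SSL, 6 byte(s) sent to socket
2015.03.21 14:56:46 LOG7[1]: Service [ssmtp] finished (2 left)
"""

# "<date> <time> LOG<level>[<conn>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<conn>[^\]]+)\]: (?P<msg>.*)$")
CIPHER_RE = re.compile(r"Negotiated (?P<proto>\S+) ciphersuite (?P<suite>\S+)")
CLOSED_RE = re.compile(
    r"Connection closed: (?P<to_ssl>\d+) byte\(s\) sent to SSL, "
    r"(?P<to_sock>\d+) byte\(s\) sent to socket"
)


def _new_conn():
    return {
        "smtp": [],            # SMTP commands/replies stunnel logged for this connection
        "tls": None,           # (protocol, ciphersuite) once negotiated
        "peer_cert": True,     # False if stunnel logged "No peer certificate received"
        "backend": None,       # host:port of the plain-text backend it connected to
        "bytes_to_ssl": None,  # bytes stunnel wrote towards the TLS client
        "bytes_to_socket": None,  # bytes stunnel wrote towards the backend
    }


def parse_stunnel_log(text):
    """Group stunnel log lines by connection id and extract the key events."""
    conns = defaultdict(_new_conn)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an stunnel log line; ignore
        c = conns[m.group("conn")]
        msg = m.group("msg")
        if msg.startswith("<- ") or msg.startswith("-> "):
            c["smtp"].append(msg)
        elif (cm := CIPHER_RE.search(msg)):
            c["tls"] = (cm.group("proto"), cm.group("suite"))
        elif msg == "No peer certificate received":
            c["peer_cert"] = False
        elif msg.startswith("s_connect: connected "):
            c["backend"] = msg.split()[-1]
        elif (xm := CLOSED_RE.search(msg)):
            c["bytes_to_ssl"] = int(xm.group("to_ssl"))
            c["bytes_to_socket"] = int(xm.group("to_sock"))
    return dict(conns)


def find_suspicious(conns, min_backend_bytes=64):
    """Return ids of TLS sessions that closed after relaying fewer than
    min_backend_bytes to the backend: a handshake that succeeded but a
    message that never reached the mail server. Threshold is an assumption."""
    return [
        cid for cid, c in conns.items()
        if c["tls"] is not None
        and c["bytes_to_socket"] is not None
        and c["bytes_to_socket"] < min_backend_bytes
    ]


if __name__ == "__main__":
    sessions = parse_stunnel_log(SAMPLE_LOG)
    for cid, c in sorted(sessions.items()):
        print(f"[{cid}] tls={c['tls']} peer_cert={c['peer_cert']} backend={c['backend']} "
              f"to_ssl={c['bytes_to_ssl']} to_socket={c['bytes_to_socket']}")
        for line in c["smtp"]:
            print(f"      {line}")
    print("sessions to look at:", find_suspicious(sessions))
```

Run it against the real `stunnel.log` by replacing `SAMPLE_LOG` with the file contents. The "Connection closed: N byte(s) sent to SSL, M byte(s) sent to socket" line is the one that tells you whether the client's data ever reached the backend; "No peer certificate received" is expected whenever `verify` is left commented out, since the server never asked the sender for one. To reproduce the client side of the handshake independently of the sending party, `openssl s_client -starttls smtp -connect <host>:25` performs the same EHLO/STARTTLS upgrade and prints the negotiated protocol and cipher.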