stunnel not working properly on Redhat linux (fresh install)

Hi,

I have set up Stunnel as SSL Wrapper for googlemail on a Redhat Enterprise Linux 7.2 installation.

The stunnel.conf:

    output = /var/log/stunnel.log
    cert = /etc/pki/tls/certs/2019stunnel.pem
    client = yes
    sslVersion = TLSv1
    ;fips=no

    [ssmtp]
    accept = 1925
    connect=smtp.googlemail.com:587

lets me start stunnel well.

I have created the file 2019stunnel.pem following the instructions on Redhat:

    make 2019stunnel.pem

in the correct directory (certs).

Now I tried to telnet localhost 1925; I get a “connected”, but nothing more.
telnet smtp.googlemail 587 runs very well, I get connected, so I assume it is not a firewall issue.

I checked the options sslVersion = TLSv1 and sslVersion = all alternatively, which led to different errors in stunnel.log:

    Service [ssmtp] accepted connection from 127.0.0.1:49723
    2019.01.04 14:45:01 LOG3[4500:140416608397056]: connect_blocking: connect 2a00:1450:400c:c0c::10:587: Network is unreachable (101)
    2019.01.04 14:45:01 LOG5[4500:140416608397056]: connect_blocking: connected 74.125.140.16:587
    2019.01.04 14:45:01 LOG5[4500:140416608397056]: Service [ssmtp] connected remote server from 192.168.178.57:44246
    2019.01.04 14:45:01 LOG3[4500:140416608397056]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    2019.01.04 14:45:01 LOG5[4500:140416608397056]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
    2019.01.04 14:54:24 LOG5[4500:140416608249920]: Terminated

or

    Service [ssmtp] accepted connection from 192.168.178.57:57612
    2019.01.04 14:54:36 LOG5[7437:139957105055488]: connect_blocking: connected 173.194.76.16:587
    2019.01.04 14:54:36 LOG5[7437:139957105055488]: Service [ssmtp] connected remote server from 192.168.178.57:52192
    2019.01.04 14:54:36 LOG3[7437:139957105055488]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
    2019.01.04 14:54:36 LOG5[7437:139957105055488]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

Now Open SSL:

Openssl output:

    openssl s_client -connect localhost:1925
    CONNECTED(00000003)
    write:errno=104
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 0 bytes and written 289 bytes
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1546610402
    Timeout : 300 (sec)
    Verify return code: 0 (ok)

What do I miss here; what is running wrong?

Mit freundlichen Grüßen/ best regards
Klaus Klöser

On Fri, Jan 04, 2019 at 03:14:27PM +0100, Klaus Kloeser wrote:
> Hi,
> I have set up Stunnel as SSL Wrapper for googlemail on a Redhat Enterprise Linux 7.2 installation.
> The stunnel.conf:
> output = /var/log/stunnel.log
> cert = /etc/pki/tls/certs/2019stunnel.pem
> client = yes
> sslVersion = TLSv1
> ;fips=no
> [ssmtp]
> accept = 1925
> connect=smtp.googlemail.com:587

If you want stunnel to accept plaintext (unencrypted) connections and to establish an encrypted (SSL/TLS) connection to smtp.googlemail.com, you will either need to change the port from 587 (the "submission" service, a kind of simplified SMTP protocol) to 465 (SMTP over TLS), or, if you really insist on connecting to the submission service and then starting a TLS session, you will need to tell stunnel to start by speaking SMTP and issuing a STARTTLS command by also specifying "protocol = smtp".

Either option (changing the connect line to specify port 465 or adding a "protocol = smtp" line) should work; I just tested them on my Debian setup.

Hope that helps!

G'luck,
Peter

--
Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} pp@storpool.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
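
Added example, not part of the original thread and not stunnel code: a Python illustration of why a direct TLS handshake to a STARTTLS port fails as in the logs above. It uses constructed local stub servers (the banner text and the names `start_stub`, `probe` and `as_tls_record_header` are assumptions made for this example) to show that a submission-style server speaks plaintext first, and what a TLS client sees when it reads that greeting as a record header.

```python
import socket
import threading

BANNER = b"220 mx.example.test ESMTP ready\r\n"  # constructed greeting

def start_stub(greeting):
    """Constructed local server: sends `greeting` (may be empty), then waits."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if greeting:
                conn.sendall(greeting)
            conn.recv(1)  # returns b"" once the client closes
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def as_tls_record_header(data):
    """Read 5 bytes the way a TLS client reads a record header."""
    return {"type": data[0], "version": (data[1], data[2]),
            "length": int.from_bytes(data[3:5], "big")}

def probe(port, host="127.0.0.1", timeout=1.0):
    """Connect, send nothing, and classify what the server says first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            first = s.recv(64)
        except socket.timeout:
            return "silent", None  # waits for a ClientHello (implicit-TLS style)
    if first.startswith(b"220"):
        # Plaintext greeting: TLS has to be requested with STARTTLS first.
        return "plaintext-smtp", as_tls_record_header(first)
    return "other", None

if __name__ == "__main__":
    # A TLS record needs content type 20..24 and major version 3;
    # the ASCII bytes "220 " provide neither.
    print(probe(start_stub(BANNER)))
    print(probe(start_stub(b""), timeout=0.5))
```

A "plaintext-smtp" result corresponds to the case where stunnel needs "protocol = smtp"; a "silent" result is how a port that expects TLS from the first byte behaves.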