Hi,
I have set up stunnel as an SSL wrapper for Googlemail on a Red Hat Enterprise Linux 7.2 installation.
The stunnel.conf:
output = /var/log/stunnel.log
cert = /etc/pki/tls/certs/2019stunnel.pem
client = yes
sslVersion = TLSv1
;fips=no
[ssmtp]
accept = 1925
connect=smtp.googlemail.com:587
lets me start stunnel without problems.
I have created the file 2019stunnel.pem following the instructions from Red Hat:
make 2019stunnel.pem in the correct directory (certs)
Now I tried telnet localhost 1925; I get a "connected", but nothing more. telnet smtp.googlemail 587 works very well, I get connected, so I assume it is not a firewall issue.
I checked the options sslVersion = TLSv1 and, alternatively, sslVersion = all, which led to different errors in stunnel.log:
Service [ssmtp] accepted connection from 127.0.0.1:49723
2019.01.04 14:45:01 LOG3[4500:140416608397056]: connect_blocking: connect 2a00:1450:400c:c0c::10:587: Network is unreachable (101)
2019.01.04 14:45:01 LOG5[4500:140416608397056]: connect_blocking: connected 74.125.140.16:587
2019.01.04 14:45:01 LOG5[4500:140416608397056]: Service [ssmtp] connected remote server from 192.168.178.57:44246
2019.01.04 14:45:01 LOG3[4500:140416608397056]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2019.01.04 14:45:01 LOG5[4500:140416608397056]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2019.01.04 14:54:24 LOG5[4500:140416608249920]: Terminated
or
Service [ssmtp] accepted connection from 192.168.178.57:57612
2019.01.04 14:54:36 LOG5[7437:139957105055488]: connect_blocking: connected 173.194.76.16:587
2019.01.04 14:54:36 LOG5[7437:139957105055488]: Service [ssmtp] connected remote server from 192.168.178.57:52192
2019.01.04 14:54:36 LOG3[7437:139957105055488]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2019.01.04 14:54:36 LOG5[7437:139957105055488]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
Now the OpenSSL output:
openssl s_client -connect localhost:1925
CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1546610402
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
What am I missing here; what is going wrong?
Kind regards / best regards
Klaus Klöser
On Fri, Jan 04, 2019 at 03:14:27PM +0100, Klaus Kloeser wrote:
Hi,
I have set up stunnel as an SSL wrapper for Googlemail on a Red Hat Enterprise Linux 7.2 installation.
The stunnel.conf:
output = /var/log/stunnel.log
cert = /etc/pki/tls/certs/2019stunnel.pem
client = yes
sslVersion = TLSv1
;fips=no
[ssmtp]
accept = 1925
connect=smtp.googlemail.com:587
If you want stunnel to accept plaintext (unencrypted) connections and to establish an encrypted (SSL/TLS) connection to smtp.googlemail.com, you will either need to change the port from 587 (the "submission" service, a kind of simplified SMTP protocol) to 465 (SMTP over TLS), or, if you really insist on connecting to the submission service and then starting a TLS session, you will need to tell stunnel to start by speaking SMTP and issuing a STARTTLS command by also specifying "protocol = smtp". Either option (changing the connect line to specify port 465 or adding a "protocol = smtp" line) should work; I just tested them on my Debian setup.
Hope that helps!
G'luck, Peter
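The following is an added example, not part of either message and not stunnel's own code, illustrating Peter's point. A port-587 submission server speaks first, in plaintext, with a "220 ..." banner; a client that immediately starts a TLS handshake there reads those ASCII bytes as a TLS record header, which is exactly what OpenSSL reports as "unknown protocol" / "wrong version number" in Klaus's log. The script runs entirely offline against a constructed in-process mock of a submission server (the host name smtp.example.test and all replies are made up): it probes what the server volunteers on connect, shows how "220 s" decodes as a TLS record header, and then performs the plaintext EHLO/STARTTLS dialogue that stunnel's "protocol = smtp" setting carries out before handing the socket to TLS.

```python
"""Added example: why a TLS ClientHello fails against port 587 and what the
STARTTLS preamble (stunnel's "protocol = smtp") does instead. Offline: it talks
to a constructed mock submission server running in a thread."""
import socket
import threading

# Constructed mock replies shaped like an SMTP submission dialogue; not captured
# from any real server.
MOCK_BANNER = b"220 smtp.example.test ESMTP ready\r\n"
MOCK_EHLO = (b"250-smtp.example.test at your service\r\n"
             b"250-SIZE 35882577\r\n"
             b"250 STARTTLS\r\n")
MOCK_STARTTLS_OK = b"220 2.0.0 Ready to start TLS\r\n"


def as_tls_record_header(data: bytes):
    """Parse the first 5 bytes as a TLS record header: (type, version, length).
    Fed the plaintext banner this yields type 0x32 and version 0x3230, neither
    of which is valid TLS, hence OpenSSL's "unknown protocol"/"wrong version number"."""
    if len(data) < 5:
        return None
    return data[0], (data[1] << 8) | data[2], (data[3] << 8) | data[4]


def classify_first_bytes(data: bytes) -> str:
    """Decide what a server spoke first after connect. An implicit-TLS server
    (port 465) stays silent until it sees a ClientHello; a plaintext SMTP
    server (port 587) greets with "220 "."""
    if data == b"":
        return "silent"          # consistent with implicit TLS: wrap the socket directly
    if data.startswith((b"220 ", b"220-")):
        return "plaintext-smtp"  # STARTTLS needed first: stunnel's "protocol = smtp"
    if data[0] == 0x16 and data[1:2] == b"\x03":
        return "tls-record"      # unexpected: TLS servers do not send first
    return "unknown"


def probe_first_bytes(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect, send nothing, and return whatever the server volunteers (b"" if silent)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""
        try:
            while not buf.endswith(b"\n") and len(buf) < 64:
                chunk = sock.recv(64 - len(buf))
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
        return buf


def _read_reply(f):
    """Read one possibly multi-line SMTP reply ("250-" continues, "250 " ends)."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip(b"\r\n"))
        if len(line) < 4 or line[3:4] != b"-":
            return lines


def smtp_starttls_preamble(sock, ehlo_name: bytes = b"localhost") -> bool:
    """The plaintext steps before the TLS handshake: banner, EHLO, check that
    STARTTLS is advertised, send STARTTLS, expect 220. The caller would then
    wrap `sock` with ssl.SSLContext.wrap_socket() and continue SMTP inside TLS."""
    f = sock.makefile("rb")
    banner = _read_reply(f)
    if not banner[0].startswith(b"220"):
        raise RuntimeError(f"unexpected banner: {banner[0]!r}")
    sock.sendall(b"EHLO " + ehlo_name + b"\r\n")
    ehlo = _read_reply(f)
    if not ehlo[0].startswith(b"250"):
        raise RuntimeError(f"EHLO rejected: {ehlo[0]!r}")
    if not any(line[4:].strip().upper() == b"STARTTLS" for line in ehlo):
        raise RuntimeError("server does not advertise STARTTLS")
    sock.sendall(b"STARTTLS\r\n")
    reply = _read_reply(f)
    if not reply[0].startswith(b"220"):
        raise RuntimeError(f"STARTTLS refused: {reply[0]!r}")
    return True


def _mock_submission_server(listener):
    """Constructed stand-in for a port-587 service: banner first, then answers
    EHLO and STARTTLS. Serves exactly one connection, then exits."""
    conn, _ = listener.accept()
    listener.close()
    with conn, conn.makefile("rb") as f:
        conn.sendall(MOCK_BANNER)
        for _ in range(2):
            cmd = f.readline().strip().upper()
            if cmd.startswith(b"EHLO"):
                conn.sendall(MOCK_EHLO)
            elif cmd == b"STARTTLS":
                conn.sendall(MOCK_STARTTLS_OK)
            else:
                return           # silent probe that hung up, or unknown command


def start_mock_server():
    """Start the mock on a free loopback port; returns (port, thread)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=_mock_submission_server, args=(listener,), daemon=True)
    t.start()
    return listener.getsockname()[1], t


def demo():
    """Probe the mock as a bare TLS client would find it, then run the STARTTLS
    preamble. Returns (classification, misparsed TLS header, starttls_ready)."""
    port, t = start_mock_server()
    first = probe_first_bytes("127.0.0.1", port)
    t.join(5)
    port, t = start_mock_server()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        ready = smtp_starttls_preamble(sock)
    t.join(5)
    return classify_first_bytes(first), as_tls_record_header(first), ready


if __name__ == "__main__":
    print(demo())
```

In stunnel terms the fix is the one Peter gives: either point connect at port 465, where the server is silent until the TLS handshake and no preamble is needed, or keep port 587 and add "protocol = smtp" so stunnel performs the EHLO/STARTTLS exchange shown in smtp_starttls_preamble() before it starts TLS.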