Hello,
I have had a strange problem with my stunnel for a few days:
I installed stunnel because my AV scanner (Avira) is not able to scan the e-mail traffic of encrypted connections to my mail provider. So I configured both mail clients (Thunderbird & Outlook) and the AV scanner to listen on localhost, and stunnel to connect to my mail provider. This was working fine for a few days, but stopped some days ago and I'm not sure why. Maybe I ran into trouble when I installed stunnel as a daemon (that will be another subject). The encrypted connection to my mail provider is working and e-mails are received and sent, but the AV scanner doesn't "see" them anymore. I examined the log, and what makes me wonder is that when fetching the e-mails, the configured ports (110/143/25) seem to be ignored:
"Service [df-pop3s] accepted connection from 127.0.0.1:1878" or "Service [df-pop3s] accepted (FD=472) from 127.0.0.1:1882"
The mails on my host are always bypassed via another port (the longer I run stunnel, the more they change/increase) - see the log file.
I have installed latest stunnel version (5.31) on Windows 7 (x86).
Any ideas?
Kind regards, Ivan
Main-config:
[df-pop3s]
client = yes
accept = 127.0.0.1:110
connect = sslin.df.eu:995
verify = 3
CAfile = peer-df-pop3s.pem
checkHost = sslin.df.eu
OCSPaia = yes

[df-imaps]
client = yes
accept = 127.0.0.1:143
connect = sslin.df.eu:993
verify = 3
CAfile = peer-df-imaps.pem
checkHost = sslin.df.eu
OCSPaia = yes

[df-smtps]
client = yes
accept = 127.0.0.1:25
connect = sslout.df.eu:465
verify = 3
CAfile = peer-df-smtps.pem
checkHost = sslout.df.eu
OCSPaia = yes
Log:
2016.03.30 09:22:21 LOG7[main]: No limit detected for the number of clients
2016.03.30 09:22:21 LOG7[cron]: Cron thread initialized
2016.03.30 09:22:21 LOG5[main]: stunnel 5.31 on x86-pc-msvc-1500 platform
2016.03.30 09:22:21 LOG5[main]: Compiled/running with OpenSSL 1.0.2g-fips 1 Mar 2016
2016.03.30 09:22:21 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2016.03.30 09:22:21 LOG7[main]: errno: (*_errno())
2016.03.30 09:22:21 LOG7[ui]: GUI message loop initialized
2016.03.30 09:22:21 LOG5[main]: Reading configuration from file stunnel.conf
2016.03.30 09:22:21 LOG5[main]: UTF-8 byte order mark detected
2016.03.30 09:22:21 LOG5[main]: FIPS mode enabled
2016.03.30 09:22:21 LOG7[main]: Compression disabled
2016.03.30 09:22:21 LOG7[main]: Snagged 64 random bytes from C:/.rnd
2016.03.30 09:22:21 LOG7[main]: Wrote 0 new random bytes to C:/.rnd
2016.03.30 09:22:21 LOG7[main]: PRNG seeded successfully
2016.03.30 09:22:21 LOG6[main]: Initializing service [df-pop3s]
2016.03.30 09:22:23 LOG7[main]: No certificate or private key specified
2016.03.30 09:22:23 LOG7[main]: SSL options: 0x03000004 (+0x03000000l, -0x00000000)
2016.03.30 09:22:23 LOG6[main]: Initializing service [df-imaps]
2016.03.30 09:22:23 LOG7[main]: No certificate or private key specified
2016.03.30 09:22:23 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2016.03.30 09:22:23 LOG6[main]: Initializing service [df-smtps]
2016.03.30 09:22:23 LOG7[main]: No certificate or private key specified
2016.03.30 09:22:23 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2016.03.30 09:22:23 LOG5[main]: Configuration successful
2016.03.30 09:22:23 LOG7[main]: Listening file descriptor created (FD=428)
2016.03.30 09:22:23 LOG7[main]: Service [df-pop3s] (FD=428) bound to 127.0.0.1:110
2016.03.30 09:22:23 LOG7[main]: Listening file descriptor created (FD=432)
2016.03.30 09:22:23 LOG7[main]: Service [df-imaps] (FD=432) bound to 127.0.0.1:143
2016.03.30 09:22:23 LOG7[main]: Listening file descriptor created (FD=436)
2016.03.30 09:22:23 LOG7[main]: Service [df-smtps] (FD=436) bound to 127.0.0.1:25
2016.03.30 09:22:42 LOG7[main]: Found 1 ready file descriptor(s)
2016.03.30 09:22:42 LOG7[main]: FD=352 ifds=r-x ofds=---
2016.03.30 09:22:42 LOG7[main]: FD=428 ifds=r-x ofds=r--
2016.03.30 09:22:42 LOG7[main]: FD=432 ifds=r-x ofds=---
2016.03.30 09:22:42 LOG7[main]: Service [df-pop3s] accepted (FD=460) from 127.0.0.1:1878
2016.03.30 09:22:42 LOG7[main]: Creating a new thread
2016.03.30 09:22:42 LOG7[main]: New thread created
2016.03.30 09:22:42 LOG7[0]: Service [df-pop3s] started
2016.03.30 09:22:42 LOG5[0]: Service [df-pop3s] accepted connection from 127.0.0.1:1878
2016.03.30 09:22:42 LOG6[0]: s_connect: connecting 134.119.18.26:995
2016.03.30 09:22:42 LOG7[0]: s_connect: s_poll_wait 134.119.18.26:995: waiting 10 seconds
2016.03.30 09:22:42 LOG5[0]: s_connect: connected 134.119.18.26:995
2016.03.30 09:22:42 LOG5[0]: Service [df-pop3s] connected remote server from 192.168.1.2:1879
2016.03.30 09:22:42 LOG7[0]: Remote descriptor (FD=484) initialized
2016.03.30 09:22:42 LOG6[0]: SNI: sending servername: sslin.df.eu
2016.03.30 09:22:42 LOG7[0]: SSL state (connect): before/connect initialization
2016.03.30 09:22:42 LOG7[0]: SSL state (connect): SSLv2/v3 write client hello A
2016.03.30 09:22:42 LOG7[0]: SSL state (connect): SSLv3 read server hello A
2016.03.30 09:22:42 LOG7[0]: Verification started at depth=2: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
2016.03.30 09:22:42 LOG7[0]: CERT: Pre-verification succeeded
2016.03.30 09:22:42 LOG7[0]: OCSP: Ignoring root certificate
2016.03.30 09:22:42 LOG6[0]: Certificate accepted at depth=2: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
2016.03.30 09:22:42 LOG7[0]: Verification started at depth=1: C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2
2016.03.30 09:22:42 LOG7[0]: CERT: Pre-verification succeeded
2016.03.30 09:22:42 LOG5[0]: OCSP: Connecting the AIA responder "http://ocsp.globalsign.com/rootr1"
2016.03.30 09:22:46 LOG6[0]: s_connect: connecting 104.16.25.216:80
2016.03.30 09:22:46 LOG7[0]: s_connect: s_poll_wait 104.16.25.216:80: waiting 10 seconds
2016.03.30 09:22:46 LOG5[0]: s_connect: connected 104.16.25.216:80
2016.03.30 09:22:46 LOG7[0]: OCSP: Connected ocsp.globalsign.com:80
2016.03.30 09:22:46 LOG7[0]: OCSP: Response received
2016.03.30 09:22:46 LOG6[0]: OCSP: Status: good
2016.03.30 09:22:46 LOG6[0]: OCSP: This update: Mar 30 05:42:27 2016 GMT
2016.03.30 09:22:46 LOG6[0]: OCSP: Next update: Apr 3 05:42:27 2016 GMT
2016.03.30 09:22:46 LOG5[0]: OCSP: Certificate accepted
2016.03.30 09:22:46 LOG6[0]: Certificate accepted at depth=1: C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2
2016.03.30 09:22:46 LOG7[0]: Verification started at depth=0: C=DE, OU=Domain Control Validated, CN=sslin.df.eu
2016.03.30 09:22:46 LOG7[0]: CERT: Pre-verification succeeded
2016.03.30 09:22:46 LOG6[0]: CERT: Host name "sslin.df.eu" matched with "sslin.df.eu"
2016.03.30 09:22:46 LOG6[0]: CERT: Locally installed certificate matched
2016.03.30 09:22:46 LOG5[0]: OCSP: Connecting the AIA responder "http://ocsp2.globalsign.com/gsalphasha2g2"
2016.03.30 09:22:46 LOG6[0]: s_connect: connecting 104.16.25.216:80
2016.03.30 09:22:46 LOG7[0]: s_connect: s_poll_wait 104.16.25.216:80: waiting 10 seconds
2016.03.30 09:22:46 LOG5[0]: s_connect: connected 104.16.25.216:80
2016.03.30 09:22:46 LOG7[0]: OCSP: Connected ocsp2.globalsign.com:80
2016.03.30 09:22:46 LOG7[0]: OCSP: Response received
2016.03.30 09:22:46 LOG6[0]: OCSP: Status: good
2016.03.30 09:22:46 LOG6[0]: OCSP: This update: Mar 27 21:09:59 2016 GMT
2016.03.30 09:22:46 LOG6[0]: OCSP: Next update: Mar 31 21:09:59 2016 GMT
2016.03.30 09:22:46 LOG5[0]: OCSP: Certificate accepted
2016.03.30 09:22:46 LOG5[0]: Certificate accepted at depth=0: C=DE, OU=Domain Control Validated, CN=sslin.df.eu
2016.03.30 09:22:46 LOG7[0]: SSL state (connect): SSLv3 read server certificate A
2016.03.30 09:22:46 LOG7[0]: SSL state (connect): SSLv3 read server key exchange A
2016.03.30 09:22:46 LOG6[0]: Client certificate not requested
2016.03.30 09:22:46 LOG7[0]: SSL state (connect): SSLv3 read server done A
2016.03.30 09:22:46 LOG7[0]: SSL state (connect): SSLv3 write client key exchange A
2016.03.30 09:22:46 LOG7[0]: SSL state (connect): SSLv3 write change cipher spec A
2016.03.30 09:22:46 LOG7[0]: SSL state (connect): SSLv3 write finished A
2016.03.30 09:22:46 LOG7[0]: SSL state (connect): SSLv3 flush data
2016.03.30 09:22:46 LOG7[0]: SSL state (connect): SSLv3 read server session ticket A
2016.03.30 09:22:46 LOG7[0]: SSL state (connect): SSLv3 read finished A
2016.03.30 09:22:46 LOG7[0]: 1 client connect(s) requested
2016.03.30 09:22:46 LOG7[0]: 1 client connect(s) succeeded
2016.03.30 09:22:46 LOG7[0]: 0 client renegotiation(s) requested
2016.03.30 09:22:46 LOG7[0]: 0 session reuse(s)
2016.03.30 09:22:46 LOG6[0]: SSL connected: new session negotiated
2016.03.30 09:22:46 LOG7[0]: Peer certificate was cached (4539 bytes)
2016.03.30 09:22:46 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2016.03.30 09:22:46 LOG7[0]: Compression: null, expansion: null
2016.03.30 09:23:01 LOG7[0]: SSL alert (read): warning: close notify
2016.03.30 09:23:01 LOG6[0]: SSL closed (SSL_read)
2016.03.30 09:23:01 LOG7[0]: Sent socket write shutdown
2016.03.30 09:23:01 LOG6[0]: Read socket closed (readsocket)
2016.03.30 09:23:01 LOG7[0]: Sending close_notify alert
2016.03.30 09:23:01 LOG7[0]: SSL alert (write): warning: close notify
2016.03.30 09:23:01 LOG6[0]: SSL_shutdown successfully sent close_notify alert
2016.03.30 09:23:01 LOG5[0]: Connection closed: 304 byte(s) sent to SSL, 545297 byte(s) sent to socket
2016.03.30 09:23:01 LOG7[0]: Remote descriptor (FD=484) closed
2016.03.30 09:23:01 LOG7[0]: Local descriptor (FD=460) closed
2016.03.30 09:23:01 LOG7[0]: Service [df-pop3s] finished (0 left)
2016.03.30 09:23:02 LOG7[main]: Found 1 ready file descriptor(s)
2016.03.30 09:23:02 LOG7[main]: FD=352 ifds=r-x ofds=---
2016.03.30 09:23:02 LOG7[main]: FD=428 ifds=r-x ofds=r--
2016.03.30 09:23:02 LOG7[main]: FD=432 ifds=r-x ofds=---
2016.03.30 09:23:02 LOG7[main]: Service [df-pop3s] accepted (FD=472) from 127.0.0.1:1882
2016.03.30 09:23:02 LOG7[main]: Creating a new thread
2016.03.30 09:23:02 LOG7[main]: New thread created
2016.03.30 09:23:02 LOG7[1]: Service [df-pop3s] started
2016.03.30 09:23:02 LOG5[1]: Service [df-pop3s] accepted connection from 127.0.0.1:1882
2016.03.30 09:23:02 LOG6[1]: s_connect: connecting 134.119.18.26:995
2016.03.30 09:23:02 LOG7[1]: s_connect: s_poll_wait 134.119.18.26:995: waiting 10 seconds
2016.03.30 09:23:02 LOG5[1]: s_connect: connected 134.119.18.26:995
2016.03.30 09:23:02 LOG5[1]: Service [df-pop3s] connected remote server from 192.168.1.2:1883
2016.03.30 09:23:02 LOG7[1]: Remote descriptor (FD=468) initialized
2016.03.30 09:23:02 LOG6[1]: SNI: sending servername: sslin.df.eu
2016.03.30 09:23:02 LOG7[1]: SSL state (connect): before/connect initialization
2016.03.30 09:23:02 LOG7[1]: SSL state (connect): SSLv3 write client hello A
2016.03.30 09:23:02 LOG7[1]: SSL state (connect): SSLv3 read server hello A
2016.03.30 09:23:02 LOG7[1]: SSL state (connect): SSLv3 read finished A
2016.03.30 09:23:02 LOG7[1]: SSL state (connect): SSLv3 write change cipher spec A
2016.03.30 09:23:02 LOG7[1]: SSL state (connect): SSLv3 write finished A
2016.03.30 09:23:02 LOG7[1]: SSL state (connect): SSLv3 flush data
2016.03.30 09:23:02 LOG7[1]: 2 client connect(s) requested
2016.03.30 09:23:02 LOG7[1]: 2 client connect(s) succeeded
2016.03.30 09:23:02 LOG7[1]: 0 client renegotiation(s) requested
2016.03.30 09:23:02 LOG7[1]: 1 session reuse(s)
2016.03.30 09:23:02 LOG6[1]: SSL connected: previous session reused
2016.03.30 09:23:08 LOG7[1]: SSL alert (read): warning: close notify
2016.03.30 09:23:08 LOG6[1]: SSL closed (SSL_read)
2016.03.30 09:23:08 LOG7[1]: Sent socket write shutdown
2016.03.30 09:23:08 LOG6[1]: Read socket closed (readsocket)
2016.03.30 09:23:08 LOG7[1]: Sending close_notify alert
2016.03.30 09:23:08 LOG7[1]: SSL alert (write): warning: close notify
2016.03.30 09:23:08 LOG6[1]: SSL_shutdown successfully sent close_notify alert
2016.03.30 09:23:08 LOG5[1]: Connection closed: 149 byte(s) sent to SSL, 336471 byte(s) sent to socket
2016.03.30 09:23:08 LOG7[1]: Remote descriptor (FD=468) closed
2016.03.30 09:23:08 LOG7[1]: Local descriptor (FD=472) closed
2016.03.30 09:23:08 LOG7[1]: Service [df-pop3s] finished (0 left)
2016.03.30 09:23:21 LOG6[cron]: Executing cron jobs
2016.03.30 09:23:21 LOG6[cron]: Cron jobs completed in 0 seconds
2016.03.30 09:23:21 LOG7[cron]: Waiting 86400 seconds
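The log above already answers the question, but only if you read it as stunnel's two legs: the "accepted connection from 127.0.0.1:1878" line is the mail client's side of the local leg, and the "bound to 127.0.0.1:110" line earlier is stunnel's side. The following is an added example (editor's code, not part of the original post or of the stunnel project) that parses a stunnel debug log into one record per client connection and audits each record: did the remote connect happen, was a TLS session established, was the host name checked on a full handshake, and did every OCSP lookup return "good". The sample lines are excerpted from the log posted above; the only assumption is that the log format is the stunnel 5.x one shown there.

```python
import re

# Excerpted from the stunnel 5.31 debug log posted above: only the lines the
# parser keys on, with the values exactly as they appear in that log.
SAMPLE_LOG = """\
2016.03.30 09:22:23 LOG7[main]: Service [df-pop3s] (FD=428) bound to 127.0.0.1:110
2016.03.30 09:22:23 LOG7[main]: Service [df-imaps] (FD=432) bound to 127.0.0.1:143
2016.03.30 09:22:42 LOG5[0]: Service [df-pop3s] accepted connection from 127.0.0.1:1878
2016.03.30 09:22:42 LOG5[0]: s_connect: connected 134.119.18.26:995
2016.03.30 09:22:42 LOG5[0]: Service [df-pop3s] connected remote server from 192.168.1.2:1879
2016.03.30 09:22:46 LOG6[0]: OCSP: Status: good
2016.03.30 09:22:46 LOG6[0]: CERT: Host name "sslin.df.eu" matched with "sslin.df.eu"
2016.03.30 09:22:46 LOG6[0]: OCSP: Status: good
2016.03.30 09:22:46 LOG6[0]: SSL connected: new session negotiated
2016.03.30 09:22:46 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2016.03.30 09:23:01 LOG5[0]: Connection closed: 304 byte(s) sent to SSL, 545297 byte(s) sent to socket
2016.03.30 09:23:02 LOG5[1]: Service [df-pop3s] accepted connection from 127.0.0.1:1882
2016.03.30 09:23:02 LOG5[1]: s_connect: connected 134.119.18.26:995
2016.03.30 09:23:02 LOG5[1]: Service [df-pop3s] connected remote server from 192.168.1.2:1883
2016.03.30 09:23:02 LOG6[1]: SSL connected: previous session reused
2016.03.30 09:23:08 LOG5[1]: Connection closed: 149 byte(s) sent to SSL, 336471 byte(s) sent to socket
"""

ENTRY = re.compile(r"^\S+ \S+ LOG\d\[(\w+)\]: (.*)$")
BOUND = re.compile(r"Service \[([^\]]+)\] \(FD=\d+\) bound to (\S+)$")
ACCEPTED = re.compile(r"Service \[([^\]]+)\] accepted connection from (\S+)$")
REMOTE = re.compile(r"s_connect: connected (\S+)$")
REMOTE_FROM = re.compile(r"connected remote server from (\S+)$")
HOST_OK = re.compile(r'CERT: Host name "([^"]+)" matched with')
OCSP = re.compile(r"OCSP: Status: (\w+)")
TLS = re.compile(r"Negotiated (\S+) ciphersuite (\S+)")
CLOSED = re.compile(r"Connection closed: (\d+) byte\(s\) sent to SSL, (\d+) byte\(s\) sent to socket")


def parse_stunnel_log(text):
    """Return (listeners, connections).

    listeners: service name -> the address stunnel bound (its 'accept' side).
    connections: one dict per accepted client connection, in log order.  stunnel
    reuses thread ids ([0], [1], ...) once a thread finishes, so a new record is
    opened on every 'accepted connection' line rather than one per id.
    """
    listeners, connections, current = {}, [], {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        tid, msg = m.groups()
        if (b := BOUND.search(msg)):
            listeners[b.group(1)] = b.group(2)
        elif (a := ACCEPTED.search(msg)):
            current[tid] = rec = {
                "service": a.group(1), "local_peer": a.group(2), "remote": None,
                "remote_from": None, "tls_version": None, "cipher": None,
                "session": None, "host_matched": None, "ocsp": [],
                "to_ssl": None, "to_socket": None}
            connections.append(rec)
        elif (rec := current.get(tid)) is not None:
            if (r := REMOTE.search(msg)):
                rec["remote"] = r.group(1)
            elif (f := REMOTE_FROM.search(msg)):
                rec["remote_from"] = f.group(1)
            elif (h := HOST_OK.search(msg)):
                rec["host_matched"] = h.group(1)
            elif (o := OCSP.search(msg)):
                rec["ocsp"].append(o.group(1))
            elif (t := TLS.search(msg)):
                rec["tls_version"], rec["cipher"] = t.groups()
            elif msg == "SSL connected: new session negotiated":
                rec["session"] = "new"
            elif msg == "SSL connected: previous session reused":
                rec["session"] = "reused"
            elif (c := CLOSED.search(msg)):
                rec["to_ssl"], rec["to_socket"] = int(c.group(1)), int(c.group(2))
                del current[tid]
    return listeners, connections


def audit(listeners, connections):
    """One finding per problem; an empty list means every connection looks right.

    The local peer port (1878, 1882, ...) is the mail client's ephemeral source
    port and is expected to differ from the accept port (110); not a finding.
    """
    findings = []
    for i, c in enumerate(connections):
        tag = f"conn {i} [{c['service']}] from {c['local_peer']}"
        if c["service"] not in listeners:
            findings.append(f"{tag}: no listener bound for this service")
        if c["remote"] is None:
            findings.append(f"{tag}: never connected to the remote server")
        # A resumed session negotiates no new ciphersuite and so logs no
        # 'Negotiated ...' line; grepping for that line alone would miss it.
        if c["session"] is None:
            findings.append(f"{tag}: no TLS session established")
        elif c["session"] == "new" and c["host_matched"] is None:
            findings.append(f"{tag}: full handshake without a logged host name match")
        if any(status != "good" for status in c["ocsp"]):
            findings.append(f"{tag}: OCSP status {c['ocsp']}")
        if c["to_ssl"] is None:
            findings.append(f"{tag}: no clean close logged")
    return findings


if __name__ == "__main__":
    listeners, conns = parse_stunnel_log(SAMPLE_LOG)
    for c in conns:
        print(f"{c['local_peer']} -> {listeners[c['service']]} (stunnel) -> "
              f"{c['remote']} via {c['remote_from']}, session={c['session']}")
    print(audit(listeners, conns) or "no findings")
```

Two details worth noticing when you run this over a real log: the second connection in the posted log reuses the first TLS session, so it never logs a "Negotiated TLSv1.2 ..." line and a naive grep for that line would report it as unencrypted; and the two "OCSP: Status: good" lines per full handshake are the intermediate CA and the leaf, since stunnel skips OCSP for the root ("OCSP: Ignoring root certificate").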
On Wed, 2016-03-30 09:58:59 +0200, Ivan De Masi wrote:
[..]
I examined the log and what makes me wonder is, that the when fetching the e-mails, the configured ports (110/143/25) seem to be ignored:
"Service [df-pop3s] accepted connection from 127.0.0.1:1878" or "Service [df-pop3s] accepted (FD=472) from 127.0.0.1:1882"
Ivan,
This is as expected.
Your mail client opens a socket which gets (presumably implicitly) bound to an arbitrary TCP port (1878 and 1882 in the examples above). It then connects to port 110, the one stunnel bound the listening socket to.
Each IP connection has two ends and thus two pairs of IP address and port number. In your case, both client and server use 127.0.0.1 as IP address, which may be the source of the confusion.
HTH,
Ludolf
-----Original Message----- From: Ludolf Holzheid [mailto:lholzheid@bihl-wiedemann.de] Sent: Wednesday, 30 March 2016 10:50 To: stunnel-users@stunnel.org Cc: Ivan De Masi Subject: Re: [stunnel-users] Incoming port ignored
[..]
Hello Ludolf,
so, what would you recommend me?
I tried also another way, setting stunnel-config like this (without 127.0.0.1):
... accept = 110 ... accept = 143 ... accept = 25
for each service. The problem remains:
...
2016.03.30 11:51:47 LOG7[main]: Service [df-pop3s] accepted (FD=468) from 127.0.0.1:4937
2016.03.30 11:51:47 LOG7[main]: Creating a new thread
2016.03.30 11:51:47 LOG7[main]: New thread created
2016.03.30 11:51:47 LOG7[0]: Service [df-pop3s] started
2016.03.30 11:51:47 LOG5[0]: Service [df-pop3s] accepted connection from 127.0.0.1:4937
...
I *have* to configure my mail-client to use/listen on 127.0.0.1 to get in touch with stunnel. Or is there another way?
I configured my system that way because someone posted a "workaround" for how to solve the mess with Avira's "blindness" when trying to scan e-mails within an SSL connection to the mail provider. And it was working perfectly that way!!! So I don't understand why it is not working anymore now and conflicts on localhost.
Kind regards, Ivan
On Wed, 2016-03-30 12:00:16 +0200, Ivan De Masi wrote:
[..]
so, what would you recommend me?
Hi Ivan,
Check your virus scanner.
[..]
I *have* to configure my mail-client to use/listen on 127.0.0.1 to get in touch with stunnel. Or is there another way?
It's perfectly o.k. to have stunnel listening on 127.0.0.1:110 and the mail client connecting from 127.0.0.1 using an arbitrary port.
Again, each IP connection has two ends, each of which is characterized by IP address and port number. In your example, this is
(mail client) 127.0.0.1:1878 ---> 127.0.0.1:110 (stunnel)
This is how IP is designed to work.
So I don't understand, why it is not working anymore now and it conflicts now on localhost.
It does not conflict. Stunnel works as expected, but your virus scanner doesn't work. Maybe it stopped intercepting traffic on localhost (but that's a wild guess).
HTH,
Ludolf
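The diagram in Ludolf's reply can be reproduced on any host with a few lines of Python. The following is an added example (editor's code, not from the original thread or from the stunnel project) that binds a listener on 127.0.0.1 the way stunnel's "accept = 127.0.0.1:110" does, except that it lets the OS pick the port so no privilege is needed, then connects to it twice and records what each side sees. The point it demonstrates is Ludolf's: the client end of every connection gets an arbitrary ephemeral port (1878, 1882, ... in the posted log), the accepted socket's own address is the listener's, and both ends share 127.0.0.1 as IP address.

```python
import socket
import threading


def observe_loopback_connections(n_clients=2):
    """Bind a listener on 127.0.0.1 (OS-chosen port instead of 110, so no
    privilege is needed), connect to it n_clients times from the same host, and
    return the address pairs each side observed for every connection."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listen_addr = listener.getsockname()   # stunnel's 'accept' side, e.g. ('127.0.0.1', 54321)

    server_view = []

    def serve():
        for _ in range(n_clients):
            conn, peer = listener.accept()  # peer = the client's ephemeral end
            server_view.append({"local": conn.getsockname(), "peer": peer})
            conn.close()

    thread = threading.Thread(target=serve)
    thread.start()

    # Keep the client sockets open until all connects are done so the first
    # ephemeral port is still in use when the second connect() picks one.
    clients, client_view = [], []
    for _ in range(n_clients):
        sock = socket.create_connection(listen_addr)   # implicit bind to an ephemeral port
        clients.append(sock)
        client_view.append({"local": sock.getsockname(), "peer": sock.getpeername()})

    thread.join()
    for sock in clients:
        sock.close()
    listener.close()
    return listen_addr, client_view, server_view


def render(listen_addr, client_view):
    """Format each connection the way Ludolf drew it in the thread."""
    return ["(mail client) %s:%d ---> %s:%d (stunnel)" % (c["local"] + c["peer"])
            for c in client_view]


if __name__ == "__main__":
    listen_addr, client_view, server_view = observe_loopback_connections()
    print("listener bound to %s:%d" % listen_addr)
    for line in render(listen_addr, client_view):
        print(line)
```

The accepted socket on the server side reports the listener's address as its local end and the client's ephemeral address as its peer; that is exactly what stunnel prints as "bound to 127.0.0.1:110" and "accepted connection from 127.0.0.1:1878".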
-----Original Message----- From: Ludolf Holzheid [mailto:lholzheid@bihl-wiedemann.de] Sent: Wednesday, 30 March 2016 12:36 To: stunnel-users@stunnel.org Cc: Ivan De Masi Subject: Re: [stunnel-users] Incoming port ignored
On Wed, 2016-03-30 12:00:16 +0200, Ivan De Masi wrote:
[..]
so, what would you recommend me?
Hi Ivan,
Hi Ludolf,
Check your virus scanner.
OK, I already did this. I configured my mail-client to connect to my mailprovider *without encryption* for testing and Avira checked the e-mails. So it is working. From the moment I switch back to 127.0.0.1 in my e-mail client config Avira turns "blind" again :-/ So I will have to do some more debugging :-(
Thanks!
Regards, Ivan
Ivan,
When you say you configure your AV-scanner to listen on localhost, how do you do it? Which ports does AV-scanner listen to? You can't have both stunnel and Avira listening on the same ports on the same interface.
Check your traffic flow. It should be something like:
Client -> Avira -> stunnel -> provider.
Only the connection stunnel-provider will be encrypted.
On 30 Mar 2016, at 2:58, Ivan De Masi de_masi@blu-it.de wrote:
[..]
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
On Wed, 2016-03-30 07:01:29 -0500, Josealf.rm wrote:
Ivan,
When you say you configure your AV-scanner to listen on localhost, how do you do it? Which ports does AV-scanner listen to? You can't have both stunnel and Avira listening on the same ports on the same interface.
Check your traffic flow. It should be something like:
Client -> Avira -> stunnel -> provider.
Only the connection stunnel-provider will be encrypted.
I thought virus scanners intercept the network traffic between the TCP/IP stack and the Ethernet driver and thus have nothing to do with TCP ports.
If the virus scanner worked as an IP application (as stunnel does), viruses would have to cooperate with the scanner in order to be detected.
Ludolf
Ludolf,
You're probably right. I'm also doing a wild guess here. But the only way to solve the problem is to know and understand the traffic flow.
Regards Jose
On 30 Mar 2016, at 7:12, Ludolf Holzheid lholzheid@bihl-wiedemann.de wrote:
[..]
-----Original Message----- From: Josealf.rm [mailto:josealf@rocketmail.com] Sent: Wednesday, 30 March 2016 14:01 To: de_masi@blu-it.de Cc: stunnel-users@stunnel.org Subject: Re: [stunnel-users] Incoming port ignored
Ivan,
When you say you configure your AV-scanner to listen on localhost, how do you do it? Which ports does AV-scanner listen to?
Hi Josealf,
I just tell the Avira e-mail scanner which ports it has to listen on (POP3: 110 / IMAP: 143 / SMTP: 25). I can't configure any IP, but this is not necessary because, as I mentioned before, when configuring the e-mail client with an unencrypted and direct connection to my mail provider, Avira is able to scan the e-mails. So it already listens on localhost.
I found that workaround here:
https://answers.avira.com/de/question/avira-email-schutz-blockiert-ssltlsstarttlsverbindung-9253
And Outlook & Thunderbird are listening on 127.0.0.1:110, 127.0.0.1:143, 127.0.0.1:25 ... it worked!!!
I think the problems started from the moment I installed stunnel as a service. The service daemon also told me that there is no config (?!). So I switched back to the "GUI Start" and now it doesn't work any more :-/
You can't have both stunnel and Avira listening on the same ports on the same interface.
OK, I can change the listening ports (both in stunnel and/or Avira), but how do I get them to work together then? Sorry, I'm a little bit confused now...
Check your traffic flow. It should be something like:
Client -> Avira -> stunnel -> provider.
Well, this seems logical to me, but when I switch off the mail scanner it doesn't interrupt the fetching or sending; only when I stop stunnel can e-mails no longer be fetched or sent. So it seems to me that somehow the mail client connects directly to stunnel?
Only the connection stunnel-provider will be encrypted.
Yes, that's right.
Regards, Ivan
Ivan,
I checked the references. It looks like Avira works more or less as Ludolf thinks. Somehow, it intercepts connections to SMTP, POP3 and IMAP servers. The scan should be transparent to both mail client and server. If the traffic is encrypted between client and server, it can't scan it.
Now, a connection can start on the standard (non-encrypted) ports and be upgraded to a secure one. If this happens, Avira blocks the connection. To avoid this, you must ensure your mail client communicates only in clear text. This is the crucial part. No SSL/TLS/STARTTLS allowed.
https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/935
So, I think your workaround configuration should work. Set your accepts to 127.0.0.1:port (where port=25,110,143). This blocks connections from other machines to your stunnel service.
Configure your e-mail client to send mail via 127.0.0.1:25 and fetch POP3 and IMAP mail from 127.0.0.1:110 and 127.0.0.1:143 only, with no encryption. Note: your mail client is NOT listening on those ports (stunnel is or will be listening). Your mail client connects to those ports.
Test as follows:
1. Disable Avira.
2. If you have stunnel in service mode, make sure it is stopped.
3. Start stunnel in application mode. Make sure there are no errors. The log should tell you it is listening on ports 25, 110, 143. You can also use the tcpview utility from Sysinternals (now Microsoft) to verify this.
4. Try sending/receiving e-mail.
5. If this works, enable Avira and test again.
6. Report results.
Regards, Jose
On Wednesday, March 30, 2016 8:51 AM, Ivan De Masi de_masi@blu-it.de wrote:
I just tell the Avira e-mail scanner which ports it has to listen on (POP3: 110 / IMAP: 143 / SMTP: 25). I can't configure any IP, but this is not necessary because, as I mentioned before, when configuring the e-mail client with an unencrypted and direct connection to my mail provider, Avira is able to scan the e-mails. So it already listens on localhost.
I found that workaround here:
https://answers.avira.com/de/question/avira-email-schutz-blockiert-ssltlsstarttlsverbindung-9253
And Outlook & Thunderbird are listening on 127.0.0.1:110, 127.0.0.1:143, 127.0.0.1:25 ... it worked!!! --- WRONG
I think the problems started from the moment I installed stunnel as a service. The service daemon also told me that there is no config (?!). So I switched back to the "GUI Start" and now it doesn't work any more :-/
Well, this seems logical to me, but when I switch off the mail scanner it doesn't interrupt the fetching or sending; only when I stop stunnel can e-mails no longer be fetched or sent. So it seems to me that somehow the mail client connects directly to stunnel?
Only the connection stunnel-provider will be encrypted.
Yes, that's right.
Regards, Ivan
Hi Jose,
thanks for your effort!
What you describe is exactly the way I already configured stunnel & the mail clients. Stopping Avira doesn't make any difference; e-mails can still be sent or received. tcpview showed me the listening ports as expected (25, 110, 143) PLUS two ports above port 8000 (e.g. 8248 & 8249):
stunnel.exe  6992  TCP  127.0.0.1  25    0.0.0.0    0     LISTENING
stunnel.exe  6992  TCP  127.0.0.1  110   0.0.0.0    0     LISTENING
stunnel.exe  6992  TCP  127.0.0.1  143   0.0.0.0    0     LISTENING
stunnel.exe  6992  TCP  127.0.0.1  8248  127.0.0.1  8249  ESTABLISHED
stunnel.exe  6992  TCP  127.0.0.1  8249  127.0.0.1  8248  ESTABLISHED
BUT what I tried again: instead of setting 127.0.0.1:port (25, 110, 143) in the mail client config, I switched back to pop3.my-provider.net / imap.my-provider.net / smtp.my-provider.net with no SSL/TLS/STARTTLS, and then Avira is able to scan the e-mails!!! So my suspicion is that when setting the mail client config to 127.0.0.1:port, stunnel gets the e-mails BEFORE Avira and sends them across the encrypted tunnel (and Avira is again not able to read the traffic inside that tunnel). So the traffic flow with the 127.0.0.1:port settings is: Client -> stunnel -> Avira (blind) -> provider
I still wonder how I ever got the setup running successfully when the traffic flow really goes that way.
Regards, Ivan
From: Jose Alf. [mailto:josealf@rocketmail.com]
Sent: Thursday, 31 March 2016 05:22
To: de_masi@blu-it.de; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Incoming port ignored
Ivan,
I checked the references. It looks like Avira works more or less as Ludolf thinks. Somehow, it intercepts connections to SMTP, POP3 and IMAP servers. The scan should be transparent to both mail client and server. If the traffic is encrypted between client and server, it can't scan it.
Now, a connection can start on the standard (non-encrypted) ports and be upgraded to a secure one. If this happens, Avira blocks the connection. To avoid this, you must ensure your mail client communicates only in clear text. This is the crucial part. No SSL/TLS/STARTTLS allowed.
https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/935
So, I think your workaround configuration should work. Set your accepts to 127.0.0.1:port (where port=25,110,143). This blocks connections from other machines to your stunnel service.
Configure your e-mail client to send mail via 127.0.0.1:25 and fetch POP3 and IMAP mail from 127.0.0.1:110 and 127.0.0.1:143 only, with no encryption. Note: your mail client is NOT listening on those ports (stunnel is or will be listening). Your mail client connects to those ports.
Test as follows:
1. Disable Avira.
2. If you have stunnel in service mode, make sure it is stopped.
3. Start stunnel in application mode. Make sure there are no errors. The log should tell you it is listening on ports 25, 110, 143. You can also use the tcpview utility from Sysinternals (now Microsoft) to verify this.
4. Try sending/receiving e-mail.
5. If this works, enable Avira and test again.
6. Report results.
Regards, Jose
On Wednesday, March 30, 2016 8:51 AM, Ivan De Masi de_masi@blu-it.de wrote:
I just tell the Avira e-mail scanner which ports it has to listen on (POP3: 110 / IMAP: 143 / SMTP: 25). I can't configure any IP, but this is not necessary because, as I mentioned before, when configuring the e-mail client with an unencrypted and direct connection to my mail provider, Avira is able to scan the e-mails. So it already listens on localhost.
I found that workaround here:
https://answers.avira.com/de/question/avira-email-schutz-blockiert-ssltlsstarttlsverbindung-9253
And Outlook & Thunderbird are listening on 127.0.0.1:110, 127.0.0.1:143, 127.0.0.1:25 ... it worked!!! --- WRONG
I think the problems started from the moment I installed stunnel as a service. The service daemon also told me that there is no config (?!). So I switched back to the "GUI Start" and now it doesn't work any more :-/
Well, this seems logical to me, but when I switch off the mail scanner it doesn't interrupt the fetching or sending; only when I stop stunnel can e-mails no longer be fetched or sent. So it seems to me that somehow the mail client connects directly to stunnel?
Only the connection stunnel-provider will be encrypted.
Yes, that's right.
Regards,
Ivan
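Added example, not part of the thread and not stunnel's or Avira's own code: a small checker that mechanises Jose's test steps (is stunnel, and only stunnel, listening on 127.0.0.1:25/110/143?) and resolves the "accepted connection from 127.0.0.1:1878" log lines that started the thread. The tcpview rows are the ones Ivan posted; the stunnel log lines are constructed here in the format quoted at the top of the thread, with the "bound to" lines taken from Ivan's log. The port after "from" is the mail client's ephemeral source port, and the checker maps each accept back to the service's bound listen port to show that the configured accept is not being bypassed. One assumption that the thread does not state: the 8248/8249 ESTABLISHED pair, with both ends owned by the same stunnel PID, is treated as stunnel's own internal loopback socket pair rather than mail traffic; the regexes and expected-port table are also my own, not taken from any tool.

```python
"""Check the Client -> stunnel -> provider flow from tcpview rows and stunnel log lines.

Added example for the stunnel-users thread; inputs are constructed (see below).
"""
import re
from collections import defaultdict

# Constructed from the tcpview output Ivan posted (one row per line).
TCPVIEW_ROWS = """\
stunnel.exe 6992 TCP 127.0.0.1 25 0.0.0.0 0 LISTENING
stunnel.exe 6992 TCP 127.0.0.1 110 0.0.0.0 0 LISTENING
stunnel.exe 6992 TCP 127.0.0.1 143 0.0.0.0 0 LISTENING
stunnel.exe 6992 TCP 127.0.0.1 8248 127.0.0.1 8249 ESTABLISHED
stunnel.exe 6992 TCP 127.0.0.1 8249 127.0.0.1 8248 ESTABLISHED
"""

# Constructed stunnel log lines in the format quoted in the thread.
STUNNEL_LOG = """\
2016.03.30 09:22:23 LOG7[main]: Service [df-pop3s] (FD=428) bound to 127.0.0.1:110
2016.03.30 09:22:23 LOG7[main]: Service [df-imaps] (FD=432) bound to 127.0.0.1:143
2016.03.30 09:30:01 LOG5[0]: Service [df-pop3s] accepted connection from 127.0.0.1:1878
2016.03.30 09:31:12 LOG5[1]: Service [df-pop3s] accepted (FD=472) from 127.0.0.1:1882
"""

# Ports the mail client is expected to use in clear text (Jose's checklist).
EXPECTED_LISTEN = {25: "smtp", 110: "pop3", 143: "imap"}

# Regexes are my own approximation of the tcpview / stunnel formats above.
ROW_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+TCP\s+(?P<laddr>\S+)\s+(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+)\s+(?P<rport>\d+)\s+(?P<state>\w+)$")
BOUND_RE = re.compile(r"Service \[(?P<svc>[^\]]+)\].*bound to (?P<addr>[\d.]+):(?P<port>\d+)")
ACCEPT_RE = re.compile(r"Service \[(?P<svc>[^\]]+)\] accepted .*?from (?P<addr>[\d.]+):(?P<port>\d+)")


def parse_tcpview(text):
    """Parse tcpview-style rows into dicts with integer pid/ports."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("pid", "lport", "rport"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def listeners(rows):
    """Map listening port -> owning process, so a missing listener or a
    port owned by another program (e.g. an AV proxy) is visible at once."""
    return {r["lport"]: r["proc"] for r in rows if r["state"] == "LISTENING"}


def internal_pairs(rows):
    """ESTABLISHED loopback connections whose two ends belong to the same PID.
    Assumption (not stated in the thread): stunnel's own loopback socket pair
    on Windows shows up like this and carries no mail traffic."""
    by_pid = defaultdict(set)
    for r in rows:
        if (r["state"] == "ESTABLISHED"
                and r["laddr"].startswith("127.") and r["raddr"].startswith("127.")):
            by_pid[r["pid"]].add((r["lport"], r["rport"]))
    pairs = set()
    for pid, endpoints in by_pid.items():
        for lp, rp in endpoints:
            if (rp, lp) in endpoints:
                pairs.add((pid, min(lp, rp), max(lp, rp)))
    return sorted(pairs)


def explain_accepts(log_text):
    """Resolve each 'accepted ... from 127.0.0.1:NNNN' line to the service's
    bound listen port. NNNN is the client's ephemeral source port, not a port
    that bypasses the configured accept."""
    bound, out = {}, []
    for line in log_text.splitlines():
        m = BOUND_RE.search(line)
        if m:
            bound[m["svc"]] = (m["addr"], int(m["port"]))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            _addr, port = bound.get(m["svc"], (None, None))
            out.append({"service": m["svc"], "client_addr": m["addr"],
                        "client_src_port": int(m["port"]), "listen_port": port})
    return out


def check_flow(rows, log_text):
    """Findings for Jose's checklist: expected listeners present, none owned by
    a process other than stunnel, accepts explained, internal pairs listed."""
    lst = listeners(rows)
    missing = sorted(p for p in EXPECTED_LISTEN if p not in lst)
    # Only one process can own a LISTENING port, so a clash shows up as the
    # wrong process name owning it.
    foreign = {p: lst[p] for p in EXPECTED_LISTEN if p in lst and lst[p] != "stunnel.exe"}
    return {"missing_listeners": missing, "foreign_listeners": foreign,
            "accepts": explain_accepts(log_text), "internal_pairs": internal_pairs(rows)}


if __name__ == "__main__":
    for key, value in check_flow(parse_tcpview(TCPVIEW_ROWS), STUNNEL_LOG).items():
        print(f"{key}: {value}")
```

On Ivan's data the checker reports no missing or foreign listeners, both accepts resolving to listen port 110 (source ports 1878 and 1882 belong to the client side), and one internal pair (6992, 8248, 8249). If an AV e-mail proxy were listening on 110 instead of stunnel, it would appear under foreign_listeners, which is the port clash Jose warned about.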