I am running Stunnel 5.14 on my Mac mail server (OS X 10.7.5), but trying to send emails using ports 465 & 587 does not work:
Mail.app says:
Mail was unable to connect to server “mail.bordo.com.au” using SSL on port 587. Verify that this server supports SSL and that your account settings are correct.
Log from Stunnel is:
2015.03.31 09:27:56 LOG7[ui]: Clients allowed=500
2015.03.31 09:27:56 LOG5[ui]: stunnel 5.14 on x86_64-apple-darwin11.4.2 platform
2015.03.31 09:27:56 LOG5[ui]: Compiled/running with OpenSSL 1.0.2a 19 Mar 2015
2015.03.31 09:27:56 LOG5[ui]: Threading:PTHREAD Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2015.03.31 09:27:56 LOG7[ui]: errno: (*__error())
2015.03.31 09:27:56 LOG5[ui]: Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
2015.03.31 09:27:56 LOG5[ui]: UTF-8 byte order mark not detected
2015.03.31 09:27:56 LOG5[ui]: FIPS mode disabled
2015.03.31 09:27:56 LOG7[ui]: Compression disabled
2015.03.31 09:27:56 LOG7[ui]: Snagged 64 random bytes from /dev/urandom
2015.03.31 09:27:56 LOG7[ui]: PRNG seeded successfully
2015.03.31 09:27:56 LOG6[ui]: Initializing service [ssmtp]
2015.03.31 09:27:56 LOG6[ui]: Loading certificate from file: /usr/local/etc/postfix/smtpd.cert
2015.03.31 09:27:56 LOG6[ui]: Loading key from file: /usr/local/etc/postfix/smtpd.key
2015.03.31 09:27:56 LOG7[ui]: Private key check succeeded
2015.03.31 09:27:56 LOG7[ui]: DH initialization
2015.03.31 09:27:56 LOG7[ui]: Using DH parameters from /usr/local/etc/postfix/smtpd.cert
2015.03.31 09:27:56 LOG7[ui]: DH initialized with 2048-bit key
2015.03.31 09:27:56 LOG7[ui]: ECDH initialization
2015.03.31 09:27:56 LOG7[ui]: ECDH initialized with curve prime256v1
2015.03.31 09:27:56 LOG7[ui]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2015.03.31 09:27:56 LOG6[ui]: Initializing service [ssmtp2]
2015.03.31 09:27:56 LOG6[ui]: Loading certificate from file: /usr/local/etc/postfix/smtpd.cert
2015.03.31 09:27:56 LOG6[ui]: Loading key from file: /usr/local/etc/postfix/smtpd.key
2015.03.31 09:27:56 LOG7[ui]: Private key check succeeded
2015.03.31 09:27:56 LOG7[ui]: DH initialization
2015.03.31 09:27:56 LOG7[ui]: Using DH parameters from /usr/local/etc/postfix/smtpd.cert
2015.03.31 09:27:56 LOG7[ui]: DH initialized with 2048-bit key
2015.03.31 09:27:56 LOG7[ui]: ECDH initialization
2015.03.31 09:27:56 LOG7[ui]: ECDH initialized with curve prime256v1
2015.03.31 09:27:56 LOG7[ui]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2015.03.31 09:27:56 LOG5[ui]: Configuration successful
2015.03.31 09:27:56 LOG7[ui]: Listening file descriptor created (FD=6)
2015.03.31 09:27:56 LOG7[ui]: Service [ssmtp] (FD=6) bound to 0.0.0.0:465
2015.03.31 09:27:56 LOG7[ui]: Listening file descriptor created (FD=7)
2015.03.31 09:27:56 LOG7[ui]: Service [ssmtp2] (FD=7) bound to 0.0.0.0:587
/usr/local/etc/stunnel/stunnel.conf has:
[ssmtp]
client = no
accept = 465
connect = 127.0.0.1:25

[ssmtp2]
client = no
accept = 587
connect = 127.0.0.1:25
The mail server is running on the same machine.
I can send emails using port 25 with no SSL. (I have to have the ‘Allow insecure authentication’ ticked).
When I try to send using ports 587 or 465 there is nothing logged by stunnel (or anywhere else that I can see).
Firewall is not blocking anything:
sudo ipfw list
65535 allow ip from any to any
Postfix is the SMTP server, Dovecot for IMAP.
Any suggestions?
Thanks,
James.
OK, I found out what the problem was - stunnel was not running!
There was nothing in the log to indicate that it was shutting down. Started it up again and everything started to work as before.
One thing I have noticed is that in Mail.app I have to turn on ‘Allow insecure authentication’ as otherwise it will give up after ages, saying that the certificate is invalid.
2015.03.31 11:06:17 LOG7[main]: Service [ssmtp] accepted (FD=3) from 192.168.1.10:56364
2015.03.31 11:06:17 LOG7[26]: Service [ssmtp] started
2015.03.31 11:06:17 LOG5[26]: Service [ssmtp] accepted connection from 192.168.1.10:56364
2015.03.31 11:06:17 LOG7[26]: SSL state (accept): before/accept initialization
2015.03.31 11:11:17 LOG6[26]: ssl_start: s_poll_wait: TIMEOUTbusy exceeded: sending reset
2015.03.31 11:11:17 LOG5[26]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.03.31 11:11:17 LOG7[26]: Local socket (FD=3) closed
2015.03.31 11:11:17 LOG7[26]: Service [ssmtp] finished (0 left)
Mail.app simply logs this:
31/3/2015 11:06:17.520 am Mail[3172]: CFNetwork SSLHandshake failed (-9807)
The client is running Yosemite 10.10.3 latest beta.
Any ideas why it would think it is invalid? Any way to find out?
Thanks,
James.
On 31.03.2015 03:22, James Brown wrote:
> OK, I found out what the problem was - stunnel was not running!
> There was nothing in the log to indicate that it was shutting down. Started it up again and everything started to work as before.
It may have been killed with KILL signal.
> One thing I have noticed is that in Mail.app I have to turn on ‘Allow insecure authentication’ as otherwise it will give up after ages, saying that the certificate is invalid.
> Any ideas why it would think it is invalid? Any way to find out?
In your case "invalid" may just mean "not trusted". Usually GUI clients display a dialog allowing the certificate to be added to the trusted certificate store. In MacOS X it is Keychain. You may need to import your certificate manually instead.
Best regards,
Michal Trojnara
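
Added example (not part of the original thread, and not stunnel's own code): a small Python probe that tells apart the two failures discussed above, a listener that is not running and a certificate the client does not trust. The function name `probe_tls` and its result labels are assumptions of this example; passing the server's own certificate as `cafile` mimics importing it into the client's trust store.

```python
import socket
import ssl
import sys


def probe_tls(host, port, cafile=None, timeout=5.0):
    """Connect to an implicit-TLS port and classify the outcome.

    Returns (label, detail). With cafile=None the system trust store is
    used; with cafile set, only the certificates in that file are trusted.
    """
    # Default context verifies both the chain and the hostname.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Nothing bound to the port, e.g. the stunnel process has exited.
        return ("not-listening", "nothing is accepting on this port")
    except OSError as exc:  # timeouts, no route, DNS failure
        return ("unreachable", str(exc))
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("trusted", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # verify_code/verify_message carry OpenSSL's reason, such as a
        # self-signed certificate or a hostname mismatch.
        return ("untrusted-certificate",
                f"{exc.verify_code}: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        # The peer answered, but not with a usable TLS handshake.
        return ("handshake-failed", str(exc))


if __name__ == "__main__":
    # Usage: probe.py HOST PORT [CAFILE]
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    trust_file = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_tls(target_host, target_port, cafile=trust_file))
```

Running it once without `cafile` and once with the server certificate shows whether "invalid" only means "not in the trust store" or whether something else, such as the hostname, also fails verification.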