I'm trying to set up an SSL connection from stunnel to Postfix, but cannot get it to work.
stunnel log says:
2006.11.16 11:35:31 LOG7[5240:25188864]: ssmtp started
2006.11.16 11:35:31 LOG7[5240:25188864]: FD 9 in non-blocking mode
2006.11.16 11:35:31 LOG7[5240:25188864]: TCP_NODELAY option set on local socket
2006.11.16 11:35:31 LOG7[5240:25188864]: FD 10 in non-blocking mode
2006.11.16 11:35:31 LOG7[5240:25188864]: FD 11 in non-blocking mode
2006.11.16 11:35:31 LOG7[5240:25188864]: Connection from 192.168.1.12:51469 permitted by libwrap
2006.11.16 11:35:31 LOG5[5240:25188864]: ssmtp connected from 192.168.1.12:51469
2006.11.16 11:35:31 LOG7[5240:25188864]: FD 10 in non-blocking mode
2006.11.16 11:35:31 LOG7[5240:25188864]: ssmtp connecting 127.0.0.1:25
2006.11.16 11:35:31 LOG7[5240:25188864]: connect_wait: waiting 10 seconds
2006.11.16 11:35:31 LOG7[5240:25188864]: connect_wait: connected
2006.11.16 11:35:31 LOG7[5240:25188864]: Remote FD=10 initialized
2006.11.16 11:35:31 LOG7[5240:25188864]: TCP_NODELAY option set on remote socket
2006.11.16 11:35:31 LOG5[5240:25188864]: Negotiations for smtp (client side) started
2006.11.16 11:35:31 LOG7[5240:2684415368]: Cleaning up the signal pipe
2006.11.16 11:35:31 LOG6[5240:2684415368]: Child process 5251 finished with code 0
2006.11.16 11:35:31 LOG7[5240:25188864]: <- 220 mail3.bordo.com.au ESMTP Postfix
2006.11.16 11:35:31 LOG7[5240:25188864]: -> 220 mail3.bordo.com.au ESMTP Postfix
2006.11.16 11:35:31 LOG7[5240:25188864]: -> EHLO localhost
2006.11.16 11:35:31 LOG7[5240:25188864]: <- 250-mail3.bordo.com.au
2006.11.16 11:35:31 LOG7[5240:25188864]: <- 250-SIZE 10240000
2006.11.16 11:35:31 LOG7[5240:25188864]: <- 250-ETRN
2006.11.16 11:35:31 LOG7[5240:25188864]: <- 250-AUTH PLAIN LOGIN
2006.11.16 11:35:31 LOG7[5240:25188864]: <- 250-AUTH=PLAIN LOGIN
2006.11.16 11:35:31 LOG7[5240:25188864]: <- 250-XFORWARD NAME ADDR PROTO HELO SOURCE
2006.11.16 11:35:31 LOG7[5240:25188864]: <- 250-ENHANCEDSTATUSCODES
2006.11.16 11:35:31 LOG7[5240:25188864]: <- 250-8BITMIME
2006.11.16 11:35:31 LOG7[5240:25188864]: <- 250 DSN
2006.11.16 11:35:31 LOG7[5240:25188864]: -> STARTTLS
2006.11.16 11:35:31 LOG7[5240:25188864]: <- 220 2.0.0 Ready to start TLS
2006.11.16 11:35:31 LOG5[5240:25188864]: Protocol negotiations succeded
2006.11.16 11:35:31 LOG7[5240:25188864]: SSL state (connect): before/connect initialization
2006.11.16 11:35:31 LOG7[5240:25188864]: SSL state (connect): SSLv2/v3 write client hello A
2006.11.16 11:40:31 LOG6[5240:25188864]: init_ssl: s_poll_wait timeout
2006.11.16 11:40:31 LOG5[5240:25188864]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.11.16 11:40:31 LOG7[5240:25188864]: ssmtp finished (0 left)
2006.11.16 11:35:31 LOG7[5240:25188864]: ssmtp started
Postfix's log shows:

Nov 16 11:35:31 Fax-Machine postfix/smtpd[5252]: connect from localhost[127.0.0.1]
Nov 16 11:35:31 Fax-Machine postfix/smtpd[5252]: setting up TLS connection from localhost[127.0.0.1]
Nov 16 11:40:31 Fax-Machine postfix/smtpd[5252]: SSL_accept error from localhost[127.0.0.1]: -1
Nov 16 11:40:31 Fax-Machine postfix/smtpd[5252]: lost connection after STARTTLS from localhost[127.0.0.1]
Nov 16 11:40:31 Fax-Machine postfix/smtpd[5252]: disconnect from localhost[127.0.0.1]
stunnel.conf is:

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = /etc/postfix/smtpd.cert
key = /etc/postfix/smtpd.key

debug=7
output=/dev/stdout

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

protocol = smtp
sslVersion = all

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

[ssmtp]
client = yes
accept = 465
connect = 25

;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini
Does anyone have any idea where I am going wrong?
Thanks,
James.
On Thu, 16 Nov 2006, James Brown wrote:

> I'm trying to set up an SSL connection from stunnel to Postfix, but cannot get it to work.

Are you trying to do smtp-client (e.g. Thunderbird) <-TLS-> Stunnel <-plain-> Postfix?
If so you might want to remove the 'client=yes' bit.

> protocol = smtp
> sslVersion = all
>
> ;[pop3s]
> ;accept  = 995
> ;connect = 110
>
> ;[imaps]
> ;accept  = 993
> ;connect = 143
>
> [ssmtp]
> client = yes
> accept = 465
> connect = 25

and put protocol = smtp here.
Jan, changing client=yes to client=no did the trick!
It all works now.
Thanks for your help.
James.
On 16/11/2006, at 5:53 PM, Jan Meijer wrote:

> Are you trying to do smtp-client (e.g. Thunderbird) <-TLS-> Stunnel <-plain-> Postfix?
> If so you might want to remove the 'client=yes' bit.
> [...]
> and put protocol = smtp here.
On Fri, 17 Nov 2006, James Brown wrote:

> Jan, changing client=yes to client=no did the trick!
> It all works now.
> Thanks for your help.

Enjoy the magic of stunnel :).
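The fix that resolved the thread (client = no on the [ssmtp] service) and Jan's hint about where protocol = smtp belongs, as an added example that is not code from the thread or from the stunnel project: a small linter for stunnel.conf that flags the service section James posted and passes a server-mode version of it. The two embedded configurations are constructed copies, and the parser reflects only the parts of stunnel's config syntax the check needs (';' comment lines, options before the first [section] acting as defaults for every service, repeatable keys such as socket). One caveat from the current stunnel manual is folded in: protocol = smtp turns on STARTTLS-style negotiation, which the manual says not to combine with TLS on a separate port, and a client connecting to 465 expects a TLS handshake from the first byte, so the corrected section leaves it out. The sslVersion = TLSv1 line uses the 4.x-era syntax of the posted file; current stunnel expresses the same restriction with sslVersionMin.

```python
"""Lint stunnel.conf service sections for the mistake in this thread.

Added example for this page, not code from the stunnel project or from
any of the posters.  POSTED reproduces the relevant lines of the posted
file (a client-mode [ssmtp] service on port 465); FIXED is the
server-mode version.  Both are constructed strings.
"""
from typing import Dict, List, Optional, Tuple

Options = Dict[str, List[str]]          # option name -> values in file order

# Ports where the client expects a TLS handshake immediately (implicit TLS).
IMPLICIT_TLS_PORTS = {"465": "smtps", "993": "imaps", "995": "pop3s"}

POSTED = """\
; global defaults, as in the posted stunnel.conf
cert = /etc/postfix/smtpd.cert
key = /etc/postfix/smtpd.key
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
protocol = smtp
sslVersion = all

[ssmtp]
client = yes
accept = 465
connect = 25
"""

FIXED = """\
; server mode: stunnel terminates TLS on 465 and talks plain SMTP to Postfix
cert = /etc/postfix/smtpd.cert
key = /etc/postfix/smtpd.key
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; no 'protocol =' here: port 465 is TLS from the first byte, nothing to negotiate
sslVersion = TLSv1

[ssmtp]
client = no
accept = 465
connect = 127.0.0.1:25
"""


def parse_stunnel_conf(text: str) -> Tuple[Options, Dict[str, Options]]:
    """Return (global_options, {service_name: service_options})."""
    global_opts: Options = {}
    services: Dict[str, Options] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable stunnel.conf line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        # option names are matched case-insensitively; values keep file order
        current.setdefault(key.lower(), []).append(value)
    return global_opts, services


def effective(service: Options, global_opts: Options, key: str,
              default: Optional[str] = None) -> Optional[str]:
    """A service-level option overrides the global default of the same name."""
    values = service.get(key) or global_opts.get(key)
    return values[-1] if values else default


def lint(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the file is clean."""
    global_opts, services = parse_stunnel_conf(text)
    findings: List[str] = []
    for name, opts in services.items():
        accept = effective(opts, global_opts, "accept")
        if accept is None:
            continue
        port = accept.rsplit(":", 1)[-1]          # 'accept' may be host:port
        tls_name = IMPLICIT_TLS_PORTS.get(port)
        client_mode = (effective(opts, global_opts, "client", "no") or "").lower() == "yes"
        protocol = effective(opts, global_opts, "protocol")
        ssl_version = (effective(opts, global_opts, "sslversion", "") or "").lower()

        if tls_name and client_mode:
            findings.append(
                f"[{name}] client = yes with accept = {port} ({tls_name}): stunnel accepts "
                f"PLAINTEXT on {port} and only encrypts the hop to the backend; "
                f"set client = no so it terminates TLS on {port}")
        if tls_name and protocol:
            findings.append(
                f"[{name}] protocol = {protocol} on implicit-TLS port {port}: STARTTLS-style "
                f"negotiation does not belong on a dedicated TLS port; remove it")
        if ssl_version == "all":
            findings.append(
                f"[{name}] sslVersion = all permits SSLv2/SSLv3; restrict to TLS")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        result = lint(conf)
        print(f"--- {label}: {len(result)} finding(s)")
        for finding in result:
            print("  " + finding)
```

Run it as-is to see three findings for the posted section and none for the server-mode one; point `lint()` at the text of a real stunnel.conf to check your own file. Mike's alternative further down the thread, Postfix's own wrapper mode on a dedicated smtps listener, removes stunnel from the path entirely and is the simpler design when Postfix already has the certificate.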
James Brown wrote:

> [ssmtp]
> client = yes
> accept = 465
> connect = 25

I'm afraid configuring an SSL client to encrypt your loopback interface is not very useful. 8-)
I guess what you want to do is to set up an SSL *server* on a separate port.
To do this add the following to your master.cf file:

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes

Best regards,
Mike