This has been working for years and recently stopped. I am a novice here. Can someone look at this and please tell me what is happening? It is an old server that does not support TLS so we put Stunnel in front of it. I am sure the version of stunnel is pretty old. Maybe a TLS level issue?
```
2021.10.26 14:47:30 LOG7[21968:139797665822784]: SSL options set: 0x01000004
2021.10.26 14:47:30 LOG6[21968:139797665822784]: Initializing service [SMTP Outgoing]
2021.10.26 14:47:30 LOG7[21968:139797665822784]: SSL options set: 0x01000004
2021.10.26 14:47:30 LOG6[21968:139797665822784]: Initializing service [IMAP]
2021.10.26 14:47:30 LOG7[21968:139797665822784]: SSL options set: 0x01000004
2021.10.26 14:47:30 LOG5[21968:139797665822784]: Configuration successful
2021.10.26 14:47:30 LOG7[21968:139797665822784]: Service [POP3 Incoming] (FD=12) bound to 0.0.0.0:110
2021.10.26 14:47:30 LOG7[21968:139797665822784]: Service [SMTP Outgoing] (FD=13) bound to 0.0.0.0:25
2021.10.26 14:47:30 LOG7[21968:139797665822784]: Service [IMAP] (FD=14) bound to 0.0.0.0:143
2021.10.26 14:47:30 LOG7[21974:139797665822784]: Created pid file /var/run/stunnel.pid
2021.10.26 14:48:30 LOG7[21974:139797665822784]: Service [IMAP] accepted (FD=3) from 10.55.3.159:1852
2021.10.26 14:48:30 LOG7[21974:139797665818368]: Service [IMAP] started
2021.10.26 14:48:30 LOG7[21974:139797665818368]: Waiting for a libwrap process
2021.10.26 14:48:30 LOG7[21974:139797665818368]: Acquired libwrap process #0
2021.10.26 14:48:30 LOG7[21974:139797665818368]: Releasing libwrap process #0
2021.10.26 14:48:30 LOG7[21974:139797665818368]: Released libwrap process #0
2021.10.26 14:48:30 LOG7[21974:139797665818368]: Service [IMAP] permitted by libwrap from 10.55.3.159:1852
2021.10.26 14:48:30 LOG5[21974:139797665818368]: Service [IMAP] accepted connection from 10.55.3.159:1852
2021.10.26 14:48:30 LOG6[21974:139797665818368]: connect_blocking: connecting 52.96.87.226:993
2021.10.26 14:48:30 LOG7[21974:139797665818368]: connect_blocking: s_poll_wait 52.96.87.226:993: waiting 10 seconds
2021.10.26 14:48:30 LOG5[21974:139797665818368]: connect_blocking: connected 52.96.87.226:993
2021.10.26 14:48:30 LOG5[21974:139797665818368]: Service [IMAP] connected remote server from 10.55.3.200:51358
2021.10.26 14:48:30 LOG7[21974:139797665818368]: Remote socket (FD=16) initialized
2021.10.26 14:48:30 LOG7[21974:139797665818368]: SNI: sending servername: outlook.office365.com
2021.10.26 14:48:30 LOG7[21974:139797665818368]: SSL state (connect): before/connect initialization
2021.10.26 14:48:30 LOG7[21974:139797665818368]: SSL state (connect): SSLv3 write client hello A
2021.10.26 14:48:30 LOG3[21974:139797665818368]: SSL_connect: Peer suddenly disconnected
2021.10.26 14:48:30 LOG5[21974:139797665818368]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2021.10.26 14:48:30 LOG7[21974:139797665818368]: Remote socket (FD=16) closed
2021.10.26 14:48:30 LOG7[21974:139797665818368]: Local socket (FD=3) closed
2021.10.26 14:48:30 LOG7[21974:139797665818368]: Service [IMAP] finished (0 left)
```
The fact that the log mentions an SSLv3 connection attempt, rather than something more modern, might well indicate what you suspect - I would be very surprised if the O365 email service still accepted SSLv3 connections.
-- Mike S
Michal, at the time of writing this, the web interface for the mailing lists gives a not found error.
On Tue, 26 Oct 2021 15:13:22 +0000 (UTC) Mike Spooner mikes@aalin.co.uk wrote:
The fact that the log mentions an SSLv3 connection attempt, rather than something more modern, might well indicate what you suspect - I would be very surprised if the O365 email service still accepted SSLv3 connections.
Hi,
As has been said earlier (at least by me), SSLv3 in the logs means nothing. It might be deceiving, but those lines don't tell the TLS version being used.
The hint indicating it is where it says "TLS_[version] ciphersuite:".
On that log it doesn't even appear because they couldn't even negotiate them.
Could it be the TLS version? Maybe.
Ben, try Thomas's advice, setting in your service:
sslVersion = your desired version from what manual tells
Without knowing that service's settings, it is the only advice to give, I think.
Regards.
P.S.: thanks Michal for fixing the web interface of the lists, even though I see missing mails.
Have you been cracked?
On Fri, 26 Nov 2021 02:57:56 +0100 Javier jamilist.stn@gmx.es wrote:
Michal, at the time of writing this, the web interface for the mailing lists gives a not found error.
That is not true.
It is working, sorry; I just re-sent, a month later, without further editing.
Maybe this is the issue? I am seeing TLSv1? I think Microsoft deprecated that. I have tried to update the config file but cannot get it to show anything but v1.
```
Global options:
debug = daemon.notice
pid = /var/run/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH (with "fips = no")
curve = prime256v1
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
sslVersion = TLSv1 (with "fips = yes")
sslVersion = TLSv1 for client, all for server (with "fips = no")
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
```
From: Ben Bazian via stunnel-users stunnel-users@stunnel.org Sent: Tuesday, October 26, 2021 10:55 AM To: jose isaias cabrera jicman@gmail.com; stunnel-users@stunnel.org Subject: [stunnel-users] Office 365 connections stopped working
This has been working for years and recently stopped. I am a novice here. Can someone look at this and please tell me what is happening? It is an old server that does not support TLS so we put Stunnel in front of it. I am sure the version of stunnel is pretty old. Maybe a TLS level issue?
Unless you are using TLSv1.2 or higher, you **will not** be able to talk to MS365. This was what they put into effect last month, and is a hard retirement.
You need to define your version to be TLSv1.2 for the client and/or server connectivity. Microsoft even made this announcement six months before they deprecated TLSv1 and TLSv1.1. Try setting your version to TLSv1.2 and see if it works now.
Thomas
On 10/26/21 11:33, Ben Bazian via stunnel-users wrote:
sslVersion = TLSv1
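
The triage the replies describe, as an added example that is not part of the original thread: it groups stunnel log entries by connection thread and reports whether a ciphersuite line ever appeared or the peer dropped the connection straight after the ClientHello. The sample's first connection is copied from the log posted above; the second connection (thread `140000000000001`) and its "Negotiated ... ciphersuite" wording are constructed for illustration, and the check only assumes such a line contains the word "ciphersuite", as stated in the thread.

```python
import re
from collections import defaultdict

# One stunnel entry: "<date> <time> LOG<level>[<pid>:<thread>]: <message>".
# The lookahead ends a message at the next timestamp, so a log that was
# flattened onto one long line still splits into separate entries.
STAMP = r"\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d"
ENTRY = re.compile(
    rf"{STAMP}\s+LOG(\d)\[\d+:(\d+)\]: (.*?)(?=\s*{STAMP}\s+LOG\d\[|\s*$)",
    re.S,
)
REJECTED = "rejected after ClientHello, before any ciphersuite was negotiated"


def triage(log_text):
    """Map each thread id that started a TLS handshake to a verdict."""
    threads = defaultdict(list)
    for _level, thread, message in ENTRY.findall(log_text):
        threads[thread].append(message)
    verdicts = {}
    for thread, messages in threads.items():
        # "SSLv3 write client hello A" is a handshake state name, not the
        # protocol version: it only shows that a handshake was started.
        if not any("write client hello" in m for m in messages):
            continue
        negotiated = [m for m in messages if "ciphersuite" in m]
        if negotiated:
            verdicts[thread] = "negotiated: " + negotiated[0]
        elif any("Peer suddenly disconnected" in m for m in messages):
            verdicts[thread] = REJECTED
        else:
            verdicts[thread] = "handshake incomplete"
    return verdicts


# Thread 139797665818368 is from the posted log; 140000000000001 is constructed.
SAMPLE = (
    "2021.10.26 14:47:30 LOG5[21968:139797665822784]: Configuration successful "
    "2021.10.26 14:48:30 LOG7[21974:139797665818368]: SSL state (connect): SSLv3 write client hello A "
    "2021.10.26 14:48:30 LOG3[21974:139797665818368]: SSL_connect: Peer suddenly disconnected "
    "2021.10.26 14:50:02 LOG7[21974:140000000000001]: SSL state (connect): SSLv3 write client hello A "
    "2021.10.26 14:50:02 LOG6[21974:140000000000001]: Negotiated TLSv1.2 ciphersuite "
    "ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)"
)

if __name__ == "__main__":
    for thread, verdict in triage(SAMPLE).items():
        print(thread, verdict)
```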