Summary of problem (configuration and log details below): I am attempting to configure Stunnel to run a pop3s service on our server so that users can retrieve email securely. Stunnel is started as a systemctl service. If I include both the following in the stunnel.conf:
accept = mail.myserver.net:995
connect = localhost:110
then systemctl will exit immediately with:
Service [pop3s]: Each service must define two endpoints
stunnel.service: Control process exited, code=exited status=1
Failed to start SSL tunnel for network daemons.
If I comment the connect to 110 then it will start and hang then eventually timeout: stunnel.service: Failed with result 'timeout'.
Below is my stunnel.conf and log excerpt from the start with the connect to 110 commented out.
I would greatly appreciate any advice.
---stunnel.conf
setuid = nobody
setgid = nobody
pid = /usr/local/var/lib/stunnel/var/run/stunnel.pid
foreground = yes
;debug = info
debug = 7
sslVersion = TLSv1.2
output = /usr/local/var/lib/stunnel/var/log/stunnel.log
;ciphers = HIGH:MEDIUM:+DH:!SSLv2:!aNULL:+SHA256:+SHA1:+MD5
ciphers = HIGH:+3DES:+DH:!aNULL:!SSLv2
transparent = yes
delay = no
fips = no
compression = deflate
client = no

[pop3s]
accept = mail.myserver.net:995
;connect = localhost:110
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
exec = /usr/local/sbin/gnu-pop3d
execargs = --debug=000 --mdn --timeout=60 --ipv6
----log excerpt -----
2016.08.17 15:08:55 LOG7[ui]: Clients allowed=500
2016.08.17 15:08:55 LOG5[ui]: stunnel 5.35 on x86_64-unknown-linux-gnu platform
2016.08.17 15:08:55 LOG5[ui]: Compiled/running with OpenSSL 1.0.2h 3 May 2016
2016.08.17 15:08:55 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2016.08.17 15:08:55 LOG7[ui]: errno: (*__errno_location ())
2016.08.17 15:08:55 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2016.08.17 15:08:55 LOG5[ui]: UTF-8 byte order mark not detected
2016.08.17 15:08:55 LOG7[cron]: Cron thread initialized
2016.08.17 15:08:55 LOG5[ui]: FIPS mode disabled
2016.08.17 15:08:55 LOG6[ui]: Compression enabled: 1 method(s)
2016.08.17 15:08:55 LOG7[ui]: Snagged 64 random bytes from /dev/urandom
2016.08.17 15:08:55 LOG7[ui]: PRNG seeded successfully
2016.08.17 15:08:55 LOG6[ui]: Initializing service [pop3s]
2016.08.17 15:08:55 LOG6[ui]: Loading certificate from file: /etc/stunnel/stunnel.pem
2016.08.17 15:08:55 LOG6[ui]: Certificate loaded from file: /etc/stunnel/stunnel.pem
2016.08.17 15:08:55 LOG6[ui]: Loading private key from file: /etc/stunnel/stunnel.pem
2016.08.17 15:08:55 LOG6[ui]: Private key loaded from file: /etc/stunnel/stunnel.pem
2016.08.17 15:08:55 LOG7[ui]: Private key check succeeded
2016.08.17 15:08:55 LOG7[ui]: DH initialization
2016.08.17 15:08:55 LOG7[ui]: Could not load DH parameters from /etc/stunnel/stunnel.pem
2016.08.17 15:08:55 LOG6[ui]: Using dynamic DH parameters
2016.08.17 15:08:55 LOG7[ui]: ECDH initialization
2016.08.17 15:08:55 LOG7[ui]: ECDH initialized with curve prime256v1
2016.08.17 15:08:55 LOG7[ui]: SSL options: 0x03004004 (+0x03004000, -0x00000000)
2016.08.17 15:08:55 LOG5[ui]: Configuration successful
2016.08.17 15:08:55 LOG7[ui]: Listening file descriptor created (FD=7)
2016.08.17 15:08:55 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2016.08.17 15:08:55 LOG7[ui]: Service [pop3s] (FD=7) bound to 60.62.114.105:995
2016.08.17 15:08:55 LOG6[cron]: Executing cron jobs
2016.08.17 15:08:55 LOG7[ui]: Created pid file /usr/local/var/lib/stunnel/var/run/stunnel.pid
2016.08.17 15:08:55 LOG5[cron]: Updating DH parameters
2016.08.17 15:10:01 LOG5[cron]: DH parameters updated
2016.08.17 15:10:01 LOG6[cron]: Cron jobs completed in 66 seconds
2016.08.17 15:10:01 LOG7[cron]: Waiting 86334 seconds
2016.08.17 15:10:25 LOG7[ui]: Found 1 ready file descriptor(s)
2016.08.17 15:10:25 LOG7[ui]: FD=4 events=0x2001 revents=0x1
2016.08.17 15:10:25 LOG7[ui]: FD=7 events=0x2001 revents=0x0
2016.08.17 15:10:25 LOG7[ui]: Dispatching signals from the signal pipe
2016.08.17 15:10:25 LOG7[ui]: Processing SIGNAL_TERMINATE
2016.08.17 15:10:25 LOG5[ui]: Terminated
2016.08.17 15:10:25 LOG7[ui]: Closing service [pop3s]
2016.08.17 15:10:25 LOG7[ui]: Service [pop3s] closed (FD=7)
2016.08.17 15:10:25 LOG7[ui]: Service [pop3s] closed
2016.08.17 15:10:25 LOG7[ui]: removing pid file /usr/local/var/lib/stunnel/var/run/stunnel.pid
On Wed, Aug 17, 2016 at 04:37:12PM -0400, SP wrote:
Try uncommenting the "connect" line, then commenting out the "exec" and "execargs" lines; see if this helps. As it is, you're telling stunnel "listen on port 995, then connect to port 110 and also run a program"; that's three things, and it wants you to tell it exactly two.
It's a different question why the "exec" one doesn't work though... In the current configuration, with the "connect" line commented out and the "exec" and "execargs" one uncommented, when you connect to port 995, can you see (with "pstree -l" or "ps awwfux" or something like that) stunnel starting a gnu-pop3d process? Does the gnu-pop3d process log something somewhere?
G'luck, Peter
Peter,
Thank you for your reply. Commenting out the exec and execargs does dispense with the "requires two endpoints" fault. The program still times out, however, with the program and systemctl exiting.
Stephen
On Thu, 2016-08-18 at 01:04 +0300, Peter Pentchev wrote:
On Wed, Aug 17, 2016 at 07:29:23PM -0400, SP wrote:
OK, so does the stunnel log show that it is accepting your connection? Does the stunnel log show that it is connecting to port 110? Does the log of the program that you have listening on port 110 show that it is accepting stunnel's connection to it?
G'luck, Peter
Peter,
I see from the archives that someone had a similar problem five years ago - but I do not see a resolution. Do you recall if a solution was found then? https://www.stunnel.org/pipermail/stunnel-users/2011-August/003185.html
Stephen

----------

Peter,
Apologies for not including the log info earlier. No, the stunnel log only shows that it is binding the service pop3s to the static IP address of the server on port 995. It does not connect to port 110. Excuse my naivety - but should the pop3 service (Gnu-pop3d) be running on 110 at the same time as stunnel, as it is not being called in the stunnel.conf exec line? I have tried it either way and the result is the same.
Here is the message log which is slightly more verbose than the stunnel log:
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG5[ui]: stunnel 5.35 on x86_64-unknown-linux-gnu platform
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG5[ui]: Compiled/running with OpenSSL 1.0.2h 3 May 2016
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[cron]: Cron thread initialized
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: errno: (*__errno_location ())
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG5[ui]: UTF-8 byte order mark not detected
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG5[ui]: FIPS mode disabled
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG6[ui]: Compression enabled: 1 method(s)
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: Snagged 64 random bytes from /dev/urandom
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: PRNG seeded successfully
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG6[ui]: Initializing service [pop3s]
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG6[ui]: Loading certificate from file: /etc/stunnel/stunnel.pem
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG6[ui]: Certificate loaded from file: /etc/stunnel/stunnel.pem
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG6[ui]: Loading private key from file: /etc/stunnel/stunnel.pem
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG6[ui]: Private key loaded from file: /etc/stunnel/stunnel.pem
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: Private key check succeeded
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: DH initialization
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: Could not load DH parameters from /etc/stunnel/stunnel.pem
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG6[ui]: Using dynamic DH parameters
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: ECDH initialization
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: ECDH initialized with curve prime256v1
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: SSL options: 0x03004004 (+0x03004000, -0x00000000)
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG5[ui]: Configuration successful
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: Listening file descriptor created (FD=7)
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: Option SO_REUSEADDR set on accept socket
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: Service [pop3s] (FD=7) bound to 60.59.114.106:995
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG6[cron]: Executing cron jobs
Aug 18 11:40:30 oracle stunnel: LOG5[ui]: Compiled/running with OpenSSL 1.0.2h 3 May 2016
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG5[cron]: Updating DH parameters
Aug 18 11:40:30 oracle stunnel: 2016.08.18 11:40:30 LOG7[ui]: Created pid file /usr/local/var/lib/stunnel/var/run/stunnel.pid
Aug 18 11:40:30 oracle stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
Aug 18 11:40:30 oracle stunnel: LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
Aug 18 11:40:30 oracle stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Aug 18 11:40:30 oracle stunnel: LOG5[ui]: FIPS mode disabled
Aug 18 11:40:30 oracle stunnel: LOG6[ui]: Compression enabled: 1 method(s)
Aug 18 11:40:30 oracle stunnel: LOG6[ui]: Initializing service [pop3s]
Aug 18 11:40:30 oracle stunnel: LOG6[ui]: Loading certificate from file: /etc/stunnel/stunnel.pem
Aug 18 11:40:30 oracle stunnel: LOG6[ui]: Certificate loaded from file: /etc/stunnel/stunnel.pem
Aug 18 11:40:30 oracle stunnel: LOG6[ui]: Loading private key from file: /etc/stunnel/stunnel.pem
Aug 18 11:40:30 oracle stunnel: LOG6[ui]: Private key loaded from file: /etc/stunnel/stunnel.pem
Aug 18 11:40:30 oracle stunnel: LOG6[ui]: Using dynamic DH parameters
Aug 18 11:40:30 oracle stunnel: LOG5[ui]: Configuration successful
Aug 18 11:40:30 oracle stunnel: LOG6[cron]: Executing cron jobs
Aug 18 11:40:30 oracle stunnel: LOG5[cron]: Updating DH parameters
Aug 18 11:40:39 oracle stunnel: LOG5[cron]: DH parameters updated
Aug 18 11:40:39 oracle stunnel: 2016.08.18 11:40:39 LOG5[cron]: DH parameters updated
Aug 18 11:40:39 oracle stunnel: 2016.08.18 11:40:39 LOG6[cron]: Cron jobs completed in 9 seconds
Aug 18 11:40:39 oracle stunnel: 2016.08.18 11:40:39 LOG7[cron]: Waiting 86391 seconds
Aug 18 11:40:39 oracle stunnel: LOG6[cron]: Cron jobs completed in 9 seconds
Aug 18 11:42:00 oracle systemd: stunnel.service: Start operation timed out. Terminating.
Aug 18 11:42:00 oracle stunnel: 2016.08.18 11:42:00 LOG7[ui]: Found 1 ready file descriptor(s)
Aug 18 11:42:00 oracle stunnel: 2016.08.18 11:42:00 LOG7[ui]: FD=4 events=0x2001 revents=0x1
Aug 18 11:42:00 oracle stunnel: 2016.08.18 11:42:00 LOG7[ui]: FD=7 events=0x2001 revents=0x0
Aug 18 11:42:00 oracle stunnel: 2016.08.18 11:42:00 LOG7[ui]: Dispatching signals from the signal pipe
Aug 18 11:42:00 oracle stunnel: 2016.08.18 11:42:00 LOG7[ui]: Processing SIGNAL_TERMINATE
Aug 18 11:42:00 oracle stunnel: 2016.08.18 11:42:00 LOG5[ui]: Terminated
Aug 18 11:42:00 oracle stunnel: 2016.08.18 11:42:00 LOG7[ui]: Closing service [pop3s]
Aug 18 11:42:00 oracle stunnel: 2016.08.18 11:42:00 LOG7[ui]: Service [pop3s] closed (FD=7)
Aug 18 11:42:00 oracle stunnel: 2016.08.18 11:42:00 LOG7[ui]: Service [pop3s] closed
Aug 18 11:42:00 oracle stunnel: 2016.08.18 11:42:00 LOG7[ui]: removing pid file /usr/local/var/lib/stunnel/var/run/stunnel.pid
Aug 18 11:42:00 oracle audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=stunnel comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug 18 11:42:00 oracle systemd: Failed to start SSL tunnel for network daemons.
Aug 18 11:42:00 oracle systemd: stunnel.service: Unit entered failed state.
Aug 18 11:42:00 oracle systemd: stunnel.service: Failed with result 'timeout'.
Aug 18 11:42:00 oracle stunnel: LOG5[ui]: Terminated
On Thu, 2016-08-18 at 11:34 +0300, Peter Pentchev wrote:
Finally, I have stunnel working in daemon mode.
I first managed to get it running as inetd but still could not run it as daemon until I realized that foreground was enabled in the config. After commenting that out it runs as a daemon called by systemctl.
The main steps I took to remedy the problem were:
1. Comment out exec and execargs as you suggested. (Thank you.)
2. Add the missing DH parameters to the pem file by running
dd if=/dev/urandom count=2 | openssl dhparam -rand - 512
then appending the result to the end of the pem.
3. Comment out "transparent".
4. Comment out "foreground" so it runs in the background as a daemon.
Here is my working stunnel.conf:
--------------------------
setuid = nobody
setgid = nobody
pid = /usr/local/var/lib/stunnel/var/run/stunnel.pid
;foreground = yes
;debug = info
debug = 7
sslVersion = TLSv1.2
output = /usr/local/var/lib/stunnel/var/log/stunnel.log
;ciphers = HIGH:MEDIUM:+DH:!SSLv2:!aNULL:+SHA256:+SHA1:+MD5
ciphers = HIGH:+3DES:+DH:!aNULL:!SSLv2
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
delay = no
fips = no
compression = deflate
client = no

[pop3s]
accept = mail.myserver.net:995
connect = 110
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
On Thu, 2016-08-18 at 19:05 -0400, SP wrote:
On Thu, Aug 18, 2016 at 10:36:20PM -0400, SP wrote:
Yeah, when I saw the messages from systemd about the program not having exited, I was going to ask you about that... but you figured it out on your own. Sorry I didn't notice it at first - or maybe I did notice it and I assumed that you'd told systemd that this was a Type=simple service.
Anyway, nice to know it's working for you now; don't hesitate to write to the list with any further problems!
G'luck, Peter
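As an added example (not code from this thread or from stunnel itself), a small Python linter that applies the rule behind Peter's "exactly two endpoints" explanation to a stunnel.conf, flags foreground = yes when the unit is Type=forking (the start timeout seen above), and reports whether the PEM file carries DH parameters and how large the prime is. The 2048-bit minimum and the Type=forking default are this example's assumptions; the sample configs are trimmed from the ones posted above, and any primes fed to dh_params_pem for testing are constructed filler integers, not real DH groups.

```python
"""Lint a stunnel.conf and its PEM for the faults discussed in the thread above.
Constructed example, not stunnel's own code: the two-endpoint rule, foreground = yes
under a forking systemd unit, and the size of the DH prime appended to the PEM."""
import base64
import re

ENDPOINT_KEYS = ("accept", "connect", "exec")
MIN_DH_BITS = 2048  # assumed threshold; the 512-bit group from step 2 above is well below it
# Trimmed from the thread's first (failing) and final (working) stunnel.conf.
BROKEN_CONF = ("foreground = yes\n[pop3s]\naccept = mail.myserver.net:995\n"
               "connect = localhost:110\nexec = /usr/local/sbin/gnu-pop3d\n"
               "execargs = --debug=000 --mdn --timeout=60 --ipv6\n")
WORKING_CONF = (";foreground = yes\n[pop3s]\naccept = mail.myserver.net:995\n"
                "connect = 110\ncert = /etc/stunnel/stunnel.pem\n")

def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); ';' and '#' start comment lines."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else services[current]
        target[key.strip().lower()] = value.strip()
    return global_opts, services

def lint_conf(text, systemd_type="forking"):
    """Findings for a config started from a systemd unit of the given Type (empty = clean)."""
    findings = []
    global_opts, services = parse_stunnel_conf(text)
    for name, opts in services.items():
        present = [k for k in ENDPOINT_KEYS if k in opts]
        if len(present) != 2:  # accept+connect or accept+exec pass; all three fail
            findings.append(f"ERROR: [{name}] defines {len(present)} endpoint(s) "
                            f"{present}; stunnel requires exactly two")
    if systemd_type == "forking" and global_opts.get("foreground", "").lower() == "yes":
        findings.append("ERROR: foreground = yes under Type=forking: systemd waits for "
                        "the parent to exit and the start operation times out")
    return findings

def _der_len(n):
    """DER length octets for content length n (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def dh_params_pem(p, g=2):
    """PEM-encode DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } (to build samples)."""
    ints = b""
    for x in (p, g):
        body = x.to_bytes(x.bit_length() // 8 + 1, "big")  # spare byte keeps the sign bit clear
        ints += b"\x02" + _der_len(len(body)) + body
    b64 = base64.b64encode(b"\x30" + _der_len(len(ints)) + ints).decode()
    text = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{text}\n-----END DH PARAMETERS-----\n"

def _der_tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:  # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F  # long form: n length octets follow
    start = pos + 2 + n
    return tag, start, start + int.from_bytes(buf[pos + 2:start], "big")

def dh_prime_bits(pem_text):
    """Bit length of the DH prime in a PEM file, or None when it has no DH block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    tag, start, _ = _der_tlv(der, 0)             # outer SEQUENCE
    tag2, p_start, p_end = _der_tlv(der, start)  # first INTEGER is the prime
    if tag != 0x30 or tag2 != 0x02:
        raise ValueError("not a DHParameter structure")
    return int.from_bytes(der[p_start:p_end], "big").bit_length()

def lint_pem(pem_text):
    """Findings for the cert/key PEM; with no DH block stunnel falls back to dynamic DH."""
    bits = dh_prime_bits(pem_text)
    if bits is None:
        return ["INFO: no DH PARAMETERS block; stunnel will generate dynamic DH parameters"]
    return [f"WARN: DH prime is only {bits} bits; use at least {MIN_DH_BITS}"] if bits < MIN_DH_BITS else []
```

Run lint_conf on the file and lint_pem on the cert/key PEM before restarting the unit; with a Type=simple unit pass systemd_type="simple" so foreground = yes is not flagged.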