Hi everybody,
I'm absolutely new to stunnel. I came here because of a post in the google forums about making Symantec System Recovery mail through smtp.gmail.com. Symantec is not capable of doing SSL/TLS, so I need a solution like stunnel.
But I've an issue: it doesn't seem to work :)
I installed the program ok, and configured in the following way:
cert=stunnel.pem
socket = l:TCP_NODELAY=1
socket= r:TCP_NODELAY=1
[gmail-smtp]
client=yes
accept:127.0.0.1:25
connect= smtp.gamil.com:465
EOF
The server is listening on 127.0.0.1:25, but when I telnet to that port it gives an error and doesn't seem to tunnel me to smtp.gmail.com. On the other hand, I configured Outlook to use that tunnel, but it gives an error stating it can reach the smtp server.
What am I doing wrong? Should I change the TLS version?
Best regards and thanks in advance.
On Tue, Nov 19, 2013 at 06:51:37PM +0100, edu.bit.es@gmail.com wrote:
Did you copy and paste these lines directly from your configuration file, or did you try to reproduce them by hand or by memory? If you copied and pasted them, then I believe that the last line should say "gmail" instead of "gamil" :) And if you tried to reproduce them by hand, then please copy and paste your exact configuration for us to see.
G'luck, Peter
On Wed, Nov 20, 2013 at 12:07:58AM +0200, Peter Pentchev wrote:
Oh yeah, and the "accept" line really should say "accept=" instead of "accept:", so... can you please copy and paste the exact configuration that you used? :)
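Both of Peter's remarks (the "accept:" that should be "accept =", and "gamil" for "gmail") are the kind of thing a tiny parser for stunnel's "option = value" / "[service]" format catches before the daemon is ever started. The following is an added example, not code from the thread or from the stunnel project; the sample configuration is a constructed copy of the one in the first message, and the hostname check assumes that smtp.gmail.com is the intended target.

```python
import re

# Constructed copy of the configuration from the first message.
SAMPLE_CONFIG = """\
cert=stunnel.pem
socket = l:TCP_NODELAY=1
socket= r:TCP_NODELAY=1
[gmail-smtp]
client=yes
accept:127.0.0.1:25
connect= smtp.gamil.com:465
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
OPTION_RE = re.compile(r"^([A-Za-z_]+)\s*=\s*(.*?)\s*$")

def parse_stunnel_config(text):
    """Return (global options, {service: options}, [(line, problem)])."""
    global_opts, services, problems = [], {}, []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank lines and comments
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            services[current] = []
            continue
        m = OPTION_RE.match(line)
        if not m:  # e.g. 'accept:127.0.0.1:25' instead of 'accept = ...'
            problems.append((lineno, "expected 'option = value': " + line))
            continue
        target = services[current] if current else global_opts
        target.append((m.group(1), m.group(2)))
    return global_opts, services, problems

def check_service(opts, expected_host):
    """Flag a client service that cannot reach the host we intended."""
    problems = []
    present = {key for key, _ in opts}
    for key in ("accept", "connect"):
        if key not in present:
            problems.append(f"missing '{key} =' line")
    for key, value in opts:
        if key == "connect":
            host = value.rsplit(":", 1)[0]  # strip the port
            if host != expected_host:
                problems.append(f"connect host {host!r} is not {expected_host!r}")
    return problems
```

Run against the sample, the parser reports the "accept:" line as malformed and the service check reports both the consequently missing accept option and the misspelled host.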
Hi and thanks for your response.
Attached is the log file (stunnel.txt) and the config file (stunnelconf.txt).
Thanks a lot.
-----Original Message----- From: Peter Pentchev [mailto:roam@ringlet.net] Sent: Tuesday, November 19, 2013 11:22 PM To: edu.bit.es@gmail.com Cc: stunnel-users@stunnel.org Subject: Re: [stunnel-users] setup stunnel problem
On Wed, Nov 20, 2013 at 11:52:05AM +0100, edu.bit.es@gmail.com wrote:
Thanks for showing us the logs and for your patience :)
OK, so here's what stunnel has to say about the actual connection:
[snip]
2013.11.20 05:48:59 LOG5[14516:16268]: Service [gmail-smtp] connected remote server from 192.168.1.10:29290
2013.11.20 05:48:59 LOG7[14516:16268]: Remote socket (FD=472) initialized
2013.11.20 05:48:59 LOG7[14516:16268]: SNI: sending servername: smtp.gmail.com
2013.11.20 05:48:59 LOG7[14516:16268]: SSL state (connect): before/connect initialization
2013.11.20 05:48:59 LOG7[14516:16268]: SSL state (connect): SSLv2/v3 write client hello A
2013.11.20 05:48:59 LOG3[14516:16268]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2013.11.20 05:48:59 LOG5[14516:16268]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
So it says that it has connected to smtp.gmail.com on the port that you specified and that the Gmail SMTP server did not speak proper SSL to it. Now let's see if we can figure out why the Gmail SMTP server doesn't want to speak SSL to us:
[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:587
OK, so this says several things:
- listen on port 25 of our local machine
- accept cleartext traffic on port 25 of our local machine
- once a client connects, create a new connection to port 587 of smtp.gmail.com
- speak SSL to smtp.gmail.com:587 - that is, expect smtp.gmail.com to speak SSL to us if we connect to its port 587
Well, let's see if it does:
[roam@straylight ~]$ telnet smtp.gmail.com 587
Trying 74.125.136.108...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP i1sm58627991eeg.0 - gsmtp
No, it doesn't. Port 587 is usually used for the "mail submission" service which speaks plain simplified SMTP - plain as in "not encrypted" as in "not SSL". You have configured Stunnel to (as it should) speak SSL to the remote side, so you ought to tell it to either:
- connect to a service that starts speaking SSL straight away, or
- tell it to expect the remote service to not speak SSL straight away and tell it how to negotiate an SSL connection with it
In your first message you mentioned port 465; it is usually used for the "secure SMTP" service, which *does* start speaking SSL straight away. This is actually the first option: so what happens (show us the logfiles if it doesn't work) if you put 465 instead of 587 in your Stunnel configuration for the gmail-smtp service?
Another option would be to add another line to the gmail-smtp service:
protocol = smtp
This tells Stunnel that the remote is actually an SMTP (or SMTP-like) server that will understand a "STARTTLS" command and, hopefully, respond with a "2xx Ready to start a TLS conversation with you" message. This might fix the problem, too - it is option 2 from the above (negotiate an SSL connection with a non-SSL service).
I'd try using port 465 first; if it doesn't work, show us the logs again.
G'luck, Peter
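The distinction Peter draws is between a port where the server expects TLS from the first byte (465) and a port where the server greets in cleartext and only upgrades after STARTTLS (587, which is what "protocol = smtp" makes stunnel negotiate). As an added example that is not part of the thread or of stunnel itself, the code below classifies the first bytes a client reads after connecting, renders the matching [gmail-smtp] section for each case, and maps the "SSL23_GET_SERVER_HELLO:unknown protocol" line from the log to its usual cause. The banner and log line are constructed copies of the ones quoted above.

```python
import re

# Constructed inputs: the first bytes a client reads after connecting,
# before sending anything. The 587 banner is the one from Peter's telnet.
BANNER_587 = b"220 mx.google.com ESMTP i1sm58627991eeg.0 - gsmtp\r\n"
SILENCE_465 = b""  # an implicit-TLS server waits for our ClientHello

# Constructed copy of the LOG3 line stunnel wrote against port 587.
STUNNEL_LOG = [
    "2013.11.20 05:48:59 LOG7[14516:16268]: SSL state (connect): SSLv2/v3 write client hello A",
    "2013.11.20 05:48:59 LOG3[14516:16268]: SSL_connect: 140770FC: error:140770FC:"
    "SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol",
]

def classify_first_bytes(data):
    """'starttls' for a cleartext SMTP greeting, 'implicit-tls' for silence."""
    if data == b"":
        return "implicit-tls"
    if re.match(rb"^220[ -]", data):  # RFC 5321 greeting, single- or multi-line
        return "starttls"
    return "unknown"

def stunnel_service(host, mode, local="127.0.0.1:25"):
    """Render the [gmail-smtp] section that matches how the remote speaks TLS."""
    lines = ["[gmail-smtp]", "client = yes", f"accept = {local}"]
    if mode == "implicit-tls":
        lines.append(f"connect = {host}:465")   # TLS from the first byte
    elif mode == "starttls":
        lines.append(f"connect = {host}:587")   # cleartext greeting first ...
        lines.append("protocol = smtp")         # ... then stunnel sends STARTTLS
    else:
        raise ValueError(f"no service template for mode {mode!r}")
    return "\n".join(lines) + "\n"

UNKNOWN_PROTO = re.compile(r"LOG3\[\d+:\d+\]: SSL_connect: .*unknown protocol")

def diagnose_log(lines):
    """Explain the handshake error from the thread; None if it is absent."""
    for line in lines:
        if UNKNOWN_PROTO.search(line):
            return ("remote replied to our ClientHello with something that is "
                    "not TLS: it is probably a STARTTLS port, so connect to the "
                    "implicit-TLS port instead or add 'protocol = smtp'")
    return None
```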
Thanks a lot Peter,
Changed the port to 465 but did not change the option "protocol=smtp" because there was a timeout.
Stunnel config file--> stunnelconf.txt
Log file --> stunnel.txt
Regards.
-----Original Message----- From: Peter Pentchev [mailto:roam@ringlet.net] Sent: Wednesday, November 20, 2013 12:26 PM To: edu.bit.es@gmail.com Cc: stunnel-users@stunnel.org Subject: Re: [stunnel-users] setup stunnel problem
On Wed, Nov 20, 2013 at 01:12:43PM +0100, edu.bit.es@gmail.com wrote:
Hm, now this log file does not show a Stunnel-related problem at all. It seems that Stunnel gets a client connection, connects to smtp.gmail.com, successfully negotiates an SSL session and in the next second reports that the client (the program connecting to Stunnel on your machine) closed the connection, so it closes the other side, too (all the SSL close notification and session shutdown messages).
IMHO, your Stunnel configuration is fine now; if you are seeing problems while using it with some program, it remains to be seen what the program is doing and why the program thinks that there are problems serious enough to close the connection very quickly. What program did you use to test this? Did it report some kind of error? Is there any way to ask it to show you its own log of the session with its own error reporting?
G'luck, Peter
Hi Peter,
Everything ok, sending smtp messages.
Thanks a lot for your advice.
If you ever come to Barcelona (Spain) I owe you a beer.
Best regards.