[stunnel-users] transparent = source, stunnel connect always times out
Robert Hardy
rhardy at webcon.ca
Thu May 5 23:11:46 CEST 2011
On Tue, 3 May 2011, Robert Hardy wrote:
> On Sat, 26 Mar 2011, Michal Trojnara wrote:
>>
>> Interesting. I can't see any obvious mistake in your configuration.
>>
>> With these type of problems "tcpdump", "iptables -L -v", and "dmesg" are
>> your friends.
>>
>> Best regards,
>> Michal Trojnara
>>
>
> I've tried several times to get stunnel to work as a transparent smtps
> proxy. I just tried again using stunnel 4.36 and as you suggested used
> tcpdump in several places, to attempt further debugging. It always just
> times out: both in the stunnel log file and my mail client times out too.
>
> There are no obvious messages indicating the problem in dmesg or any logs.
I think I understand now what is happening.
Based on this config fragment and the tcpdumps on my external NIC on my mail server:
[smtps]
accept = 66.51.123.229:465
connect = 216.194.67.26:25
transparent = source
stunnel is properly listening on 465, decrypting the traffic and then
forwarding the traffic to my mail server on port 25 as if it was coming from
the source address. That's great however my mail server seems to be replying
directly to the client directly from port 25, bypassing stunnel. Obviously
since the mail client is expecting SSL back and the communication to be from
port 465, that isn't going to work.
I suspect I need transparent = both, but the service definition/iptables
rules required are eluding me.
I tried
[smtps]
accept = 66.51.123.229:465
connect = 216.194.67.26:25
transparent = both
but it now complains Line 27: End of section smtps: Each service must define two endpoints
The docs on transparent = both is a single line which doesn't help much.
It isn't clear how you are supposed to merge the transparent=source and
transparent=destination service defintions to make a transparent=both
definition.
Can someone please provide an example for the correct service defintion for transparent = both for smtps?
If this won't fix my issue, other comments are very welcome.
I'm willing to pay cash for a workable solution to this problem.
Here is a tcpdump run on my mail server's external interface:
# tcpdump -i eth0 -x -X -nn -vvv -s 1500 \
( host fw1.pensivo.com and not port 22 and not port 993 and not port 80 \)
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
15:13:24.817739 IP (tos 0x0, ttl 118, id 26475, offset 0, flags [none], proto: TCP (6), length: 52) 142.46.198.130.56080 > 66.51.123.229.465: S, cksum 0x8a9d (correct), 2667918792:2667918792(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
0x0000: 4500 0034 676b 0000 7606 ca8f 8e2e c682 E..4gk..v.......
0x0010: 4233 7be5 db10 01d1 9f05 35c8 0000 0000 B3{.......5.....
0x0020: 8002 2000 8a9d 0000 0204 05b4 0103 0302 ................
0x0030: 0101 0402 ....
15:13:24.817844 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 52) 66.51.123.229.465 > 142.46.198.130.56080: S, cksum 0x12f0 (incorrect (-> 0xad93), 100515312:100515312(0) ack 2667918793 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 5>
0x0000: 4500 0034 0000 4000 4006 27fb 4233 7be5 E..4.. at .@.'.B3{.
0x0010: 8e2e c682 01d1 db10 05fd bdf0 9f05 35c9 ..............5.
0x0020: 8012 3908 12f0 0000 0204 05b4 0101 0402 ..9.............
0x0030: 0103 0305 ....
15:13:24.866234 IP (tos 0x0, ttl 118, id 26476, offset 0, flags [none], proto: TCP (6), length: 40) 142.46.198.130.56080 > 66.51.123.229.465: ., cksum 0xe742 (correct), 1:1(0) ack 1 win 16425
0x0000: 4500 0028 676c 0000 7606 ca9a 8e2e c682 E..(gl..v.......
0x0010: 4233 7be5 db10 01d1 9f05 35c9 05fd bdf1 B3{.......5.....
0x0020: 5010 4029 e742 0000 aaaa 0000 aaaa P.@).B........
15:13:24.866892 IP (tos 0x0, ttl 118, id 26477, offset 0, flags [none], proto: TCP (6), length: 241) 142.46.198.130.56080 > 66.51.123.229.465: P, cksum 0x105f (correct), 1:202(201) ack 1 win 16425
0x0000: 4500 00f1 676d 0000 7606 c9d0 8e2e c682 E...gm..v.......
0x0010: 4233 7be5 db10 01d1 9f05 35c9 05fd bdf1 B3{.......5.....
0x0020: 5018 4029 105f 0000 1603 0100 c401 0000 P.@)._..........
0x0030: c003 014d c2f6 d2dc 80e1 3e2e b135 560b ...M......>..5V.
0x0040: e7d3 6cfa af89 fa9e e27b fe9c f73a d78d ..l......{...:..
0x0050: f038 f720 ee04 e8a7 cfde 1f3b 2949 48f5 .8.........;)IH.
0x0060: 7b69 cf8d f67d 21b8 564a 4f6f 504c c4a5 {i...}!.VJOoPL..
0x0070: ca1a 6796 0048 00ff c00a c014 0088 0087 ..g..H..........
0x0080: 0038 c00f c005 0084 0035 0039 c007 c009 .8.......5.9....
0x0090: c011 c013 0045 0044 0033 0032 c00c c00e .....E.D.3.2....
0x00a0: c002 c004 0096 0041 0004 0005 002f c008 .......A...../..
0x00b0: c012 0016 0013 c00d c003 feff 000a 0100 ................
0x00c0: 002f 0000 0015 0013 0000 1073 6563 7572 ./.........secur
0x00d0: 652e 7765 6263 6f6e 2e63 6100 0a00 0800 e.webcon.ca.....
0x00e0: 0600 1700 1800 1900 0b00 0201 0000 2300 ..............#.
0x00f0: 00 .
15:13:24.866997 IP (tos 0x0, ttl 64, id 35230, offset 0, flags [DF], proto: TCP (6), length: 40) 66.51.123.229.465 > 142.46.198.130.56080: ., cksum 0x12e4 (incorrect (-> 0x24b9), 1:1(0) ack 202 win 490
0x0000: 4500 0028 899e 4000 4006 9e68 4233 7be5 E..(.. at .@..hB3{.
0x0010: 8e2e c682 01d1 db10 05fd bdf1 9f05 3692 ..............6.
0x0020: 5010 01ea 12e4 0000 P.......
15:13:24.871253 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 216.194.67.26.25 > 142.46.198.130.56080: S, cksum 0x70bc (incorrect (-> 0xbb1a), 104463978:104463978(0) ack 93094159 win 14480 <mss 1460,sackOK,timestamp 171455600 171455600,nop,wscale 5>
0x0000: 4500 003c 0000 4000 4006 ca2e d8c2 431a E..<.. at .@.....C.
0x0010: 8e2e c682 0019 db10 0639 fe6a 058c 810f .........9.j....
0x0020: a012 3890 70bc 0000 0204 05b4 0402 080a ..8.p...........
0x0030: 0a38 3470 0a38 3470 0103 0305 .84p.84p....
15:13:27.877522 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 216.194.67.26.25 > 142.46.198.130.56080: S, cksum 0x70bc (incorrect (-> 0xb82a), 104463978:104463978(0) ack 93094159 win 14480 <mss 1460,sackOK,timestamp 171456352 171455600,nop,wscale 5>
0x0000: 4500 003c 0000 4000 4006 ca2e d8c2 431a E..<.. at .@.....C.
0x0010: 8e2e c682 0019 db10 0639 fe6a 058c 810f .........9.j....
0x0020: a012 3890 70bc 0000 0204 05b4 0402 080a ..8.p...........
0x0030: 0a38 3760 0a38 3470 0103 0305 .87`.84p....
15:13:28.677559 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 216.194.67.26.25 > 142.46.198.130.56080: S, cksum 0x70bc (incorrect (-> 0xb762), 104463978:104463978(0) ack 93094159 win 14480 <mss 1460,sackOK,timestamp 171456552 171455600,nop,wscale 5>
0x0000: 4500 003c 0000 4000 4006 ca2e d8c2 431a E..<.. at .@.....C.
0x0010: 8e2e c682 0019 db10 0639 fe6a 058c 810f .........9.j....
0x0020: a012 3890 70bc 0000 0204 05b4 0402 080a ..8.p...........
0x0030: 0a38 3828 0a38 3470 0103 0305 .88(.84p....
15:13:33.894165 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 216.194.67.26.25 > 142.46.198.130.56080: S, cksum 0x70bc (incorrect (-> 0xb24a), 104463978:104463978(0) ack 93094159 win 14480 <mss 1460,sackOK,timestamp 171457856 171455600,nop,wscale 5>
0x0000: 4500 003c 0000 4000 4006 ca2e d8c2 431a E..<.. at .@.....C.
0x0010: 8e2e c682 0019 db10 0639 fe6a 058c 810f .........9.j....
0x0020: a012 3890 70bc 0000 0204 05b4 0402 080a ..8.p...........
0x0030: 0a38 3d40 0a38 3470 0103 0305 [email protected]....
15:13:35.078215 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 216.194.67.26.25 > 142.46.198.130.56080: S, cksum 0x70bc (incorrect (-> 0xb122), 104463978:104463978(0) ack 93094159 win 14480 <mss 1460,sackOK,timestamp 171458152 171455600,nop,wscale 5>
0x0000: 4500 003c 0000 4000 4006 ca2e d8c2 431a E..<.. at .@.....C.
0x0010: 8e2e c682 0019 db10 0639 fe6a 058c 810f .........9.j....
0x0020: a012 3890 70bc 0000 0204 05b4 0402 080a ..8.p...........
0x0030: 0a38 3e68 0a38 3470 0103 0305 .8>h.84p....
Regards,
Robert Hardy
More information about the stunnel-users
mailing list