[stunnel-users] Receive from secure servers

Info ITsatWork info at itsatwork.nl
Sat Mar 21 15:22:52 CET 2015


Hello,

A company which we work with wants to send secure (TLS) mails to our
server. I think stunnel can do the trick for me, as our own server
(Scalix) doesn't support TLS for itself. Now I set up stunnel and it
looks like it's working, except it's not receiving secured mails. I can
still receive normal mails, so somehow it is not working.

I used the sample config and filled in the things I thought I needed.
My config:


; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
; Remember also to update the logrotate configuration.
;chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
;setuid = nobody
;setgid = nogroup

; PID file is created inside the chroot jail (if enabled)
;pid = /usr/local/var/run/stunnel.pid

; Debugging stuff (may be useful for troubleshooting)
debug = 7
output = stunnel.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

client = no
; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/local/etc/stunnel/crls.pem
;sslVersion = all
; Disable support for the insecure SSLv2 protocol (NO_SSLv2 turns it off)
;options = NO_SSLv2
; Disable support for the insecure SSLv3 protocol (NO_SSLv3 turns it off)
;options = NO_SSLv3
; Workaround for Eudora bug
; options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; Example SSL server mode services

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

[ssmtp]
accept  = 192.168.1.102:25
connect = 192.168.1.102:26
protocol = smtp

; Example SSL client mode services

;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995

;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465

; Example SSL front-end to a web server

;[https]
;accept  = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

; vim:ft=dosini

This is what I see in the logfiles for the mails I don't receive:

2015.03.21 14:56:46 LOG7[main]: Service [ssmtp] accepted (FD=12) from 207.46.163.207:8478
2015.03.21 14:56:46 LOG7[2]:  <- EHLO na01-by2-obe.outbound.protection.outlook.com
2015.03.21 14:56:46 LOG7[2]:  -> 250-mailserver.mydomain.nl
2015.03.21 14:56:46 LOG7[2]:  -> 250 STARTTLS
2015.03.21 14:56:46 LOG7[1]: SSL state (accept): SSLv3 read client key exchange A
2015.03.21 14:56:46 LOG7[1]: SSL state (accept): SSLv3 read finished A
2015.03.21 14:56:46 LOG7[1]: SSL state (accept): SSLv3 write change cipher spec A
2015.03.21 14:56:46 LOG7[1]: SSL state (accept): SSLv3 write finished A
2015.03.21 14:56:46 LOG7[1]: SSL state (accept): SSLv3 flush data
2015.03.21 14:56:46 LOG7[1]:    1 items in the session cache
2015.03.21 14:56:46 LOG7[1]:    0 client connects (SSL_connect())
2015.03.21 14:56:46 LOG7[1]:    0 client connects that finished
2015.03.21 14:56:46 LOG7[1]:    0 client renegotiations requested
2015.03.21 14:56:46 LOG7[1]:    1 server connects (SSL_accept())
2015.03.21 14:56:46 LOG7[1]:    1 server connects that finished
2015.03.21 14:56:46 LOG7[1]:    0 server renegotiations requested
2015.03.21 14:56:46 LOG7[1]:    0 session cache hits
2015.03.21 14:56:46 LOG7[1]:    0 external session cache hits
2015.03.21 14:56:46 LOG7[1]:    0 session cache misses
2015.03.21 14:56:46 LOG7[1]:    0 session cache timeouts
2015.03.21 14:56:46 LOG6[1]: No peer certificate received
2015.03.21 14:56:46 LOG6[1]: SSL accepted: new session negotiated
2015.03.21 14:56:46 LOG6[1]: Negotiated TLSv1 ciphersuite AES256-SHA (256-bit encryption)
2015.03.21 14:56:46 LOG7[1]: Compression: null, expansion: null
2015.03.21 14:56:46 LOG7[3]: Service [ssmtp] started
2015.03.21 14:56:46 LOG5[3]: Service [ssmtp] accepted connection from 207.46.163.207:8478
2015.03.21 14:56:46 LOG6[3]: s_connect: connecting 192.168.1.102:26
2015.03.21 14:56:46 LOG7[3]: s_connect: s_poll_wait 192.168.1.102:26: waiting 10 seconds
2015.03.21 14:56:46 LOG5[3]: s_connect: connected 192.168.1.102:26
2015.03.21 14:56:46 LOG5[3]: Service [ssmtp] connected remote server from 192.168.1.102:22148
2015.03.21 14:56:46 LOG7[3]: Remote socket (FD=13) initialized
2015.03.21 14:56:46 LOG6[1]: Read socket closed (readsocket)
2015.03.21 14:56:46 LOG7[1]: Sending close_notify alert
2015.03.21 14:56:46 LOG7[1]: SSL alert (write): warning: close notify
2015.03.21 14:56:46 LOG6[1]: SSL_shutdown successfully sent close_notify alert
2015.03.21 14:56:46 LOG7[2]:  <- STARTTLS
2015.03.21 14:56:46 LOG7[2]:  -> 220 Go ahead
2015.03.21 14:56:46 LOG7[2]: SSL state (accept): before/accept initialization
2015.03.21 14:56:46 LOG7[3]: RFC 2487 detected
2015.03.21 14:56:46 LOG7[3]:  <- 220 mailserver.rsconsultancy.nl ESMTP Scalix SMTP Relay 11.4.6.13676; Sat, 21 Mar 2015 14:56:46 +0100 (CET)
2015.03.21 14:56:46 LOG7[3]:  -> 220 mailserver.rsconsultancy.nl stunnel for ESMTP Scalix SMTP Relay 11.4.6.13676; Sat, 21 Mar 2015 14:56:46
2015.03.21 14:56:46 LOG6[1]: SSL socket closed (SSL_read)
2015.03.21 14:56:46 LOG7[1]: Sent socket write shutdown
2015.03.21 14:56:46 LOG5[1]: Connection closed: 52 byte(s) sent to SSL, 6 byte(s) sent to socket
2015.03.21 14:56:46 LOG7[1]: Remote socket (FD=9) closed
2015.03.21 14:56:46 LOG7[1]: Local socket (FD=3) closed
2015.03.21 14:56:46 LOG7[1]: Service [ssmtp] finished (2 left)


Could anyone please tell me what I'm doing wrong?

Jeroen
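Added here as a worked example (it is not part of the post and not stunnel's own code): a small parser that groups the debug log above by stunnel connection id, records the negotiated protocol, ciphersuite and peer-certificate status, and flags sessions that completed the TLS handshake but forwarded almost nothing to the plaintext backend, which is exactly what connection [1] shows. The embedded log lines are a constructed, condensed copy of those quoted above; the 100-byte threshold is an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed copy of the stunnel debug log quoted in the post.
SAMPLE_LOG = """\
2015.03.21 14:56:46 LOG7[main]: Service [ssmtp] accepted (FD=12) from 207.46.163.207:8478
2015.03.21 14:56:46 LOG7[2]:  <- EHLO na01-by2-obe.outbound.protection.outlook.com
2015.03.21 14:56:46 LOG6[1]: No peer certificate received
2015.03.21 14:56:46 LOG6[1]: Negotiated TLSv1 ciphersuite AES256-SHA (256-bit encryption)
2015.03.21 14:56:46 LOG5[3]: Service [ssmtp] accepted connection from 207.46.163.207:8478
2015.03.21 14:56:46 LOG5[1]: Connection closed: 52 byte(s) sent to SSL, 6 byte(s) sent to socket
2015.03.21 14:56:46 LOG7[3]: RFC 2487 detected
"""

LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\w+)\]: (.*)$")
NEG_RE = re.compile(r"Negotiated (\S+) ciphersuite (\S+)")
CLOSE_RE = re.compile(r"Connection closed: (\d+) byte\(s\) sent to SSL, "
                      r"(\d+) byte\(s\) sent to socket")

def parse_stunnel_log(text):
    """Group log lines by stunnel connection id and extract the TLS facts per session."""
    # 'sent to SSL' = bytes written towards the TLS client; 'sent to socket' = bytes written to the backend
    conns = defaultdict(lambda: {"tls": None, "cipher": None, "peer_cert": None,
                                 "to_ssl": None, "to_socket": None, "events": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) == "main":      # [main] lines are not tied to one connection
            continue
        c = conns[int(m.group(3))]
        msg = m.group(4)
        c["events"].append(msg)
        if (n := NEG_RE.search(msg)):
            c["tls"], c["cipher"] = n.group(1), n.group(2)
        elif msg.startswith("No peer certificate received"):
            c["peer_cert"] = False
        elif (n := CLOSE_RE.search(msg)):
            c["to_ssl"], c["to_socket"] = int(n.group(1)), int(n.group(2))
    return dict(conns)

def find_stalled_sessions(conns, min_backend_bytes=100):
    """Heuristic: a negotiated TLS session that pushed fewer than min_backend_bytes
    to the backend never carried a message; those are the sessions to investigate."""
    return sorted(cid for cid, c in conns.items()
                  if c["tls"] and c["to_socket"] is not None
                  and c["to_socket"] < min_backend_bytes)

def find_legacy_protocols(conns):
    """Sessions negotiated with SSLv2/SSLv3 (NO_SSLv2/NO_SSLv3 are commented out in the posted config)."""
    return sorted(cid for cid, c in conns.items() if c["tls"] in ("SSLv2", "SSLv3"))
```

Run over the full stunnel.log, a session flagged by find_stalled_sessions is one where the sending side gave up right after the handshake; the backend (Scalix) log for the same timestamp shows what, if anything, it received on port 26.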
