[stunnel-users] Service [SMTP Outgoing] needs authentication to prevent MITM attacks

Eric Poythress epoythress at airhygiene.com
Wed Sep 2 05:28:19 CEST 2015 

My stunnel.conf looks like this:

	# Stunnel configuration file for Office 365 SMTP
	# Eric Poythress
	# GLOBAL OPTIONS
	client = yes
	output = stunnel-log.txt
	debug=7
	taskbar=yes

	# SERVICE-LEVEL OPTIONS
	[SMTP Outgoing]
	client = yes
	protocol = smtp
	accept = 25
	connect = smtp.office365.com:587
	verify = 2
	CAfile = ca-certs.pem
	checkHost = smtp.office365.com


A larger sample of my logs looks like this:

	2015.09.01 22:15:15 LOG5[1]: s_connect: connected 132.245.70.98:587
	2015.09.01 22:15:15 LOG5[1]: Service [SMTP Outgoing] connected remote server from 192.168.100.41:1565
	2015.09.01 22:15:15 LOG7[1]: Remote socket (FD=468) initialized
	2015.09.01 22:15:15 LOG7[1]:  <- 220 SN1PR15CA0037.outlook.office365.com Microsoft ESMTP MAIL Service ready at Wed, 2 Sep 2015 03:13:50 +0000
	2015.09.01 22:15:15 LOG7[1]:  -> 220 SN1PR15CA0037.outlook.office365.com Microsoft ESMTP MAIL Service ready at Wed, 2 Sep 2015 03:13:50 +0000
	2015.09.01 22:15:15 LOG7[1]:  -> EHLO localhost
	2015.09.01 22:15:15 LOG7[1]:  <- 250-SN1PR15CA0037.outlook.office365.com Hello [70.167.26.246]
	2015.09.01 22:15:15 LOG7[1]:  <- 250-SIZE 157286400
	2015.09.01 22:15:15 LOG7[1]:  <- 250-PIPELINING
	2015.09.01 22:15:15 LOG7[1]:  <- 250-DSN
	2015.09.01 22:15:15 LOG7[1]:  <- 250-ENHANCEDSTATUSCODES
	2015.09.01 22:15:15 LOG7[1]:  <- 250-STARTTLS
	2015.09.01 22:15:15 LOG7[1]:  <- 250-8BITMIME
	2015.09.01 22:15:15 LOG7[1]:  <- 250-BINARYMIME
	2015.09.01 22:15:15 LOG7[1]:  <- 250 CHUNKING
	2015.09.01 22:15:15 LOG7[1]:  -> STARTTLS
	2015.09.01 22:15:16 LOG7[1]:  <- 220 2.0.0 SMTP server ready
	2015.09.01 22:15:16 LOG6[1]: SNI: sending servername: smtp.office365.com
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): before/connect initialization
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 write client hello A
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server hello A
	2015.09.01 22:15:16 LOG7[1]: Verification started at depth=2: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
	2015.09.01 22:15:16 LOG7[1]: CERT: Pre-verification succeeded
	2015.09.01 22:15:16 LOG6[1]: Certificate accepted at depth=2: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
	2015.09.01 22:15:16 LOG7[1]: Verification started at depth=1: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA1
	2015.09.01 22:15:16 LOG7[1]: CERT: Pre-verification succeeded
	2015.09.01 22:15:16 LOG6[1]: Certificate accepted at depth=1: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA1
	2015.09.01 22:15:16 LOG7[1]: Verification started at depth=0: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=outlook.com
	2015.09.01 22:15:16 LOG7[1]: CERT: Pre-verification succeeded
	2015.09.01 22:15:16 LOG6[1]: CERT: Host name "smtp.office365.com" matched with "*.office365.com"
	2015.09.01 22:15:16 LOG5[1]: Certificate accepted at depth=0: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=outlook.com
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server certificate A
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server key exchange A
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server certificate request A
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server done A
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 write client certificate A
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 write client key exchange A
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 write change cipher spec A
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 write finished A
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 flush data
	2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read finished A
	2015.09.01 22:15:16 LOG7[1]:      2 client connect(s) requested
	2015.09.01 22:15:16 LOG7[1]:      2 client connect(s) succeeded
	2015.09.01 22:15:16 LOG7[1]:      0 client renegotiation(s) requested
	2015.09.01 22:15:16 LOG7[1]:      0 session reuse(s)
	2015.09.01 22:15:16 LOG6[1]: SSL connected: new session negotiated
	2015.09.01 22:15:16 LOG7[1]: Deallocating application specific data for addr index
	2015.09.01 22:15:16 LOG6[1]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-SHA384 (256-bit encryption)
	2015.09.01 22:15:16 LOG7[1]: Compression: null, expansion: null
	2015.09.01 22:15:21 LOG6[1]: Read socket closed (readsocket)
	2015.09.01 22:15:21 LOG7[1]: Sending close_notify alert
	2015.09.01 22:15:21 LOG7[1]: SSL alert (write): warning: close notify
	2015.09.01 22:15:21 LOG6[1]: SSL_shutdown successfully sent close_notify alert
	2015.09.01 22:15:21 LOG6[1]: SSL socket closed (SSL_read)
	2015.09.01 22:15:21 LOG7[1]: Sent socket write shutdown
	2015.09.01 22:15:21 LOG5[1]: Connection closed: 71 byte(s) sent to SSL, 237 byte(s) sent to socket
	2015.09.01 22:15:21 LOG7[1]: Remote socket (FD=468) closed
	2015.09.01 22:15:21 LOG7[1]: Local socket (FD=440) closed
	2015.09.01 22:15:21 LOG7[1]: Service [SMTP Outgoing] finished (0 left)

-Eric

More information about the stunnel-users mailing list