[stunnel-users] Creating tunnel to smtp.office365.com:587
Andrew Culver
aculver at uwo.ca
Thu Jan 19 22:03:54 CET 2017
Hi Malgorzata,
Thanks for your reply. It was not my intention to verify client
certificates. I misunderstood verifyCheck = yes to mean it would verify the
certificate of the server to which stunnel is connecting. I've removed this
from my config and also enabled debug logging as you suggested.
I did some more playing around and managed to get it working by defining
two services. The first service accepts TLS connections and connects to the
second service running on a different port which then connects to Office
365. I've been able to send emails through Office 365 by pointing my
Thunderbird at stunnel. Here's my config:
setuid = nobody
setgid = nogroup
pid = /usr/local/var/run/stunnel/stunnel.pid
debug = debug
output = /usr/local/var/log/stunnel/stunnel.log
[uwo2local]
accept = 50025
cert = /usr/local/etc/stunnel/stunnel.pem
connect = 52025
protocol = smtp
[local2o365]
client = yes
accept = 127.0.0.1:52025
connect = smtp.office365.com:587
CApath = /etc/ssl/certs
OCSPaia = yes
protocol = smtp
The one thing I'm wondering about is the checkHost option. Should I be
adding checkHost = smtp.office365.com to verify the certificate of
smtp.office365.com? Whenever I add this option, it tells me:
[!] /usr/local/etc/stunnel/stunnel.conf:87: "checkHost = smtp.office365.com":
Specified option name is not valid here
Thanks,
Andrew
*Andrew Culver*
System Administrator
Information Technology Services <https://www.uwo.ca/its>
University of Western Ontario <https://www.uwo.ca>
e: aculver at uwo.ca
p: 519-661-2111 x80265 <15196612111,80265>
cal: html <http://goo.gl/wVoDlo> | ics <http://goo.gl/ncUjV0>
On Thu, Jan 19, 2017 at 5:40 AM, Małgorzata Olszówka <gosia at olszowka.net>
wrote:
> We have a number of hosts in private IP space that we'd like to be able
>> to send mail to smtp.office365.com:587 <http://smtp.office365.com:587>.
>> I'm trying to configure stunnel for this purpose.
>>
>> What I'd like is to set up a stunnel instance on a server which will
>> accept TLS connections on port 50025. Stunnel will then connect to
>> smtp.office365.com:587 <http://smtp.office365.com:587> which also uses
>> TLS. How can I do this?
>>
>> I am able to configure stunnel to accept my connection on 587, but the
>> connection is immediately closed (below). If I add client = yes, then I
>> just get:
>>
>>
>> aculver stunnel # egrep -v '^;|^$' stunnel.conf
>> ; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015
>> setuid = nobody
>> setgid = nogroup
>> pid = /usr/local/var/run/stunnel/stunnel.pid
>> [o365-smtp]
>> accept = 50025
>> cert = /usr/local/etc/stunnel/stunnel.pem
>> connect = smtp.office365.com:587 <http://smtp.office365.com:587>
>> verifyChain = yes
>> CApath = /etc/ssl/certs
>> protocol = smtp
>>
>> aculver stunnel # openssl s_client -starttls smtp -connect localhost:50025
>> CONNECTED(00000003)
>> ...
>> 139954991064736:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
>> handshake failure:s3_pkt.c:1263:SSL alert number 40
>> 139954991064736:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>> failure:s23_lib.c:177:
>> ---
>>
>> Hi Andrew,
> I suggest you set the debugging stuff, it may be useful for
> troubleshooting:
> debug = debug
> output = /usr/local/var/log/stunnel.log
>
> In the stunnel.log file, you can find all log messages from stunnel, I
> think in this case:
>
> 2017.01.19 05:08:28 LOG7[10763]: TLS alert (write): fatal: handshake
> failure
> 2017.01.19 05:08:28 LOG3[10763]: SSL_accept: 140890C7: error:140890C7:SSL
> routines:ssl3_get_client_certificate:peer did not return a certificate
> 2017.01.19 05:08:28 LOG5[10763]: Connection reset: 0 byte(s) sent to TLS,
> 0 byte(s) sent to socket
>
> Your [o365-smtp] service requests the peer certificate and verify the peer
> certificate chain, so you should send the client certificate.
>
> # openssl s_client -starttls smtp -connect localhost:50025 -cert mycert.pem
>
> Regards
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170119/50b8c086/attachment.html>
More information about the stunnel-users
mailing list