[stunnel-users] Stunnel in inetd mode and PID in logs

Bruce Guenter bruce at untroubled.org
Sat Dec 10 00:39:11 CET 2016

On Thu, Dec 08, 2016 at 05:52:40PM +0100, Małgorzata Olszówka wrote:
> Yes, but when the service is started, you can see PID in the next logs:
> 2016.12.08 11:38:59 LOG7[ui]: Service [https] accepted (FD=3) from
> 2016.12.08 11:38:59 LOG7[16226]: Service [https] started

This appears to be a different use case. In my case, stunnel is not
accepting the connection. tcpserver accepts the connection (or rejects
it) and then executes stunnel on the open socket. This stunnel process
never prints its own PID, only ever (for example) LOG6[ui].

My command line (simplified) is as follows:

tcpserver -HRvX -c 20 0 465 /usr/sbin/stunnel stunnel.conf

The stunnel.conf file is:

foreground = yes
pid =
cert = /path/to/private/cert
service = smtps
exec = /usr/bin/setuidgid
execargs = setuidgid qmaild ./sslrun
ciphers = DEFAULT:!LOW:!RC4:!DES:!3DES:!IDEA
syslog = no
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
debug = info
TIMEOUTbusy = 15
TIMEOUTidle = 300
verify = 0

The logs show (for example):

tcpserver: pid 24622 from
tcpserver: ok 24622 untroubled.org: :
2016.12.09 18:34:34 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP
2016.12.09 18:34:34 LOG5[ui]: Reading configuration from file /var/service/smtpsd/stunnel.conf
2016.12.09 18:34:34 LOG5[ui]: UTF-8 byte order mark not detected
2016.12.09 18:34:34 LOG6[ui]: Initializing inetd mode configuration
2016.12.09 18:34:34 LOG6[ui]: Loading certificate from file: /path/to/private/cert
2016.12.09 18:34:34 LOG6[ui]: Certificate loaded from file: /path/to/private/cert
2016.12.09 18:34:34 LOG6[ui]: Loading private key from file: /path/to/private/cert
2016.12.09 18:34:34 LOG6[ui]: Private key loaded from file: /path/to/private/cert
2016.12.09 18:34:34 LOG6[ui]: Using dynamic DH parameters
2016.12.09 18:34:34 LOG5[ui]: Configuration successful
2016.12.09 18:34:34 LOG5[ui]: Service [smtps] accepted connection from
2016.12.09 18:34:34 LOG6[ui]: SSL accepted: new session negotiated
2016.12.09 18:34:34 LOG6[ui]: No peer certificate received
2016.12.09 18:34:34 LOG6[ui]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2016.12.09 18:34:34 LOG6[ui]: Local mode child started (PID=24623)
mailfront[24623]: MAIL FROM:<somebody at example.com> BODY=8BITMIME SIZE=492
mailfront[24623]: RCPT TO:<example at gmail.com>
mailfront[24623]: 2.6.0 Accepted message qp 24625 bytes 1319
mailfront[24623]: bytes in: 660 bytes out: 367
2016.12.09 18:34:35 LOG6[ui]: Read socket closed (readsocket)
2016.12.09 18:34:35 LOG6[ui]: SSL_shutdown successfully sent close_notify alert
2016.12.09 18:34:35 LOG6[ui]: SSL socket closed (SSL_read)
2016.12.09 18:34:35 LOG5[ui]: Connection closed: 367 byte(s) sent to SSL, 660 byte(s) sent to socket
tcpserver: end 24622 status 0

This is all fine and good if there is a single connection, but when
there are multiple connections, and the stunnel logs are interleaved,
how am I to tell one Negotiated line from the other, or which connection
started which child process?

Bruce Guenter <bruce at untroubled.org>                http://untroubled.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20161209/39bb4847/attachment.sig>

More information about the stunnel-users mailing list