<div dir="ltr">Hello,<div><br></div><div>This is my first time using stunnel, so I'm still learning how it works. This may have already been asked, but I'm not sure what to search for in the archives.</div><div><br></div><div>We have a number of hosts in private IP space that we'd like to be able to send mail to smtp.office365.com:587. I'm trying to configure stunnel for this purpose.</div><div><br></div><div>What I'd like is to set up a stunnel instance on a server which will accept TLS connections on port 50025. Stunnel will then connect to smtp.office365.com:587, which also uses TLS. How can I do this?</div><div><br></div><div>I am able to configure stunnel to accept my connection on 587, but the connection is immediately closed (below). If I add client = yes, then I just get:</div><div><br></div><div><div>aculver stunnel # openssl s_client -starttls smtp -connect localhost:50025</div><div>CONNECTED(00000003)</div><div>didn't found starttls in server response, try anyway...</div></div><div><br></div><div><br></div><div>Here is my config:</div><div><br></div><div><div>aculver stunnel # egrep -v '^;|^$' stunnel.conf</div><div>; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015</div><div>setuid = nobody</div><div>setgid = nogroup</div><div>pid = /usr/local/var/run/stunnel/stunnel.pid</div><div>[o365-smtp]</div><div>accept = 50025</div><div>cert = /usr/local/etc/stunnel/stunnel.pem</div><div>connect = smtp.office365.com:587</div><div>verifyChain = yes</div><div>CApath = /etc/ssl/certs</div><div>protocol = smtp</div></div><div><br></div><div><br></div><div>What am I doing wrong?</div><div><br></div><div><br></div><div>Here's what I get when I don't have client = yes:</div><div><br></div><div><div>aculver stunnel # openssl s_client -starttls smtp -connect localhost:50025</div><div>CONNECTED(00000003)</div><div>depth=0 
C = CA, ST = Ontario, L = London, O = The University of Western Ontario, OU = ITS, CN = aculver.ws.its.uwo.ca, emailAddress = aculver@uwo.ca</div><div>verify error:num=18:self signed certificate</div><div>verify return:1</div><div>depth=0 C = CA, ST = Ontario, L = London, O = The University of Western Ontario, OU = ITS, CN = aculver.ws.its.uwo.ca, emailAddress = aculver@uwo.ca</div><div>verify return:1</div><div>139954991064736:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1263:SSL alert number 40</div><div>139954991064736:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:</div><div>---</div><div>Certificate chain</div><div> 0 s:/C=CA/ST=Ontario/L=London/O=The University of Western Ontario/OU=ITS/CN=aculver.ws.its.uwo.ca/emailAddress=aculver@uwo.ca</div><div>   i:/C=CA/ST=Ontario/L=London/O=The University of Western Ontario/OU=ITS/CN=aculver.ws.its.uwo.ca/emailAddress=aculver@uwo.ca</div><div>---</div><div>Server certificate</div><div>-----BEGIN 
CERTIFICATE-----</div><div>MIIEJzCCAw+gAwIBAgIJAM0DgGLDIh5lMA0GCSqGSIb3DQEBCwUAMIGpMQswCQYD</div><div>VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGTG9uZG9uMSowKAYD</div><div>VQQKDCFUaGUgVW5pdmVyc2l0eSBvZiBXZXN0ZXJuIE9udGFyaW8xDDAKBgNVBAsM</div><div>A0lUUzEeMBwGA1UEAwwVYWN1bHZlci53cy5pdHMudXdvLmNhMR0wGwYJKoZIhvcN</div><div>AQkBFg5hY3VsdmVyQHV3by5jYTAeFw0xNzAxMTcxODAwNTdaFw0yMDAxMTcxODAw</div><div>NTdaMIGpMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwG</div><div>TG9uZG9uMSowKAYDVQQKDCFUaGUgVW5pdmVyc2l0eSBvZiBXZXN0ZXJuIE9udGFy</div><div>aW8xDDAKBgNVBAsMA0lUUzEeMBwGA1UEAwwVYWN1bHZlci53cy5pdHMudXdvLmNh</div><div>MR0wGwYJKoZIhvcNAQkBFg5hY3VsdmVyQHV3by5jYTCCASIwDQYJKoZIhvcNAQEB</div><div>BQADggEPADCCAQoCggEBAL2A3QEU7ReMc+2dTJdxVnQx33dIomQvO6QOAaFkI9pt</div><div>XF/UhSBCg3ZD2yZeKe5GQ0+KqSCjuxTZE+BMTIeNUtaFEDr9bMAx0toknm29ve1B</div><div>wTErWoIjE4yqQ+j/D9JLp4BzBcptz1zaEdvhzzZo2zWVpqHrUHSXzoIELD4xyZyF</div><div>UgbQ057diKr1fqM7q3ozCofslFGEjWtc8SsfwgToT72g7bRhx8a6F6SSX8afcVx0</div><div>hvvC998QbTNUCpJO6GPzWWCsITc3RPMZK3OJsbI4NNBKDZ8eE2NTSkcKjnibRWFx</div><div>bwCTlSZ5XABQrgXmEO51cx6DBAK/8cV8W2H/VNr9SXkCAwEAAaNQME4wHQYDVR0O</div><div>BBYEFMPXcnQduKdorSNrFIR1up+a5V7RMB8GA1UdIwQYMBaAFMPXcnQduKdorSNr</div><div>FIR1up+a5V7RMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKqmaC+g</div><div>RD1KEWT2yJit0FRIuwzFYmh/jgQ0ofabWQIuQtyNeqVnATU5FMOmox9MgbbsBanC</div><div>SBVxuiLsWruk6VTjByHaIPAfsdWVKYMfLXO2Rku8GTp1X0B+HcNxh18tKr9s72rB</div><div>AmapnD1GrYDAlBBgwQz+Ei1iRz+rqKsPvvJ/IEzZ02uhxV0ZWxBi5gTqAQc+pi3y</div><div>I8DNBTxev2BMw+YCeNnrH3ryrJ8vKYlUmxE0k2POH1ihlpzdx9jtKC9TKR1kahMP</div><div>3lbldSHmW9DWeOfzQZ6NDHADSI698HaYfWQXUqbXjNJsxFb47pnjmyWgKseAT9iw</div><div>w9nPDtkCmUihuBM=</div><div>-----END CERTIFICATE-----</div><div>subject=/C=CA/ST=Ontario/L=London/O=The University of Western Ontario/OU=ITS/CN=aculver.ws.its.uwo.ca/emailAddress=aculver@uwo.ca</div><div>issuer=/C=CA/ST=Ontario/L=London/O=The 
University of Western Ontario/OU=ITS/CN=aculver.ws.its.uwo.ca/emailAddress=aculver@uwo.ca</div><div>---</div><div>No client certificate CA names sent</div><div>---</div><div>SSL handshake has read 1741 bytes and written 138 bytes</div><div>---</div><div>New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384</div><div>Server public key is 2048 bit</div><div>Secure Renegotiation IS supported</div><div>Compression: NONE</div><div>Expansion: NONE</div><div>SSL-Session:</div><div>    Protocol  : TLSv1.2</div><div>    Cipher    : ECDHE-RSA-AES256-GCM-SHA384</div><div>    Session-ID: </div><div>    Session-ID-ctx: </div><div>    Master-Key: 9B6FC3BBEEADF6673416272CA03FA44A2B10BADB3B843317403C03904F0E45E922EA2581F313BF5282C0A47498E43C8D</div><div>    Key-Arg   : None</div><div>    PSK identity: None</div><div>    PSK identity hint: None</div><div>    SRP username: None</div><div>    Start Time: 1484680413</div><div>    Timeout   : 300 (sec)</div><div>    Verify return code: 18 (self signed certificate)</div><div>---</div><div>aculver stunnel #</div></div><div><br></div><div><br></div><div>Thanks,</div><div>Andrew</div><div><br></div></div>
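<div><br></div><div>The chained configuration below is an added example for the setup the post describes; it is not code from the original message or from the stunnel project. It assumes a stunnel 5 build in which each service section is either a TLS server (client = no) or a TLS client (client = yes), so accepting TLS on 50025 and then speaking STARTTLS to smtp.office365.com:587 takes two sections joined over loopback. The loopback port 50026, the section names and the checkHost value are assumptions chosen for the example; the paths and credentials are the ones from the posted config.</div>

```ini
; stunnel.conf (added example, not the original poster's file)
; Two chained services: a single stunnel section is either a TLS server or a
; TLS client, so the inbound (server-mode) section hands the decrypted stream
; to the outbound (client-mode) section over a loopback port.
setuid = nobody
setgid = nogroup
pid = /usr/local/var/run/stunnel/stunnel.pid

; Assumption for this example: port 50026 on 127.0.0.1 is free.

[inbound-starttls]
; Server mode: the private-network hosts connect here and issue STARTTLS on
; 50025, the same exchange "openssl s_client -starttls smtp" performs.
client = no
accept = 50025
cert = /usr/local/etc/stunnel/stunnel.pem
protocol = smtp
; No verifyChain/CApath here: in server mode those options apply to the
; certificate presented by the connecting host, i.e. they would demand a
; client certificate from every mail sender.
; The plaintext hop goes to loopback only, so it never leaves this machine.
connect = 127.0.0.1:50026

[o365-smtp]
; Client mode: takes the plaintext from the section above, connects to
; Office 365 on 587, negotiates STARTTLS itself and verifies the server.
client = yes
accept = 127.0.0.1:50026
connect = smtp.office365.com:587
protocol = smtp
verifyChain = yes
CApath = /etc/ssl/certs
; Pin the expected name so a chain that validates but belongs to some other
; host is rejected rather than silently accepted.
checkHost = smtp.office365.com
```

<div>With both sections loaded, the same test as in the post, openssl s_client -starttls smtp -connect localhost:50025, completes the STARTTLS handshake against the inbound section, and the EHLO reply the client then sees comes from Office 365 over the second TLS hop. Keep the listener of the second section bound to 127.0.0.1: between the two sections the mail is in plaintext, and that binding is what keeps the hop on the host. The verification options sit only on the client-mode section because that is the side that receives the Office 365 certificate.</div>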