<div dir="ltr">Hi Graeme,<div><br></div><div>We have a number of Toshiba MFDs which use Scan To Email. We are using stunnel to listen on port 587/TLS and connect to <a href="http://smtp.office365.com:587">smtp.office365.com:587</a>. Since I'm listening for TLS and connecting to O365 using TLS, I have 2 services defined. We're running Stunnel 5.40. Can you compile the latest version?</div><div><br></div><div><div>setuid = stunnel</div><div>setgid = stunnel</div><div>pid = /usr/local/var/run/stunnel/stunnel.pid</div><div>[uwo2local]</div><div>accept = 587</div><div>cert = /usr/local/etc/stunnel/mtar-withprivatekey.pem</div><div>connect = 20587 </div><div>protocol = smtp</div><div>[local2o365]</div><div>client = yes</div><div>accept = <a href="http://127.0.0.1:20587">127.0.0.1:20587</a></div><div>connect = <a href="http://smtp.office365.com:587">smtp.office365.com:587</a></div><div>protocol = smtp</div></div><div><br></div><div>One advantage of having 2 listeners is that you can run a tcpdump on the lo interface to capture the traffic, then open it up in Wireshark to look at the SMTP dialog for any problems. One thing to watch for is that the sending address that the printer is using (ie the From: header) is an address that the authenticating user is authorized to send as. Typically this should be the same address to avoid problems (although this isn't a Stunnel problem).</div><div><br></div><div>Andrew</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><b><font face="verdana, sans-serif" color="#3d85c6">Andrew Culver</font></b></div><div><font face="verdana, sans-serif" color="#999999">System Administrator</font></div><div><a href="https://www.uwo.ca/its" target="_blank"><font face="verdana, sans-serif" color="#999999">Information Technology Services</font></a></div><div><a href="https://www.uwo.ca" target="_blank"><font face="verdana, sans-serif" color="#999999">University of Western Ontario</font></a></div><div><font face="verdana, sans-serif"><font color="#999999">e: </font><a href="mailto:aculver@uwo.ca" target="_blank"><font color="#999999">aculver@uwo.ca</font></a></font></div><div><font face="verdana, sans-serif" color="#999999">p: <a href="tel:15196612111,80265" target="_blank"><font color="#999999">519-661-2111 x80265</font></a></font></div><font face="verdana, sans-serif" color="#999999">cal: <a href="http://goo.gl/wVoDlo" target="_blank"><font color="#999999">html</font></a> | <a href="http://goo.gl/ncUjV0" target="_blank"><font color="#999999">ics</font></a></font><br></div><div dir="ltr"><font face="verdana, sans-serif" color="#999999"><a><font color="#999999"><br></font></a></font></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Mon, Apr 3, 2017 at 6:16 AM, Graeme Ellisson <span dir="ltr"><<a href="mailto:gellisson@gmail.com" target="_blank">gellisson@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi.<div><div><br></div><div>I recently bought a Pi3 and have loaded Raspbian with Doobs (Previously I had this running faultlessly under a Windows Server for my Canon multi function printer that does not support SSL/TLS but only authentication). After about 8 attempts to get Stunnel4 working (there doesn't seem to be a later version to install via the command line) I eventually found that Stunnel4 works fine as long as one doesn't update Dabian from the initial Doobs install.</div><div>So, I now have the service running and listening on port 25 with the following config file: </div><div><br></div><div><div>debug=7</div><div>output=/etc/stunnel/stunnel.<wbr>log</div><div>client=yes</div><div>options=NO_SSLv2 (I added this last night after reading a blog)</div><div><br></div><div>[SMTP OUT]</div><div>sslVersion=TLSv1 (I added this last night after reading a blog)</div><div>protocol=smtp</div><div>accept=25</div><div>connect=<a href="http://smtp.office365.com:587" target="_blank">smtp.office365.com:587</a></div></div><div><br></div><div>On restarting the service I see the following which looks okay to my untrained eye:</div><div><br></div><div><div>2017.04.03 09:42:09 LOG7[3570]: Dispatching signals from the signal pipe</div><div>2017.04.03 09:42:09 LOG7[3570]: Processing SIGNAL_TERMINATE</div><div>2017.04.03 09:42:09 LOG5[3570]: Terminated</div><div>2017.04.03 09:42:09 LOG7[3570]: Closing service [SMTP OUT]</div><div>2017.04.03 09:42:09 LOG7[3570]: Service [SMTP OUT] closed (FD=7)</div><div>2017.04.03 09:42:09 LOG7[3570]: Service [SMTP OUT] closed</div><div>2017.04.03 09:42:09 LOG7[3570]: removing pid file /var/run/stunnel4.pid</div><div>2017.04.03 09:42:09 LOG7[3926]: Clients allowed=500</div><div>2017.04.03 09:42:09 LOG5[3926]: stunnel 5.06 on arm-unknown-linux-gnueabihf platform</div><div>2017.04.03 09:42:09 LOG5[3926]: Compiled with OpenSSL 1.0.1k 8 Jan 2015</div><div>2017.04.03 09:42:09 LOG5[3926]: Running with OpenSSL 1.0.1t 3 May 2016</div><div>2017.04.03 09:42:09 LOG5[3926]: Update OpenSSL shared libraries or rebuild stunnel</div><div>2017.04.03 09:42:09 LOG5[3926]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD SSL:ENGINE,OCSP,FIPS Auth:LIB$</div><div>2017.04.03 09:42:09 LOG7[3926]: errno: (*__errno_location ())</div><div>2017.04.03 09:42:09 LOG5[3926]: Reading configuration from file /etc/stunnel/stunnel4.conf</div><div>2017.04.03 09:42:09 LOG5[3926]: FIPS mode disabled</div><div>2017.04.03 09:42:09 LOG7[3926]: Compression disabled</div><div>2017.04.03 09:42:09 LOG7[3926]: Snagged 64 random bytes from /dev/urandom</div><div>2017.04.03 09:42:09 LOG7[3926]: PRNG seeded successfully</div><div>2017.04.03 09:42:09 LOG6[3926]: Initializing service [SMTP OUT]</div><div>2017.04.03 09:42:09 LOG7[3926]: No private key specified</div><div>2017.04.03 09:42:09 LOG7[3926]: SSL options: 0x03000004 (+0x03000000, -0x00000000)</div><div>2017.04.03 09:42:09 LOG5[3926]: Configuration successful</div><div>2017.04.03 09:42:09 LOG7[3926]: Listening file descriptor created (FD=7)</div><div>2017.04.03 09:42:09 LOG7[3926]: Service [SMTP OUT] (FD=7) bound to <a href="http://0.0.0.0:25" target="_blank">0.0.0.0:25</a></div><div>2017.04.03 09:42:09 LOG7[3927]: Created pid file /var/run/stunnel4.pid</div></div><div><br></div><div><br></div><div><br></div><div>When sending a scan from the printer to an email address I see the following in the log file:</div><div><br></div><div><br></div><div><div>2017.04.03 10:00:05 LOG7[3927]: Service [SMTP OUT] accepted (FD=3) from <a href="http://192.168.8.99:1085" target="_blank">192.168.8.99:1085</a></div><div>2017.04.03 10:00:05 LOG7[3960]: Service [SMTP OUT] started</div><div>2017.04.03 10:00:05 LOG5[3960]: Service [SMTP OUT] accepted connection from <a href="http://192.168.8.99:1085" target="_blank">192.168.8.99:1085</a></div><div>2017.04.03 10:00:05 LOG6[3960]: s_connect: connecting <a href="http://40.101.73.162:587" target="_blank">40.101.73.162:587</a></div><div>2017.04.03 10:00:05 LOG7[3960]: s_connect: s_poll_wait <a href="http://40.101.73.162:587" target="_blank">40.101.73.162:587</a>: waiting 10 seconds</div><div>2017.04.03 10:00:05 LOG5[3960]: s_connect: connected <a href="http://40.101.73.162:587" target="_blank">40.101.73.162:587</a></div><div>2017.04.03 10:00:05 LOG5[3960]: Service [SMTP OUT] connected remote server from <a href="http://192.168.8.33:59792" target="_blank">192.168.8.33:59792</a></div><div>2017.04.03 10:00:05 LOG7[3960]: Remote socket (FD=9) initialized</div><div>2017.04.03 10:00:05 LOG7[3960]: <- 220 <a href="http://DB6PR07CA0179.outlook.office365.com" target="_blank">DB6PR07CA0179.outlook.<wbr>office365.com</a> Microsoft ESMTP MAIL Service $</div><div>2017.04.03 10:00:05 LOG7[3960]: -> 220 <a href="http://DB6PR07CA0179.outlook.office365.com" target="_blank">DB6PR07CA0179.outlook.<wbr>office365.com</a> Microsoft ESMTP MAIL Service $</div><div>2017.04.03 10:00:05 LOG7[3960]: -> EHLO localhost</div><div>2017.04.03 10:00:05 LOG7[3960]: <- <a href="http://250-DB6PR07CA0179.outlook.office365.com" target="_blank">250-DB6PR07CA0179.outlook.<wbr>office365.com</a> Hello [46.208.253.189]</div><div>2017.04.03 10:00:05 LOG7[3960]: <- 250-SIZE 157286400</div><div>2017.04.03 10:00:05 LOG7[3960]: <- 250-PIPELINING</div><div>2017.04.03 10:00:05 LOG7[3960]: <- 250-DSN</div><div>2017.04.03 10:00:05 LOG7[3960]: <- 250-ENHANCEDSTATUSCODES</div><div>2017.04.03 10:00:05 LOG7[3960]: <- 250-STARTTLS</div><div>2017.04.03 10:00:05 LOG7[3960]: <- 250-8BITMIME</div><div>2017.04.03 10:00:05 LOG7[3960]: <- 250-BINARYMIME</div><div>2017.04.03 10:00:05 LOG7[3960]: <- 250-CHUNKING</div><div>2017.04.03 10:00:05 LOG7[3960]: <- 250 SMTPUTF8</div><div>2017.04.03 10:00:05 LOG7[3960]: -> STARTTLS</div><div>2017.04.03 10:00:05 LOG7[3960]: <- 220 2.0.0 SMTP server ready</div><div>2017.04.03 10:00:05 LOG6[3960]: SNI: sending servername: <a href="http://outlook.office365.com" target="_blank">outlook.office365.com</a></div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): before/connect initialization</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div></div><div><div>2017.04.03 10:00:05 LOG7[3960]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:05 LOG7[3960]: 0 items in the session cache</div><div>2017.04.03 10:00:05 LOG7[3960]: 2 client connects (SSL_connect())</div><div>2017.04.03 10:00:05 LOG7[3960]: 2 client connects that finished</div><div>2017.04.03 10:00:05 LOG7[3960]: 0 client renegotiations requested</div><div>2017.04.03 10:00:05 LOG7[3960]: 0 server connects (SSL_accept())</div><div>2017.04.03 10:00:05 LOG7[3960]: 0 server connects that finished</div><div>2017.04.03 10:00:05 LOG7[3960]: 0 server renegotiations requested</div><div>2017.04.03 10:00:05 LOG7[3960]: 0 session cache hits</div><div>2017.04.03 10:00:05 LOG7[3960]: 0 external session cache hits</div><div>2017.04.03 10:00:05 LOG7[3960]: 0 session cache misses</div><div>2017.04.03 10:00:05 LOG7[3960]: 0 session cache timeouts</div><div>2017.04.03 10:00:05 LOG6[3960]: SSL connected: new session negotiated</div><div>2017.04.03 10:00:05 LOG6[3960]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES128-SHA (128-bit encryption)</div><div>2017.04.03 10:00:05 LOG6[3960]: Compression: null, expansion: null</div><div>2017.04.03 10:00:10 LOG6[3960]: SSL socket closed (SSL_read)</div><div>2017.04.03 10:00:10 LOG7[3960]: Sent socket write shutdown</div><div>2017.04.03 10:00:10 LOG5[3960]: Connection closed: 23 byte(s) sent to SSL, 79 byte(s) sent to socket</div><div>2017.04.03 10:00:10 LOG7[3960]: Remote socket (FD=9) closed</div><div>2017.04.03 10:00:10 LOG7[3960]: Local socket (FD=3) closed</div><div>2017.04.03 10:00:10 LOG7[3960]: Service [SMTP OUT] finished (0 left)</div><div>2017.04.03 10:00:20 LOG7[3927]: Service [SMTP OUT] accepted (FD=3) from <a href="http://192.168.8.99:1086" target="_blank">192.168.8.99:1086</a></div><div>2017.04.03 10:00:20 LOG7[3961]: Service [SMTP OUT] started</div><div>2017.04.03 10:00:20 LOG5[3961]: Service [SMTP OUT] accepted connection from <a href="http://192.168.8.99:1086" target="_blank">192.168.8.99:1086</a></div><div>2017.04.03 10:00:20 LOG6[3961]: s_connect: connecting <a href="http://40.101.72.194:587" target="_blank">40.101.72.194:587</a></div><div>2017.04.03 10:00:20 LOG7[3961]: s_connect: s_poll_wait <a href="http://40.101.72.194:587" target="_blank">40.101.72.194:587</a>: waiting 10 seconds</div><div>2017.04.03 10:00:20 LOG5[3961]: s_connect: connected <a href="http://40.101.72.194:587" target="_blank">40.101.72.194:587</a></div><div>2017.04.03 10:00:20 LOG5[3961]: Service [SMTP OUT] connected remote serve from <a href="http://192.168.8.33:57422" target="_blank">192.168.8.33:57422</a></div></div><div><div>2017.04.03 10:00:20 LOG7[3961]: Remote socket (FD=9) initialized</div><div>2017.04.03 10:00:21 LOG7[3961]: <- 220 <a href="http://DB6PR07CA0014.outlook.office365.com" target="_blank">DB6PR07CA0014.outlook.<wbr>office365.com</a> Microsoft ESMTP MAIL Service $</div><div>2017.04.03 10:00:21 LOG7[3961]: -> 220 <a href="http://DB6PR07CA0014.outlook.office365.com" target="_blank">DB6PR07CA0014.outlook.<wbr>office365.com</a> Microsoft ESMTP MAIL Service $</div><div>2017.04.03 10:00:21 LOG7[3961]: -> EHLO localhost</div><div>2017.04.03 10:00:21 LOG7[3961]: <- <a href="http://250-DB6PR07CA0014.outlook.office365.com" target="_blank">250-DB6PR07CA0014.outlook.<wbr>office365.com</a> Hello [46.208.253.189]</div><div>2017.04.03 10:00:21 LOG7[3961]: <- 250-SIZE 157286400</div><div>2017.04.03 10:00:21 LOG7[3961]: <- 250-PIPELINING</div><div>2017.04.03 10:00:21 LOG7[3961]: <- 250-DSN</div><div>2017.04.03 10:00:21 LOG7[3961]: <- 250-ENHANCEDSTATUSCODES</div><div>2017.04.03 10:00:21 LOG7[3961]: <- 250-STARTTLS</div><div>2017.04.03 10:00:21 LOG7[3961]: <- 250-8BITMIME</div><div>2017.04.03 10:00:21 LOG7[3961]: <- 250-BINARYMIME</div><div>2017.04.03 10:00:21 LOG7[3961]: <- 250-CHUNKING</div><div>2017.04.03 10:00:21 LOG7[3961]: <- 250 SMTPUTF8</div><div>2017.04.03 10:00:21 LOG7[3961]: -> STARTTLS</div><div>2017.04.03 10:00:21 LOG7[3961]: <- 220 2.0.0 SMTP server ready</div></div><div><div>2017.04.03 10:00:21 LOG6[3961]: SNI: sending servername: <a href="http://outlook.office365.com" target="_blank">outlook.office365.com</a></div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): before/connect initialization</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: SSL state (connect): unknown state</div><div>2017.04.03 10:00:21 LOG7[3961]: 0 items in the session cache</div><div>2017.04.03 10:00:21 LOG7[3961]: 3 client connects (SSL_connect())</div><div>2017.04.03 10:00:21 LOG7[3961]: 3 client connects that finished</div><div>2017.04.03 10:00:21 LOG7[3961]: 0 client renegotiations requested</div><div>2017.04.03 10:00:21 LOG7[3961]: 0 server connects (SSL_accept())</div><div>2017.04.03 10:00:21 LOG7[3961]: 0 server connects that finished</div><div>2017.04.03 10:00:21 LOG7[3961]: 0 server renegotiations requested</div><div>2017.04.03 10:00:21 LOG7[3961]: 0 session cache hits</div><div>2017.04.03 10:00:21 LOG7[3961]: 0 external session cache hits</div><div>2017.04.03 10:00:21 LOG7[3961]: 0 session cache misses</div><div>2017.04.03 10:00:21 LOG7[3961]: 0 session cache timeouts</div><div>2017.04.03 10:00:21 LOG6[3961]: SSL connected: new session negotiated</div><div>2017.04.03 10:00:21 LOG6[3961]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES128-SHA (128-bit encryption)</div><div>2017.04.03 10:00:21 LOG6[3961]: Compression: null, expansion: null</div><div>2017.04.03 10:00:26 LOG6[3961]: SSL socket closed (SSL_read)</div><div>2017.04.03 10:00:26 LOG7[3961]: Sent socket write shutdown</div></div><div><div>2017.04.03 10:00:26 LOG5[3961]: Connection closed: 23 byte(s) sent to SSL, 79 byte(s) sent to socket</div><div>2017.04.03 10:00:26 LOG7[3961]: Remote socket (FD=9) closed</div><div>2017.04.03 10:00:26 LOG7[3961]: Local socket (FD=3) closed</div><div>2017.04.03 10:00:26 LOG7[3961]: Service [SMTP OUT] finished (0 left)</div></div><div><br></div><div><br></div><div>At the end of this, no email is received. I can't tell from the above if the document is not being received by Stunnel from the printer or if Stunnel can not pass the document to Office365. It looks like TLSv1 is being negotiated and some data is being sent but then it closes the connection.</div><div><br></div><div>Any help would be much appreciated.</div><div><br></div><div>Regards,</div><div><br></div><div>Graeme</div><div><br></div><div> </div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div> </div></div></div>
<br>______________________________<wbr>_________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a><br>
<a href="https://www.stunnel.org/cgi-">https://www.stunnel.org/cgi-</a><wbr>bin/mailman/listinfo/stunnel-<wbr>users<br>
<br></blockquote></div><br></div>