[stunnel-users] transparent = source, stunnel connect always times out

Robert Hardy rhardy at webcon.ca
Tue May 3 22:45:06 CEST 2011


On Sat, 26 Mar 2011, Michal Trojnara wrote:
>
> Interesting.  I can't see any obvious mistake in your configuration.
>
> With these types of problems "tcpdump", "iptables -L -v", and "dmesg" are your
> friends.
>
> Best regards,
> 	 Michal Trojnara
>

I've tried several times to get stunnel to work as a transparent smtps
proxy. I just tried again using stunnel 4.36 and, as you suggested, used
tcpdump in several places to attempt further debugging. It always just
times out, both in the stunnel log file and on my mail client.

There are no obvious messages indicating the problem in dmesg or any logs.

To me, my firewall rules look fine.

With tcpdump on lo, I can see the traffic getting forwarded:

15:48:23.228526 IP fw1.pensivo.com.52370 > guru.webcon.net.smtp: S
   3107220597:3107220597(0) win 32792 <mss 16396,sackOK,timestamp 128780080 0,nop,wscale 5>

With tcpdump on eth0, I can see some kind of response going out:

15:48:23.228554 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP
(6), length: 60) guru.webcon.net.smtp > fw1.pensivo.com.52370: S, cksum
0x70bc (incorrect (-> 0x91ef), 3106887726:3106887726(0) ack 3107220598 win
14480 <mss 1460,sackOK,timestamp 128780080 128774822,nop,wscale 5>

but it seems too small and doesn't seem like enough traffic.

The incorrect cksums seem to be a red herring. I suspect it's really just an
artifact due to hardware checksum offload. The packets make it back to my
mail client box with valid checksums.

My mail server has net.ipv4.conf.all.rp_filter = 0. My ASSP maillog never
shows a connection, refused or otherwise, for the transparently proxied
connection, even with the debug level very high.

Can you make any other suggestions?

Failing that, would you be willing to debug this interactively?

If you can respond off the list with a dollar amount or a referral to a
contractor who would know what the tcpdump traffic should look like and
could debug this install easily, that would be very much appreciated.
I've been periodically spinning my wheels on this for too long.

Regards,
Robert Hardy
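The two captures in the message above show the pattern worth checking first when transparent = source times out: the SYN from the client address is seen on lo (stunnel sending it with the client's address as source), but the server's SYN-ACK leaves on eth0, addressed to the real client, instead of coming back to the local proxy socket. The following script is an added example and not part of the post or of stunnel; it parses tcpdump lines in the format quoted above (the older "S ... seq:seq(len) ack N" text layout, one packet per line, with the capture interface supplied alongside each line, which is an assumption of this example), pairs each SYN with its SYN-ACK by sequence number and address/port swap, and reports whether the reply came back on the same interface the SYN was seen on. The sample lines are the post's own two packets re-joined onto single lines.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Matches the tcpdump text layout seen in the post: optional "(tos ..., length: N)"
# header block from -v, then "src > dst: FLAGS[,] ... seq:seq(len) [ack N]".
# Assumption: one packet per line, old-style single-letter flag field.
PKT_RE = re.compile(
    r'^(?P<ts>\S+) IP (?:\(.*?\) )?(?P<src>\S+) > (?P<dst>\S+): '
    r'(?P<flags>[A-Z.]+),?'
    r'.*?(?P<seq>\d+):\d+\(\d+\)'
    r'(?: ack (?P<ack>\d+))?'
)


@dataclass
class Pkt:
    iface: str
    src: str
    dst: str
    syn: bool
    has_ack: bool        # old tcpdump prints ACK as a trailing "ack N", not as a flag letter
    seq: int
    ack: Optional[int]


def parse_line(iface: str, line: str) -> Optional[Pkt]:
    """Parse one tcpdump line captured on `iface`; return None for lines we don't understand."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    ack = int(m.group('ack')) if m.group('ack') else None
    return Pkt(iface=iface, src=m.group('src'), dst=m.group('dst'),
               syn='S' in m.group('flags'), has_ack=ack is not None,
               seq=int(m.group('seq')), ack=ack)


def analyze(captures: Iterable[Tuple[str, str]]) -> List[dict]:
    """For every SYN, find its SYN-ACK (ack == seq+1, addresses swapped) and compare interfaces."""
    pkts = [p for p in (parse_line(i, l) for i, l in captures) if p]
    reports = []
    for s in (p for p in pkts if p.syn and not p.has_ack):
        reply = next((p for p in pkts
                      if p.syn and p.has_ack and p.ack == s.seq + 1
                      and p.src == s.dst and p.dst == s.src), None)
        r = {'client': s.src, 'server': s.dst, 'syn_iface': s.iface,
             'synack_iface': reply.iface if reply else None}
        if reply is None:
            r['verdict'] = 'no SYN-ACK captured: the server never answered'
        elif reply.iface == s.iface:
            r['verdict'] = 'reply returned on the same path: handshake can complete'
        else:
            # The server answered the spoofed client address directly; nothing routed
            # the reply back to the local proxy socket, so the proxy's connect() hangs.
            r['verdict'] = ('reply left on %s, not %s: the SYN-ACK is going to the real '
                            'client instead of back to the local proxy socket, so the '
                            'connect times out' % (reply.iface, s.iface))
        reports.append(r)
    return reports


# Constructed sample: the two packets quoted in the post, each joined onto one line
# and tagged with the interface tcpdump was run on.
SAMPLE = [
    ('lo', '15:48:23.228526 IP fw1.pensivo.com.52370 > guru.webcon.net.smtp: S '
           '3107220597:3107220597(0) win 32792 <mss 16396,sackOK,timestamp 128780080 0,nop,wscale 5>'),
    ('eth0', '15:48:23.228554 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP '
             '(6), length: 60) guru.webcon.net.smtp > fw1.pensivo.com.52370: S, cksum '
             '0x70bc (incorrect (-> 0x91ef), 3106887726:3106887726(0) ack 3107220598 win '
             '14480 <mss 1460,sackOK,timestamp 128780080 128774822,nop,wscale 5>'),
]

if __name__ == '__main__':
    for rep in analyze(SAMPLE):
        print('%(client)s -> %(server)s: SYN on %(syn_iface)s, SYN-ACK on %(synack_iface)s' % rep)
        print('  ' + rep['verdict'])
```

Run against the post's two packets the script reports the SYN on lo and the SYN-ACK on eth0 and flags the path mismatch; a healthy transparent setup shows both on the same interface, and a capture with no matching SYN-ACK at all points at the server side (firewall or daemon) rather than at return routing.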