[stunnel-users] setup stunnel problem

Peter Pentchev roam at ringlet.net
Wed Nov 20 12:26:07 CET 2013

On Wed, Nov 20, 2013 at 11:52:05AM +0100, edu.bit.es at gmail.com wrote:
> Hi and thanks for your response.
> Attached is the log file (stunnel.txt) and the config file
> (stunnelconf.txt).
> Thanks a lot.

Thanks for showing us the logs and for your patience :)

OK, so here's what stunnel has to say about the actual connection:
> 2013.11.20 05:48:59 LOG5[14516:16268]: Service [gmail-smtp] connected remote server from
> 2013.11.20 05:48:59 LOG7[14516:16268]: Remote socket (FD=472) initialized
> 2013.11.20 05:48:59 LOG7[14516:16268]: SNI: sending servername: smtp.gmail.com
> 2013.11.20 05:48:59 LOG7[14516:16268]: SSL state (connect): before/connect initialization
> 2013.11.20 05:48:59 LOG7[14516:16268]: SSL state (connect): SSLv2/v3 write client hello A
> 2013.11.20 05:48:59 LOG3[14516:16268]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> 2013.11.20 05:48:59 LOG5[14516:16268]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

So it says that it has connected to smtp.gmail.com on the port that you
specified and that the Gmail SMTP server did not speak proper SSL to it.
Now let's see if we can figure out why the Gmail SMTP server doesn't
want to speak SSL to us:

> [gmail-smtp]
> client = yes
> accept =
> connect = smtp.gmail.com:587

OK, so this says several things:
- listen on port 25 of our local machine
- accept cleartext traffic on port 25 of our local machine
- once a client connects, create a new connection to port 587 of
- speak SSL to smtp.gmail.com:587 - that is, expect smtp.gmail.com to
  speak SSL to us if we connect to its port 587

Well, let's see if it does:

[roam at straylight ~]$ telnet smtp.gmail.com 587
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP i1sm58627991eeg.0 - gsmtp

No, it doesn't.  Port 587 is usually used for the "mail submission"
service which speaks plain simplified SMTP - plain as in "not encrypted"
as in "not SSL".  You have configured Stunnel to (as it should) speak
SSL to the remote side, so you ought to tell it to either:
- connect to a service that starts speaking SSL straight away, or
- tell it to expect the remote service to not speak SSL straight away
  and tell it how to negotiate an SSL connection with it

In your first message you mentioned port 465; it is usually used for the
"secure SMTP" service, which *does* start speaking SSL straight away.
This is actually the first option: so what happens (show us the
logfiles if it doesn't work) if you put 465 instead of 587 in your
Stunnel configuration for the gmail-smtp service?

Another option would be to add another line to the gmail-smtp service:
protocol = smtp
This tells Stunnel that the remote is actually an SMTP (or SMTP-like)
server that will understand a "STARTTLS" command and, hopefully, respond
with a "2xx Ready to start a TLS conversation with you" message.  This
might fix the problem, too - it is option 2 from the above (negotiate an
SSL connection with a non-SSL service).

I'd try using port 465 first; if it doesn't work, show us the logs


Peter Pentchev	roam at ringlet.net roam at FreeBSD.org p.penchev at storpool.com
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
I am not the subject of this sentence.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20131120/dfe4125f/attachment.sig>

More information about the stunnel-users mailing list