[stunnel-users] setup stunnel problem

edu.bit.es at gmail.com
Wed Nov 20 14:00:10 CET 2013


Hi Peter,

Everything ok, sending smtp messages.

Thanks a lot for your advice.

If you ever come to Barcelona (Spain) I owe you a beer.

Best regards.



-----Original Message-----
From: Peter Pentchev [mailto:roam at ringlet.net] 
Sent: Wednesday, November 20, 2013 12:26 PM
To: edu.bit.es at gmail.com
Cc: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] setup stunnel problem

On Wed, Nov 20, 2013 at 11:52:05AM +0100, edu.bit.es at gmail.com wrote:
> Hi and thanks for your response.
> 
> Attached is the log file (stunnel.txt) and the config file 
> (stunnelconf.txt).
> 
> Thanks a lot.

Thanks for showing us the logs and for your patience :)

OK, so here's what stunnel has to say about the actual connection:
[snip]
> 2013.11.20 05:48:59 LOG5[14516:16268]: Service [gmail-smtp] connected 
> remote server from 192.168.1.10:29290
> 2013.11.20 05:48:59 LOG7[14516:16268]: Remote socket (FD=472) 
> initialized
> 2013.11.20 05:48:59 LOG7[14516:16268]: SNI: sending servername: 
> smtp.gmail.com
> 2013.11.20 05:48:59 LOG7[14516:16268]: SSL state (connect): 
> before/connect initialization
> 2013.11.20 05:48:59 LOG7[14516:16268]: SSL state (connect): SSLv2/v3 
> write client hello A
> 2013.11.20 05:48:59 LOG3[14516:16268]: SSL_connect: 140770FC: 
> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> 2013.11.20 05:48:59 LOG5[14516:16268]: Connection reset: 0 byte(s) 
> sent to SSL, 0 byte(s) sent to socket

So it says that it has connected to smtp.gmail.com on the port that you
specified and that the Gmail SMTP server did not speak proper SSL to it.
Now let's see if we can figure out why the Gmail SMTP server doesn't want to
speak SSL to us:

> [gmail-smtp]
> client = yes
> accept = 127.0.0.1:25
> connect = smtp.gmail.com:587

OK, so this says several things:
- listen on port 25 of our local machine
- accept cleartext traffic on port 25 of our local machine
- once a client connects, create a new connection to port 587 of
  smtp.gmail.com
- speak SSL to smtp.gmail.com:587 - that is, expect smtp.gmail.com to
  speak SSL to us if we connect to its port 587

Well, let's see if it does:

[roam at straylight ~]$ telnet smtp.gmail.com 587
Trying 74.125.136.108...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP i1sm58627991eeg.0 - gsmtp

No, it doesn't.  Port 587 is usually used for the "mail submission"
service which speaks plain simplified SMTP - plain as in "not encrypted"
as in "not SSL".  You have configured Stunnel to (as it should) speak SSL to
the remote side, so you ought to tell it to either:
- connect to a service that starts speaking SSL straight away, or
- tell it to expect the remote service to not speak SSL straight away
  and tell it how to negotiate an SSL connection with it

In your first message you mentioned port 465; it is usually used for the
"secure SMTP" service, which *does* start speaking SSL straight away.
This is actually the first option: so what happens (show us the logfiles if
it doesn't work) if you put 465 instead of 587 in your Stunnel configuration
for the gmail-smtp service?

Another option would be to add another line to the gmail-smtp service:
protocol = smtp
This tells Stunnel that the remote is actually an SMTP (or SMTP-like) server
that will understand a "STARTTLS" command and, hopefully, respond with a
"2xx Ready to start a TLS conversation with you" message.  This might fix
the problem, too - it is option 2 from the above (negotiate an SSL
connection with a non-SSL service).

I'd try using port 465 first; if it doesn't work, show us the logs again.

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net roam at FreeBSD.org p.penchev at storpool.com
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
I am not the subject of this sentence.
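The diagnosis in Peter's reply (a plaintext "220" greeting on port 587 is what makes OpenSSL report "unknown protocol", while port 465 waits silently for a ClientHello) can be turned into a small probe. The following is an added example, not code from the thread or from the stunnel project: `classify_first_bytes`, `stunnel_stanza` and `probe` are hypothetical helpers, and the sample greeting is the one quoted in the telnet session above.

```python
"""Decide whether a mail port needs stunnel's 'protocol = smtp' (STARTTLS)
or a direct TLS connection (port-465 style), then render the stanza."""
import socket
import ssl

# Sample greeting taken from the telnet session quoted in the thread.
PLAIN_BANNER = b"220 mx.google.com ESMTP i1sm58627991eeg.0 - gsmtp\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Map what a server sends before we send anything to a stunnel mode.

    'starttls'      plaintext SMTP greeting: submission port, needs protocol = smtp
    'implicit-tls'  nothing arrived: the server is waiting for our ClientHello
    'unknown'       anything else (not something stunnel can be configured for)
    """
    if not data:
        return "implicit-tls"
    if data.startswith((b"220 ", b"220-")):
        return "starttls"
    return "unknown"


def stunnel_stanza(mode: str, host: str, port: int) -> str:
    """Render the [gmail-smtp] service from the thread for the detected mode."""
    lines = ["[gmail-smtp]", "client = yes", "accept = 127.0.0.1:25",
             f"connect = {host}:{port}"]
    if mode == "starttls":
        lines.append("protocol = smtp")  # let stunnel negotiate STARTTLS first
    elif mode != "implicit-tls":
        raise ValueError(f"cannot configure stunnel for mode {mode!r}")
    return "\n".join(lines) + "\n"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Network probe (not exercised by the tests): connect, stay silent, and see
    whether an unsolicited greeting arrives. If nothing does, start a TLS
    handshake ourselves and expect the greeting inside the tunnel."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            first = sock.recv(512)
        except socket.timeout:
            first = b""
        if first:
            return classify_first_bytes(first)
        ctx = ssl.create_default_context()  # verifies the server certificate
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            banner = tls.recv(512)
    return "implicit-tls" if banner.startswith(b"220") else "unknown"


if __name__ == "__main__":
    for port in (587, 465):
        mode = probe("smtp.gmail.com", port)
        print(f"port {port}: {mode}\n{stunnel_stanza(mode, 'smtp.gmail.com', port)}")
```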


