[stunnel-users] Service [SMTP Outgoing] needs authentication to prevent MITM attacks

Michal Trojnara Michal.Trojnara at mirt.net
Wed Sep 2 08:57:53 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Eric,

Everything seems to work just fine.  smtp.office365.com advertises
IPv6 addresses, but your host does not seem to have IPv6 connectivity.

You may modify the time-out delay with TIMEOUTconnect.

Mike

On 02.09.2015 05:28, Eric Poythress wrote:
> My stunnel.conf looks like this:
> 
> # Stunnel configuration file for Office 365 SMTP # Eric Poythress #
> GLOBAL OPTIONS client = yes output = stunnel-log.txt debug=7 
> taskbar=yes
> 
> # SERVICE-LEVEL OPTIONS [SMTP Outgoing] client = yes protocol =
> smtp accept = 25 connect = smtp.office365.com:587 verify = 2 CAfile
> = ca-certs.pem checkHost = smtp.office365.com
> 
> 
> A larger sample of my logs looks like this:
> 
> 2015.09.01 22:15:15 LOG5[1]: s_connect: connected
> 132.245.70.98:587 2015.09.01 22:15:15 LOG5[1]: Service [SMTP
> Outgoing] connected remote server from 192.168.100.41:1565 
> 2015.09.01 22:15:15 LOG7[1]: Remote socket (FD=468) initialized 
> 2015.09.01 22:15:15 LOG7[1]:  <- 220
> SN1PR15CA0037.outlook.office365.com Microsoft ESMTP MAIL Service
> ready at Wed, 2 Sep 2015 03:13:50 +0000 2015.09.01 22:15:15
> LOG7[1]:  -> 220 SN1PR15CA0037.outlook.office365.com Microsoft
> ESMTP MAIL Service ready at Wed, 2 Sep 2015 03:13:50 +0000 
> 2015.09.01 22:15:15 LOG7[1]:  -> EHLO localhost 2015.09.01 22:15:15
> LOG7[1]:  <- 250-SN1PR15CA0037.outlook.office365.com Hello
> [70.167.26.246] 2015.09.01 22:15:15 LOG7[1]:  <- 250-SIZE
> 157286400 2015.09.01 22:15:15 LOG7[1]:  <- 250-PIPELINING 
> 2015.09.01 22:15:15 LOG7[1]:  <- 250-DSN 2015.09.01 22:15:15
> LOG7[1]:  <- 250-ENHANCEDSTATUSCODES 2015.09.01 22:15:15 LOG7[1]:
> <- 250-STARTTLS 2015.09.01 22:15:15 LOG7[1]:  <- 250-8BITMIME 
> 2015.09.01 22:15:15 LOG7[1]:  <- 250-BINARYMIME 2015.09.01 22:15:15
> LOG7[1]:  <- 250 CHUNKING 2015.09.01 22:15:15 LOG7[1]:  ->
> STARTTLS 2015.09.01 22:15:16 LOG7[1]:  <- 220 2.0.0 SMTP server
> ready 2015.09.01 22:15:16 LOG6[1]: SNI: sending servername:
> smtp.office365.com 2015.09.01 22:15:16 LOG7[1]: SSL state
> (connect): before/connect initialization 2015.09.01 22:15:16
> LOG7[1]: SSL state (connect): SSLv3 write client hello A 2015.09.01
> 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server hello A 
> 2015.09.01 22:15:16 LOG7[1]: Verification started at depth=2: C=IE,
> O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root 2015.09.01
> 22:15:16 LOG7[1]: CERT: Pre-verification succeeded 2015.09.01
> 22:15:16 LOG6[1]: Certificate accepted at depth=2: C=IE,
> O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root 2015.09.01
> 22:15:16 LOG7[1]: Verification started at depth=1: C=US,
> ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT,
> CN=Microsoft IT SSL SHA1 2015.09.01 22:15:16 LOG7[1]: CERT:
> Pre-verification succeeded 2015.09.01 22:15:16 LOG6[1]: Certificate
> accepted at depth=1: C=US, ST=Washington, L=Redmond, O=Microsoft
> Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA1 2015.09.01
> 22:15:16 LOG7[1]: Verification started at depth=0: C=US, ST=WA,
> L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation,
> CN=outlook.com 2015.09.01 22:15:16 LOG7[1]: CERT: Pre-verification
> succeeded 2015.09.01 22:15:16 LOG6[1]: CERT: Host name
> "smtp.office365.com" matched with "*.office365.com" 2015.09.01
> 22:15:16 LOG5[1]: Certificate accepted at depth=0: C=US, ST=WA,
> L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation,
> CN=outlook.com 2015.09.01 22:15:16 LOG7[1]: SSL state (connect):
> SSLv3 read server certificate A 2015.09.01 22:15:16 LOG7[1]: SSL
> state (connect): SSLv3 read server key exchange A 2015.09.01
> 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server
> certificate request A 2015.09.01 22:15:16 LOG7[1]: SSL state
> (connect): SSLv3 read server done A 2015.09.01 22:15:16 LOG7[1]:
> SSL state (connect): SSLv3 write client certificate A 2015.09.01
> 22:15:16 LOG7[1]: SSL state (connect): SSLv3 write client key
> exchange A 2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3
> write change cipher spec A 2015.09.01 22:15:16 LOG7[1]: SSL state
> (connect): SSLv3 write finished A 2015.09.01 22:15:16 LOG7[1]: SSL
> state (connect): SSLv3 flush data 2015.09.01 22:15:16 LOG7[1]: SSL
> state (connect): SSLv3 read finished A 2015.09.01 22:15:16 LOG7[1]:
> 2 client connect(s) requested 2015.09.01 22:15:16 LOG7[1]:      2
> client connect(s) succeeded 2015.09.01 22:15:16 LOG7[1]:      0
> client renegotiation(s) requested 2015.09.01 22:15:16 LOG7[1]:
> 0 session reuse(s) 2015.09.01 22:15:16 LOG6[1]: SSL connected: new
> session negotiated 2015.09.01 22:15:16 LOG7[1]: Deallocating
> application specific data for addr index 2015.09.01 22:15:16
> LOG6[1]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-SHA384
> (256-bit encryption) 2015.09.01 22:15:16 LOG7[1]: Compression:
> null, expansion: null 2015.09.01 22:15:21 LOG6[1]: Read socket
> closed (readsocket) 2015.09.01 22:15:21 LOG7[1]: Sending
> close_notify alert 2015.09.01 22:15:21 LOG7[1]: SSL alert (write):
> warning: close notify 2015.09.01 22:15:21 LOG6[1]: SSL_shutdown
> successfully sent close_notify alert 2015.09.01 22:15:21 LOG6[1]:
> SSL socket closed (SSL_read) 2015.09.01 22:15:21 LOG7[1]: Sent
> socket write shutdown 2015.09.01 22:15:21 LOG5[1]: Connection
> closed: 71 byte(s) sent to SSL, 237 byte(s) sent to socket 
> 2015.09.01 22:15:21 LOG7[1]: Remote socket (FD=468) closed 
> 2015.09.01 22:15:21 LOG7[1]: Local socket (FD=440) closed 
> 2015.09.01 22:15:21 LOG7[1]: Service [SMTP Outgoing] finished (0
> left)
> 
> -Eric
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJV5p3xAAoJEC78f/DUFuAUQbgP/0MsjjGe3UMllzwE9YxMMJuq
5yJqG+7oKgfSQXBhqh/es1s6pzePajTThmGGwqzDqwmyQgMt+ogPlr6BGDOZ8Z2e
jKxqxs5qr/CfKTdSM7FYSERIO3YsTDwV5MYszb8aX6ECOQEzBG4vYiTmou86Gi8u
B3u+pn24EfHr3hgT78h6XSgc5O1OYr2yqzl8+79BqmGnzKheSBD8GOBQWrrYAdZt
GRmiuSMtsccqoPHGa2hUWZvXzCILUzL/992Ys4WWHOMSN6GNyhws18CPrIFgCjiX
mPhlUqh2ArinFhz/KaQy19G6g6xzCXMw/ss1iY96bMv/SdzBThfuDuJ/neJtmr4p
7cC4IkrqlOUdp9YZgCSdizK12Y2D4mizZt0dGI9GJA547irLfii+3cFRA1z/TTtX
xj9I5nXHAfdrrPtPlt9vq8y4idmpqU2lxbNSUuo267fSddDuOj7cZDfpF9NIj/Ub
dKn4bXX4HvcHziPE/EYhuKW5FkxjD712uBkQOsoCQKXmUXcGNJ4E1NSHcUgww0i6
JMphsVdAwfa2rd7c+Qz2yKwWp5wq0XZ575lHrqQp3gVqaNDp15vErwR7ja0Oh4yW
JPXjOGsfN3sHmOwML+CWwDyx8JPI/tG5yk996vnZKU7zQbEaiIusYHQ5JYjtP/p4
JVZtkuv62adPKyQIYGp1
=fS1S
-----END PGP SIGNATURE-----


More information about the stunnel-users mailing list