[stunnel-users] Creating tunnel to smtp.office365.com:587

Małgorzata Olszówka gosia at olszowka.net
Thu Jan 19 11:40:00 CET 2017


> We have a number of hosts in private IP space that we'd like to be able
> to send mail to smtp.office365.com:587.
> I'm trying to configure stunnel for this purpose.
>
> What I'd like is to set up a stunnel instance on a server which will
> accept TLS connections on port 50025. Stunnel will then connect to
> smtp.office365.com:587, which also uses
> TLS. How can I do this?
>
> I am able to configure stunnel to accept my connection on 587, but the
> connection is immediately closed (below). If I add client = yes, then I
> just get:
>
>
> aculver stunnel # egrep -v '^;|^$' stunnel.conf
> ; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015
> setuid = nobody
> setgid = nogroup
> pid = /usr/local/var/run/stunnel/stunnel.pid
> [o365-smtp]
> accept = 50025
> cert = /usr/local/etc/stunnel/stunnel.pem
> connect = smtp.office365.com:587
> verifyChain = yes
> CApath = /etc/ssl/certs
> protocol = smtp
>
> aculver stunnel # openssl s_client -starttls smtp -connect localhost:50025
> CONNECTED(00000003)
> ...
> 139954991064736:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> handshake failure:s3_pkt.c:1263:SSL alert number 40
> 139954991064736:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:177:
> ---
>
Hi Andrew,
I suggest you set the debugging stuff; it may be useful for troubleshooting:
debug = debug
output = /usr/local/var/log/stunnel.log

In the stunnel.log file you can find all log messages from stunnel; in this case, I think:

2017.01.19 05:08:28 LOG7[10763]: TLS alert (write): fatal: handshake failure
2017.01.19 05:08:28 LOG3[10763]: SSL_accept: 140890C7: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
2017.01.19 05:08:28 LOG5[10763]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

Your [o365-smtp] service requests the peer certificate and verifies the peer certificate chain, so you should send the client certificate.

# openssl s_client -starttls smtp -connect localhost:50025 -cert mycert.pem

Regards
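As an added example (not code from either participant in this thread nor from the stunnel project), the Python below automates the two things the exchange above does by hand: it reads the quoted stunnel.conf and flags a service that runs in server mode (no `client = yes`) while requiring peer verification, and it parses stunnel log lines like those in the reply to extract the handshake-failure reason per connection. The configuration and log samples are constructed from the text of the thread; treating the bracketed number in `LOG3[10763]` as a per-connection identifier is an assumption.

```python
"""Added triage helpers for the stunnel problem in this thread (not stunnel code).

parse_stunnel_conf()/audit_services() flag a service in server mode that also
demands a peer certificate: stunnel then asks the connecting program for a
client certificate and aborts the handshake when none is sent.
triage_log() parses ``YYYY.MM.DD HH:MM:SS LOGn[id]: msg`` lines and reports,
per connection id, why a handshake failed. All sample input is constructed.
"""
import re
from collections import defaultdict

# stunnel log format as quoted in the thread; the bracketed number is treated
# here as a per-connection identifier (assumption).
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$"
)
# OpenSSL error strings carry the human-readable reason after the last colon.
OPENSSL_ERR = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:[^:]*:(?P<text>.*)$")

# Constructed copy of the configuration quoted in the thread.
SAMPLE_CONF = """\
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015
setuid = nobody
setgid = nogroup
pid = /usr/local/var/run/stunnel/stunnel.pid
[o365-smtp]
accept = 50025
cert = /usr/local/etc/stunnel/stunnel.pem
connect = smtp.office365.com:587
verifyChain = yes
CApath = /etc/ssl/certs
protocol = smtp
"""

# Constructed log: one failed handshake (id 10763) and one healthy connection.
SAMPLE_LOG = """\
2017.01.19 05:08:28 LOG7[10763]: TLS alert (write): fatal: handshake failure
2017.01.19 05:08:28 LOG3[10763]: SSL_accept: 140890C7: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
2017.01.19 05:08:28 LOG5[10763]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.01.19 05:09:03 LOG5[10764]: Connection closed: 512 byte(s) sent to TLS, 1024 byte(s) sent to socket
""".splitlines()


def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); ``key = value`` lines before the
    first ``[name]`` header are global, ';' starts a comment."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # skip malformed lines rather than abort the audit
            current[key.strip()] = value.strip()
    return global_opts, services


def audit_services(services):
    """List services that reject connecting programs lacking a certificate.

    Without ``client = yes`` a service terminates TLS for whatever connects to
    ``accept``; with ``verifyChain = yes``, ``verifyPeer = yes`` or ``verify``
    >= 2 it then requires a client certificate (the failure in the thread).
    In client mode the same options verify the remote server instead.
    """
    findings = []
    for name, opts in services.items():
        o = {k.lower(): v.lower() for k, v in opts.items()}
        verify = o.get("verify", "0")
        requires_cert = (
            o.get("verifychain") == "yes"
            or o.get("verifypeer") == "yes"
            or (verify.isdigit() and int(verify) >= 2)
        )
        if requires_cert and o.get("client") != "yes":
            findings.append(
                f"[{name}] runs in server mode with peer verification: connecting "
                "programs must present a client certificate (openssl s_client -cert), "
                "or set 'client = yes' if the service should verify the remote server"
            )
    return findings


def triage_log(lines):
    """Return {connection id: reason} for connections whose handshake failed."""
    by_conn = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            by_conn[int(m.group("conn"))].append(m.group("msg"))
    failures = {}
    for conn, msgs in by_conn.items():
        if not any("handshake failure" in msg for msg in msgs):
            continue
        reason = "handshake failure (no OpenSSL error logged)"
        for msg in msgs:
            if msg.startswith(("SSL_accept:", "SSL_connect:")):
                err = OPENSSL_ERR.search(msg)
                reason = err.group("text") if err else msg
                break
        failures[conn] = reason
    return failures


if __name__ == "__main__":
    _, services = parse_stunnel_conf(SAMPLE_CONF)
    for finding in audit_services(services):
        print("config:", finding)
    for conn, reason in triage_log(SAMPLE_LOG).items():
        print(f"log: connection {conn} failed: {reason}")
```

Run against the samples, the audit reports the [o365-smtp] service and the log triage attributes connection 10763 to "peer did not return a certificate", which is the same diagnosis the reply reaches by reading stunnel.log directly.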
