[stunnel-users] SMTP Authentication failed

Ian Coetzee stunnel-users at iancoetzee.za.net
Tue May 15 13:32:37 CEST 2018


Hi List,

Anyone with advice on this?

Kind regards

On 30 April 2018 at 11:44, Ian Coetzee <stunnel-users at iancoetzee.za.net>
wrote:

> Hi List,
>
> I have just joined the stunnel community.
>
> I am in the process of migrating our mailserver's public facing ports to
> stunnel for PCI compliance reasons.
>
> So far I have managed to get working:
>
> - imap (143/tcp) with starttls
> - imaps (993/tcp)
> - pop3 (110/tcp) with starttls
> - pop3s (995/tcp)
>
> My trouble is with smtp (25/tcp, 587/tcp) with starttls.
>
> I have now tried a couple different mail clients and every one of them
> tells me that the server does not support the authentication protocols.
>
> I have installed stunnel 5.44. The relevant parts in my config:
>
> [mail2-imap]
> protocol = imap
> accept = 143
> connect = <mail-fqdn>:143
>
> [mail2-imaps]
> accept = 993
> connect = <mail-fqdn>:143
>
> [mail2-pop3]
> protocol = pop3
> accept = 110
> connect = <mail-fqdn>:110
>
> [mail2-pop3s]
> accept = 995
> connect = <mail-fqdn>:110
>
> [mail2-smtp]
> protocol = smtp
> accept = 25
> connect = <mail-fqdn>:25
>
> [mail2-smtps]
> accept = 465
> connect = <mail-fqdn>:465
>
> [mail2-smtps-submission]
> debug = 7
> protocol = smtp
> accept = 587
> connect = <mail-fqdn>:587
>
> In the logfile I have the following entries upon connecting
>
> 2018.04.30 09:20:50 LOG7[5]: Service [mail2-smtps-submission] started
> 2018.04.30 09:20:50 LOG7[5]: Option TCP_NODELAY set on local socket
> 2018.04.30 09:20:50 LOG5[5]: Service [mail2-smtps-submission] accepted
> connection from 41.13.8.49:56890
> 2018.04.30 09:20:50 LOG6[5]: s_connect: connecting 10.10.11.2:587
> 2018.04.30 09:20:50 LOG7[5]: s_connect: s_poll_wait 10.10.11.2:587:
> waiting 10 seconds
> 2018.04.30 09:20:50 LOG5[5]: s_connect: connected 10.10.11.2:587
> 2018.04.30 09:20:50 LOG5[5]: Service [mail2-smtps-submission] connected
> remote server from 10.10.11.11:42466
> 2018.04.30 09:20:50 LOG7[5]: Option TCP_NODELAY set on remote socket
> 2018.04.30 09:20:50 LOG7[5]: Remote descriptor (FD=23) initialized
> 2018.04.30 09:20:50 LOG7[5]: RFC 2487 detected
> 2018.04.30 09:20:50 LOG7[5]:  <- 220 <mail-fqdn> ESMTP Postfix
> 2018.04.30 09:20:50 LOG7[5]:  -> 220 <mail-fqdn> stunnel for ESMTP Postfix
> 2018.04.30 09:20:51 LOG7[5]:  <- EHLO [100.125.153.220]
> 2018.04.30 09:20:51 LOG7[5]:  -> 250-<mail-fqdn>
> 2018.04.30 09:20:51 LOG7[5]:  -> 250 STARTTLS
> 2018.04.30 09:20:51 LOG7[5]:  <- STARTTLS
> 2018.04.30 09:20:51 LOG7[5]:  -> 220 Go ahead
> 2018.04.30 09:20:51 LOG6[5]: Peer certificate not required
> 2018.04.30 09:20:51 LOG7[5]: TLS state (accept): before/accept
> initialization
> 2018.04.30 09:20:51 LOG7[5]: SNI: no virtual services defined
> 2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 read client hello A
> 2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write server hello A
> 2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write certificate A
> 2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write key exchange A
> 2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write server done A
> 2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 flush data
> 2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 read client
> certificate A
> 2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read client key
> exchange A
> 2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read certificate
> verify A
> 2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read finished A
> 2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 write change cipher
> spec A
> 2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 write finished A
> 2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 flush data
> 2018.04.30 09:20:52 LOG7[5]: New session callback
> 2018.04.30 09:20:52 LOG7[5]:      2 server accept(s) requested
> 2018.04.30 09:20:52 LOG7[5]:      2 server accept(s) succeeded
> 2018.04.30 09:20:52 LOG7[5]:      0 server renegotiation(s) requested
> 2018.04.30 09:20:52 LOG7[5]:      0 session reuse(s)
> 2018.04.30 09:20:52 LOG7[5]:      2 internal session cache item(s)
> 2018.04.30 09:20:52 LOG7[5]:      0 internal session cache fill-up(s)
> 2018.04.30 09:20:52 LOG7[5]:      0 internal session cache miss(es)
> 2018.04.30 09:20:52 LOG7[5]:      0 external session cache hit(s)
> 2018.04.30 09:20:52 LOG7[5]:      0 expired session(s) retrieved
> 2018.04.30 09:20:52 LOG6[5]: TLS accepted: new session negotiated
> 2018.04.30 09:20:52 LOG6[5]: No peer certificate received
> 2018.04.30 09:20:52 LOG6[5]: Negotiated TLSv1.2 ciphersuite
> ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
> 2018.04.30 09:20:52 LOG7[5]: Compression: null, expansion: null
> 2018.04.30 09:20:52 LOG6[5]: Read socket closed (read hangup)
> 2018.04.30 09:20:52 LOG7[5]: Sending close_notify alert
> 2018.04.30 09:20:52 LOG7[5]: TLS alert (write): warning: close notify
> 2018.04.30 09:20:52 LOG6[5]: SSL_shutdown successfully sent close_notify
> alert
> 2018.04.30 09:20:52 LOG6[5]: TLS fd: Connection reset by peer (104)
> 2018.04.30 09:20:52 LOG6[5]: TLS socket closed (SSL_read)
> 2018.04.30 09:20:52 LOG7[5]: Sent socket write shutdown
> 2018.04.30 09:20:52 LOG5[5]: Connection closed: 156 byte(s) sent to TLS,
> 30 byte(s) sent to socket
> 2018.04.30 09:20:52 LOG7[5]: Remote descriptor (FD=23) closed
> 2018.04.30 09:20:52 LOG7[5]: Local descriptor (FD=22) closed
> 2018.04.30 09:20:52 LOG7[5]: Service [mail2-smtps-submission] finished (4
> left)
>
> This is the error I am getting from K9-Mail
>
>
> The google mail app just tells me:
>
>
> Alpine (linux commandline smtp client)
>
>
>
> Any advice from the gurus?
>
> Kind regards
> Ian
>
>
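
Added example, not part of the original post and not stunnel's own code: a small Python parser for the `debug = 7` log quoted above. It rejoins the lines the mail client wrapped and reports what the log records for the session: the extensions advertised in the pre-TLS EHLO reply, the negotiated TLS parameters, and the byte counts at close. The sample lines are copied from the quoted log; the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the quoted log above, keeping the
# "> " quote prefix and the hard wraps the mail client introduced.
SAMPLE = """\
> 2018.04.30 09:20:51 LOG7[5]:  <- EHLO [100.125.153.220]
> 2018.04.30 09:20:51 LOG7[5]:  -> 250-<mail-fqdn>
> 2018.04.30 09:20:51 LOG7[5]:  -> 250 STARTTLS
> 2018.04.30 09:20:51 LOG7[5]:  <- STARTTLS
> 2018.04.30 09:20:51 LOG7[5]:  -> 220 Go ahead
> 2018.04.30 09:20:52 LOG6[5]: Negotiated TLSv1.2 ciphersuite
> ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
> 2018.04.30 09:20:52 LOG6[5]: TLS fd: Connection reset by peer (104)
> 2018.04.30 09:20:52 LOG5[5]: Connection closed: 156 byte(s) sent to TLS,
> 30 byte(s) sent to socket
"""

STAMP = re.compile(r"^\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d LOG\d\[\d+\]: (.*)$")
BYTES = re.compile(r"(\d+) byte\(s\) sent to TLS,\s+(\d+) byte\(s\) sent to socket")

def unwrap(text):
    """Strip quote prefixes and rejoin records that were wrapped in transit."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        m = STAMP.match(line)
        if m:
            records.append(m.group(1).strip())
        elif line and records:          # no timestamp: continuation line
            records[-1] += " " + line
    return records

def summarize(text):
    """Report what the log records about one STARTTLS session."""
    s = {"pre_tls_caps": [], "tls": None, "to_tls": None, "to_socket": None, "reset": False}
    ehlo_seen, replies = False, []
    for msg in unwrap(text):
        if re.match(r"<- EHLO\b", msg):
            ehlo_seen = True
        elif ehlo_seen and (m := re.match(r"-> 250[- ](\S+)", msg)):
            replies.append(m.group(1))
        elif m := re.search(r"Negotiated (\S+) ciphersuite (\S+)", msg):
            s["tls"] = (m.group(1), m.group(2))
        elif m := BYTES.search(msg):
            s["to_tls"], s["to_socket"] = int(m.group(1)), int(m.group(2))
        elif "Connection reset by peer" in msg:
            s["reset"] = True
    s["pre_tls_caps"] = replies[1:]     # first 250 line is the server name
    return s
```

In this log the SMTP dialogue after the TLS handshake appears only as byte counts, so the summary covers the pre-TLS exchange and the session totals.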