stunnel error - Security

  1. stunnel error

    Hi,
    the firewall at our place does not allow us to use port 25. My ISP does not use
    port 587 for SMTP. That's why I want to use stunnel to tunnel through our
    firewall to an external server.

    this is the stunnel config at my computer:
    chroot = /var/run/stunnel/
    pid = /stunnel.pid
    setuid = stunnel
    setgid = stunnel
    debug = 7
    output = /var/log/stunnel.log
    client = yes

    [ssmtp]
    accept = 26
    connect = externalserver:465
    protocol = smtp


    this is the stunnel config at the external server:
    chroot = /var/run/stunnel
    pid = /stunnel.pid
    setuid = stunnel
    setgid = stunnel
    debug = 7
    output = /var/log/stunnel.log
    client = yes

    [ssmtp]
    accept = 465
    connect = isp-mailserver:25
    protocol = smtp

    These are the error messages I get:

    stunnel.log on my computer:
    -------------------------------
    2006.04.13 09:46:36 LOG5[25939:3086329536]: Received signal 15; terminating
    2006.04.13 09:46:36 LOG7[25939:3086329536]: removing pid file /stunnel.pid
    2006.04.13 09:46:55 LOG5[25957:3086816960]: stunnel 4.08 on i386-redhat-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7f 22 Mar 2005
    2006.04.13 09:46:55 LOG7[25957:3086816960]: Snagged 64 random bytes from /root/.rnd
    2006.04.13 09:46:55 LOG7[25957:3086816960]: Wrote 1024 new random bytes to /root/.rnd
    2006.04.13 09:46:55 LOG7[25957:3086816960]: RAND_status claims sufficient entropy for the PRNG
    2006.04.13 09:46:55 LOG6[25957:3086816960]: PRNG seeded successfully
    2006.04.13 09:46:55 LOG6[25957:3086816960]: file ulimit = 1024 (can be changed with 'ulimit -n')
    2006.04.13 09:46:55 LOG6[25957:3086816960]: poll() used - no FD_SETSIZE limit for file descriptors
    2006.04.13 09:46:55 LOG5[25957:3086816960]: 500 clients allowed
    2006.04.13 09:46:55 LOG7[25957:3086816960]: FD 4 in non-blocking mode
    2006.04.13 09:46:55 LOG7[25957:3086816960]: FD 5 in non-blocking mode
    2006.04.13 09:46:55 LOG7[25957:3086816960]: FD 6 in non-blocking mode
    2006.04.13 09:46:55 LOG7[25957:3086816960]: SO_REUSEADDR option set on accept socket
    2006.04.13 09:46:55 LOG7[25957:3086816960]: ssmtp bound to 0.0.0.0:26
    2006.04.13 09:46:55 LOG7[25958:3086816960]: Created pid file /stunnel.pid
    2006.04.13 09:47:04 LOG7[25958:3086816960]: ssmtp accepted FD=7 from 127.0.0.1:44673
    2006.04.13 09:47:04 LOG7[25958:3086816960]: FD 7 in non-blocking mode
    2006.04.13 09:47:04 LOG7[25958:3086814128]: ssmtp started
    2006.04.13 09:47:04 LOG5[25958:3086814128]: ssmtp connected from 127.0.0.1:44673
    2006.04.13 09:47:04 LOG7[25958:3086814128]: FD 8 in non-blocking mode
    2006.04.13 09:47:04 LOG7[25958:3086814128]: ssmtp connecting 192.168.2.103:465
    2006.04.13 09:47:04 LOG7[25958:3086814128]: connect_wait: waiting 10 seconds
    2006.04.13 09:47:04 LOG7[25958:3086814128]: connect_wait: connected
    2006.04.13 09:47:04 LOG7[25958:3086814128]: Remote FD=8 initialized
    2006.04.13 09:47:04 LOG5[25958:3086814128]: Negotiations for smtp (client side) started
    2006.04.13 09:47:04 LOG7[25958:3086814128]: *<- 220 isp-mailserver ESMTP Arcor-IP..
    2006.04.13 09:47:04 LOG7[25958:3086814128]: *-> 220 isp-mailserver ESMTP Arcor-IP..
    2006.04.13 09:47:04 LOG7[25958:3086814128]: *-> EHLO localhost
    2006.04.13 09:47:04 LOG3[25958:3086814128]: readsocket (fdscanf): Connection reset by peer (104)
    2006.04.13 09:47:04 LOG5[25958:3086814128]: Protocol negotiation failed
    2006.04.13 09:47:04 LOG3[25958:3086814128]: Protocol negotiations failed
    2006.04.13 09:47:04 LOG7[25958:3086814128]: ssmtp finished (0 left)

    stunnel.log on the external server:
    ------------------------------

    2006.04.13 09:43:53 LOG5[10696:3086755520]: stunnel 4.08 on i386-redhat-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7f 22 Mar 2005
    2006.04.13 09:43:53 LOG7[10696:3086755520]: Snagged 64 random bytes from /root/.rnd
    2006.04.13 09:43:53 LOG7[10696:3086755520]: Wrote 1024 new random bytes to /root/.rnd
    2006.04.13 09:43:53 LOG7[10696:3086755520]: RAND_status claims sufficient entropy for the PRNG
    2006.04.13 09:43:53 LOG6[10696:3086755520]: PRNG seeded successfully
    2006.04.13 09:43:53 LOG6[10696:3086755520]: file ulimit = 1024 (can be changed with 'ulimit -n')
    2006.04.13 09:43:53 LOG6[10696:3086755520]: poll() used - no FD_SETSIZE limit for file descriptors
    2006.04.13 09:43:53 LOG5[10696:3086755520]: 500 clients allowed
    2006.04.13 09:43:53 LOG7[10696:3086755520]: FD 4 in non-blocking mode
    2006.04.13 09:43:53 LOG7[10696:3086755520]: FD 5 in non-blocking mode
    2006.04.13 09:43:53 LOG7[10696:3086755520]: FD 6 in non-blocking mode
    2006.04.13 09:43:53 LOG7[10696:3086755520]: SO_REUSEADDR option set on accept socket
    2006.04.13 09:43:53 LOG7[10696:3086755520]: ssmtp bound to 0.0.0.0:465
    2006.04.13 09:43:53 LOG7[10697:3086755520]: Created pid file /stunnel.pid
    2006.04.13 09:44:37 LOG7[10697:3086755520]: ssmtp accepted FD=7 from 192.168.2.108:43217
    2006.04.13 09:44:37 LOG7[10697:3086755520]: FD 7 in non-blocking mode
    2006.04.13 09:44:37 LOG7[10697:3086900144]: ssmtp started
    2006.04.13 09:44:37 LOG5[10697:3086900144]: ssmtp connected from 192.168.2.108:43217
    2006.04.13 09:44:37 LOG7[10697:3086900144]: FD 8 in non-blocking mode
    2006.04.13 09:44:37 LOG7[10697:3086900144]: ssmtp connecting 145.253.2.14:25
    2006.04.13 09:44:37 LOG7[10697:3086900144]: connect_wait: waiting 10 seconds
    2006.04.13 09:44:37 LOG7[10697:3086900144]: connect_wait: connected
    2006.04.13 09:44:37 LOG7[10697:3086900144]: Remote FD=8 initialized
    2006.04.13 09:44:37 LOG5[10697:3086900144]: Negotiations for smtp (client side) started
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *<- 220 isp-mailserver ESMTP Arcor-IP.
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *-> 220 isp-mailserver ESMTP Arcor-IP.
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *-> EHLO localhost
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *<- 250-isp-mailserver.
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *<- 250-PIPELINING.
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *<- 250-SIZE 58573455.
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *<- 250-VRFY.
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *<- 250-ETRN.
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *<- 250-AUTH LOGIN CRAM-MD5 PLAIN.
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *<- 250-AUTH=LOGIN CRAM-MD5 PLAIN.
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *<- 250 8BITMIME.
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *-> STARTTLS
    2006.04.13 09:44:37 LOG7[10697:3086900144]: *<- 502 Error: command not implemented.
    2006.04.13 09:44:37 LOG3[10697:3086900144]: Remote server is not RFC 2487 compliant
    2006.04.13 09:44:37 LOG5[10697:3086900144]: Protocol negotiation failed
    2006.04.13 09:44:37 LOG3[10697:3086900144]: Protocol negotiations failed
    2006.04.13 09:44:37 LOG7[10697:3086900144]: ssmtp finished (0 left)

    The external server and my computer run Fedora Core 4.

    Does anybody understand what's wrong here?

    Thanks in advance

    Sten

  2. Re: stunnel error

    Sten Sture wrote:

    > Hi,
    > the firewall at our place does not allow us to use port 25. My ISP does not
    > use port 587 for SMTP. That's why I want to use stunnel to tunnel through
    > our firewall to an external server.
    >
    > this is the stunnel config at my computer:
    > chroot = /var/run/stunnel/
    > pid = /stunnel.pid
    > setuid = stunnel
    > setgid = stunnel
    > debug = 7
    > output = /var/log/stunnel.log
    > client = yes
    >
    > [ssmtp]
    > accept = 26
    > connect = externalserver:465
    > protocol = smtp
    >
    >
    > this is the stunnel config at the external server:
    > chroot = /var/run/stunnel
    > pid = /stunnel.pid
    > setuid = stunnel
    > setgid = stunnel
    > debug = 7
    > output = /var/log/stunnel.log
    > client = yes
    >
    > [ssmtp]
    > accept = 465
    > connect = isp-mailserver:25
    > protocol = smtp
    >


    Both ends can't be a client. I think you're getting confused about TLS too.

    There's no need to use stunnel - if your local MTA can't send across a
    non-standard port then you could use something like tcpxd to forward it
    (IIRC it's possible with just iptables - but not trivial). You could do it
    with Stunnel - but you need to run the server end as a server (not a
    client).

    HTH

    C.
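    For reference, here is a corrected pair of stunnel configurations following the advice above. This is an added example, not the poster's or the replier's own config: the two halves are separate files on the two machines, the `/etc/stunnel/...` certificate paths and the hostnames `externalserver` and `isp-mailserver` are assumed placeholders, and `protocol = smtp` is dropped on both ends because port 465 is TLS from the first byte and the posted server log shows the ISP's port 25 rejecting STARTTLS with `502`.

    ```ini
    ; ===== file 1: /etc/stunnel/stunnel.conf on the local machine (client end) =====
    chroot = /var/run/stunnel/
    pid = /stunnel.pid
    setuid = stunnel
    setgid = stunnel
    debug = 7
    output = /var/log/stunnel.log
    client = yes
    ; verify the external server's certificate rather than accepting any peer;
    ; the CA file path is an assumed placeholder
    verify = 2
    CAfile = /etc/stunnel/externalserver-ca.pem

    [ssmtp]
    accept = 26
    connect = externalserver:465
    ; no "protocol = smtp": the local MTA speaks plain SMTP into the tunnel and
    ; stunnel wraps it in TLS immediately, so no STARTTLS negotiation is needed

    ; ===== file 2: /etc/stunnel/stunnel.conf on the external server (server end) =====
    ; "client = yes" removed: this end must accept TLS, not initiate it
    chroot = /var/run/stunnel
    pid = /stunnel.pid
    setuid = stunnel
    setgid = stunnel
    debug = 7
    output = /var/log/stunnel.log
    ; server mode needs a certificate and key to present to the client;
    ; these paths are assumed placeholders
    cert = /etc/stunnel/externalserver.pem
    key = /etc/stunnel/externalserver.key

    [ssmtp]
    accept = 465
    connect = isp-mailserver:25
    ; no "protocol = smtp" here either: the ISP answered STARTTLS with
    ; "502 Error: command not implemented" in the posted log, so this end hands
    ; the decrypted stream to the ISP as plain SMTP on port 25
    ```

    Only the hop between the two stunnel instances is encrypted; the final leg from the external server to the ISP on port 25 remains cleartext, exactly as the 502 response implies.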
