
Hi ServerFault community,

I posted this to the stunnel-users mailing list on 30 April 2018 and again on 16 May 2018 (https://www.stunnel.org/pipermail/stunnel-users/2018-April/006000.html); unfortunately, no one there seems to know the answer, so now I am trying my luck with the experts here.

The following is a verbatim quote from the mail to the mailing list.

Hi List,

I have just joined the stunnel community.

I am in the process of migrating our mail server's public-facing ports to stunnel for PCI compliance reasons.

So far I have managed to get the following working:

  • imap (143/tcp) with starttls
  • imaps (993/tcp)
  • pop3 (110/tcp) with starttls
  • pop3s (995/tcp)

My trouble is with smtp (25/tcp, 587/tcp) with starttls.

I have now tried a couple of different mail clients and every one of them tells me that the server does not support the authentication protocols.

I have installed stunnel 5.44. The relevant parts of my config:

[mail2-imap]
protocol = imap
accept = 143
connect = <mail-fqdn>:143

[mail2-imaps]
accept = 993
connect = <mail-fqdn>:143

[mail2-pop3]
protocol = pop3
accept = 110
connect = <mail-fqdn>:110

[mail2-pop3s]
accept = 995
connect = <mail-fqdn>:110

[mail2-smtp]
protocol = smtp
accept = 25
connect = <mail-fqdn>:25

[mail2-smtps]
accept = 465
connect = <mail-fqdn>:465

[mail2-smtps-submission]
debug = 7
protocol = smtp
accept = 587
connect = <mail-fqdn>:587

In the log file I have the following entries upon connecting:

2018.04.30 09:20:50 LOG7[5]: Service [mail2-smtps-submission] started
2018.04.30 09:20:50 LOG7[5]: Option TCP_NODELAY set on local socket
2018.04.30 09:20:50 LOG5[5]: Service [mail2-smtps-submission] accepted connection from 41.13.8.49:56890
2018.04.30 09:20:50 LOG6[5]: s_connect: connecting 10.10.11.2:587
2018.04.30 09:20:50 LOG7[5]: s_connect: s_poll_wait 10.10.11.2:587: waiting 10 seconds
2018.04.30 09:20:50 LOG5[5]: s_connect: connected 10.10.11.2:587
2018.04.30 09:20:50 LOG5[5]: Service [mail2-smtps-submission] connected remote server from 10.10.11.11:42466
2018.04.30 09:20:50 LOG7[5]: Option TCP_NODELAY set on remote socket
2018.04.30 09:20:50 LOG7[5]: Remote descriptor (FD=23) initialized
2018.04.30 09:20:50 LOG7[5]: RFC 2487 detected
2018.04.30 09:20:50 LOG7[5]:  <- 220 <mail-fqdn> ESMTP Postfix
2018.04.30 09:20:50 LOG7[5]:  -> 220 <mail-fqdn> stunnel for ESMTP Postfix
2018.04.30 09:20:51 LOG7[5]:  <- EHLO [100.125.153.220]
2018.04.30 09:20:51 LOG7[5]:  -> 250-<mail-fqdn>
2018.04.30 09:20:51 LOG7[5]:  -> 250 STARTTLS
2018.04.30 09:20:51 LOG7[5]:  <- STARTTLS
2018.04.30 09:20:51 LOG7[5]:  -> 220 Go ahead
2018.04.30 09:20:51 LOG6[5]: Peer certificate not required
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): before/accept initialization
2018.04.30 09:20:51 LOG7[5]: SNI: no virtual services defined
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 read client hello A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write server hello A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write certificate A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write key exchange A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 write server done A
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 flush data
2018.04.30 09:20:51 LOG7[5]: TLS state (accept): SSLv3 read client certificate A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read client key exchange A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read certificate verify A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 read finished A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 write change cipher spec A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 write finished A
2018.04.30 09:20:52 LOG7[5]: TLS state (accept): SSLv3 flush data
2018.04.30 09:20:52 LOG7[5]: New session callback
2018.04.30 09:20:52 LOG7[5]:      2 server accept(s) requested
2018.04.30 09:20:52 LOG7[5]:      2 server accept(s) succeeded
2018.04.30 09:20:52 LOG7[5]:      0 server renegotiation(s) requested
2018.04.30 09:20:52 LOG7[5]:      0 session reuse(s)
2018.04.30 09:20:52 LOG7[5]:      2 internal session cache item(s)
2018.04.30 09:20:52 LOG7[5]:      0 internal session cache fill-up(s)
2018.04.30 09:20:52 LOG7[5]:      0 internal session cache miss(es)
2018.04.30 09:20:52 LOG7[5]:      0 external session cache hit(s)
2018.04.30 09:20:52 LOG7[5]:      0 expired session(s) retrieved
2018.04.30 09:20:52 LOG6[5]: TLS accepted: new session negotiated
2018.04.30 09:20:52 LOG6[5]: No peer certificate received
2018.04.30 09:20:52 LOG6[5]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2018.04.30 09:20:52 LOG7[5]: Compression: null, expansion: null
2018.04.30 09:20:52 LOG6[5]: Read socket closed (read hangup)
2018.04.30 09:20:52 LOG7[5]: Sending close_notify alert
2018.04.30 09:20:52 LOG7[5]: TLS alert (write): warning: close notify
2018.04.30 09:20:52 LOG6[5]: SSL_shutdown successfully sent close_notify alert
2018.04.30 09:20:52 LOG6[5]: TLS fd: Connection reset by peer (104)
2018.04.30 09:20:52 LOG6[5]: TLS socket closed (SSL_read)
2018.04.30 09:20:52 LOG7[5]: Sent socket write shutdown
2018.04.30 09:20:52 LOG5[5]: Connection closed: 156 byte(s) sent to TLS, 30 byte(s) sent to socket
2018.04.30 09:20:52 LOG7[5]: Remote descriptor (FD=23) closed
2018.04.30 09:20:52 LOG7[5]: Local descriptor (FD=22) closed
2018.04.30 09:20:52 LOG7[5]: Service [mail2-smtps-submission] finished (4 left)

This is the error I am getting from K9-Mail: [image: K9-Mail Error]

The Google Mail app just tells me: [image: Google Mail Error]

Alpine (Linux command-line SMTP client): [image: Alpine Client Error]

Any advice from the gurus?

Kind regards

I Coetzee
  • Do `:25` and `:587` successfully support SMTP authentication when you make a direct unencrypted connection to those services with those same mail clients? Or: is stunnel the problem or your mail server. (Also, rather than using stunnel to proxy traffic I would simply configure mail-fqdn that seems to be running Postfix directly with your certificates...) – HBruijn May 17 '18 at 07:14
  • Why do you use stunnel at all? Any currently supported SMTP server software can do TLS natively. Get rid of stunnel and configure the SMTP server. – Michael Hampton May 17 '18 at 08:01
  • Hi @MichaelHampton, I am using stunnel to set up a split horizon. The mail server still needs to be able to handle unencrypted, or reduced-security, connections from inside the network. @HBruijn, I can connect on SSL to the mail server when the stunnel is out of the loop – I Coetzee May 17 '18 at 11:38
  • That's why there are separate ports for everything. It still doesn't make sense to use stunnel. – Michael Hampton May 17 '18 at 12:26
  • There is also the issue of the mail server not supporting anything above TLSv1, as well as some of the end-user mail clients not supporting anything above SSLv3. The risk on both of these points will be mitigated by the forced use of a VPN connection for non-secure connections, and connections through the stunnel are then used for access from the greater internet for secure mobile access – I Coetzee May 17 '18 at 12:53
  • *" I can connect on SSL to the mailserver when the stunnel is out of the loop"* - that is all fine and dandy, but as far as I can tell your stunnel configuration terminates the TLS connection and makes a non-SSL connection to your mailserver. Typically mailservers are configured to NOT allow authentication to take place when no SSL/TLS is used. – HBruijn May 17 '18 at 14:51
  • @HBruijn, yes I just tested and AUTH is not allowed on an unencrypted connection to the server, thank you for the pointer. – I Coetzee May 18 '18 at 06:35
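The check HBruijn asks for in the comments (does the service offer AUTH on a clear-text connection, and does it after STARTTLS?) can be scripted instead of eyeballed in a mail client. The following is an added example and not code from the thread: a small probe built on Python's standard smtplib that records the EHLO capabilities before and after STARTTLS. It also contains a constructed in-process SMTP server that imitates what a Postfix with `smtpd_tls_auth_only = yes` shows on the clear-text hop behind stunnel (STARTTLS advertised, no AUTH); that server, its hostname `fake.example` and the `probe.example` EHLO name are test scaffolding, not anything from the original post.

```python
#!/usr/bin/env python3
"""Probe an SMTP endpoint and report whether AUTH is offered in clear text
and after STARTTLS.  Added example, not code from the thread.  Run it against
the public stunnel port and against the backend directly: a Postfix with
smtpd_tls_auth_only=yes advertises no AUTH on the clear-text leg, which is
exactly what a server-mode stunnel section forwards to it."""
import smtplib
import socketserver
import ssl
import threading


def auth_mechanisms(esmtp_features):
    """smtplib collects EHLO keywords (lower-cased) in SMTP.esmtp_features;
    the AUTH value is the space-separated mechanism list, possibly with a
    leading space.  Returns [] when AUTH was not advertised at all."""
    auth = esmtp_features.get("auth")
    return auth.split() if auth is not None else []


def probe(host, port, timeout=10, try_starttls=True):
    """Return what host:port advertises in clear text and, if STARTTLS is
    offered and try_starttls is set, what it advertises after STARTTLS."""
    result = {"auth_plain": [], "starttls": False,
              "auth_tls": None, "starttls_error": None}
    # local_hostname is only the EHLO argument; setting it skips a slow lookup
    with smtplib.SMTP(host, port, local_hostname="probe.example",
                      timeout=timeout) as s:
        s.ehlo()
        result["auth_plain"] = auth_mechanisms(s.esmtp_features)
        result["starttls"] = s.has_extn("starttls")
        if result["starttls"] and try_starttls:
            # Diagnostic probe only: verification is disabled so a self-signed
            # or mismatched certificate does not hide the answer to the AUTH
            # question.  A real mail client must never do this.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            try:
                s.starttls(context=ctx)
                s.ehlo()  # capabilities must be re-read after STARTTLS
                result["auth_tls"] = auth_mechanisms(s.esmtp_features)
            except (smtplib.SMTPException, OSError) as exc:
                result["starttls_error"] = str(exc)
    return result


class _FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the clear-text hop to a Postfix with
    smtpd_tls_auth_only=yes: STARTTLS is advertised, AUTH only when the
    server object says so.  STARTTLS itself is a stub that answers 454."""

    def handle(self):
        self.wfile.write(b"220 fake.example ESMTP (constructed test server)\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.strip().upper()
            if cmd.startswith((b"EHLO", b"HELO")):
                caps = [b"250-fake.example", b"250-STARTTLS"]
                if self.server.advertise_auth:
                    caps.append(b"250-AUTH PLAIN LOGIN")
                caps.append(b"250 8BITMIME")
                self.wfile.write(b"\r\n".join(caps) + b"\r\n")
            elif cmd.startswith(b"STARTTLS"):
                self.wfile.write(b"454 TLS not available (stub)\r\n")
            elif cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def start_fake_server(advertise_auth):
    """Start the constructed server on a free loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSMTPHandler)
    server.daemon_threads = True
    server.advertise_auth = advertise_auth
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 587))
    else:  # no target given: demonstrate against the constructed server
        srv, port = start_fake_server(advertise_auth=False)
        print("clear-text hop, tls_auth_only backend:", probe("127.0.0.1", port))
        srv.shutdown()
```

Reading the result: if `auth_tls` is empty when probing the public stunnel port but the backend lists mechanisms when probed directly with STARTTLS, the terminator is handing the backend a clear-text session, which is what the thread concluded. `try_starttls=False` gives the view of the clear-text hop only, the question HBruijn raised.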

2 Answers


From your comments:

The problem is that your mail server is already configured with an SSL certificate and will therefore only allow SMTP authentication when it detects a secure encrypted connection.

As far as I can tell, your stunnel server terminates the secure connection a client makes and establishes a second, unencrypted, clear-text SMTP connection to your mail server.

The mail server then refuses to accept any authentication request made by the client because, as far as it can determine, the client would otherwise be sending their username and password over an insecure connection.

The problem is that stunnel is designed to convert clear-text protocols to SSL-secured ones and vice versa, but what you want to do requires a “man in the middle” setup where you take an incoming SSL connection and create an outgoing SSL connection, which requires some trickery:

https://serverfault.com/a/247967/37681

HBruijn

Thanks to HBruijn for pointing me in the right direction.

I ended up doing the following, extracted from my config:

[mail2-smtp]
protocol = smtp
accept = 25
connect = localhost:26

[mail2-smtps]
accept = 465
connect = localhost:26

[mail2-smtp-submission]
protocol = smtp
accept = 587
connect = localhost:26

[mail2-smtp-ssl-client]
protocol = smtp
accept = 26
client = yes
connect = <mail-fqdn>:587

The key is the last part that establishes a secure connection to the mail server.

I Coetzee
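The chain in this answer works because the last section makes stunnel the TLS client towards Postfix, so the backend sees an encrypted session and offers AUTH. Two things a practitioner would tighten before exposing it, shown as an added example rather than the original poster's config: `accept = 26` listens on every interface, so the clear-text hop must be bound to loopback, and stunnel in client mode verifies nothing by default, so the backend's certificate should be checked. The CA bundle path `/etc/stunnel/mail-ca.pem` is a hypothetical placeholder; `verifyChain`, `CAfile` and `checkHost` are stunnel 5.x options.

```ini
; Added example, not the original poster's config: the same server-to-client
; chain with the clear-text hop restricted to loopback and the backend
; certificate verified.  Assumed: the CA that issued <mail-fqdn>'s certificate
; is in /etc/stunnel/mail-ca.pem (hypothetical path).

[mail2-smtp]
protocol = smtp
accept = 25
connect = 127.0.0.1:26

[mail2-smtps]
accept = 465
connect = 127.0.0.1:26

[mail2-smtp-submission]
protocol = smtp
accept = 587
connect = 127.0.0.1:26

[mail2-smtp-ssl-client]
client = yes
protocol = smtp
; "accept = 26" listens on every interface: anyone who can reach port 26 sends
; credentials in clear text to it and reaches the backend's submission service
; without passing through the public TLS terminator above
accept = 127.0.0.1:26
connect = <mail-fqdn>:587
; client mode accepts any certificate unless told otherwise; pin issuer and name
verifyChain = yes
CAfile = /etc/stunnel/mail-ca.pem
checkHost = <mail-fqdn>
```

With this layout the TLSv1-only backend mentioned in the comments is only ever spoken to on the last leg; the internet-facing sections negotiate whatever the stunnel host's OpenSSL supports, which in the log above was TLSv1.2 with ECDHE-RSA-AES128-GCM-SHA256.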