We have a number of hosts in private IP space that we'd like to be able
to send mail to smtp.office365.com:587.
I'm trying to configure stunnel for this purpose.
What I'd like is to set up a stunnel instance on a server which will
accept TLS connections on port 50025. Stunnel will then connect to
smtp.office365.com:587 which also uses
TLS. How can I do this?
I am able to configure stunnel to accept my connection on 587, but the
connection is immediately closed (below). If I add client = yes, then I
just get:
aculver stunnel # egrep -v '^;|^$' stunnel.conf
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015
setuid = nobody
setgid = nogroup
pid = /usr/local/var/run/stunnel/stunnel.pid
[o365-smtp]
accept = 50025
cert = /usr/local/etc/stunnel/stunnel.pem
connect = smtp.office365.com:587
verifyChain = yes
CApath = /etc/ssl/certs
protocol = smtp
aculver stunnel # openssl s_client -starttls smtp -connect localhost:50025
CONNECTED(00000003)
...
139954991064736:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1263:SSL alert number 40
139954991064736:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
---
Hi Andrew,
I suggest you set the debugging stuff, it may be useful for troubleshooting:
debug = debug
output = /usr/local/var/log/stunnel.log
In the stunnel.log file, you can find all log messages from stunnel, I
think in this case:
2017.01.19 05:08:28 LOG7[10763]: TLS alert (write): fatal: handshake failure
2017.01.19 05:08:28 LOG3[10763]: SSL_accept: 140890C7:
error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not
return a certificate
2017.01.19 05:08:28 LOG5[10763]: Connection reset: 0 byte(s) sent to
TLS, 0 byte(s) sent to socket
Your [o365-smtp] service requests the peer certificate and verifies the
peer certificate chain, so you should send the client certificate.
# openssl s_client -starttls smtp -connect localhost:50025 -cert mycert.pem
Regards
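
An added example, not part of either message and not stunnel's own code: a small Python check that reads a stunnel.conf and reports service sections whose verifyChain/verifyPeer setting does not fit the section's mode, which is the condition behind the "peer did not return a certificate" log line above. The [relay-out] section, its port 50026 and the finding labels are assumptions made for illustration.

```python
import re

# Constructed sample: the [o365-smtp] service from the post (server mode, since
# "client = yes" is absent) plus a hypothetical client-mode section, [relay-out].
SAMPLE_CONF = """\
setuid = nobody
[o365-smtp]
accept = 50025
cert = /usr/local/etc/stunnel/stunnel.pem
connect = smtp.office365.com:587
verifyChain = yes
CApath = /etc/ssl/certs
protocol = smtp
[relay-out]
client = yes
accept = 127.0.0.1:50026
connect = smtp.office365.com:587
protocol = smtp
"""

def parse_services(text):
    """Return {section: {lowercased option: value}}; global options and ';' comments are skipped."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = services.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return services

def audit(text):
    """Flag sections whose peer verification does not fit their mode.
    Only verifyChain and verifyPeer are inspected, not the legacy "verify" level."""
    findings = []
    for name, opts in parse_services(text).items():
        is_client = opts.get("client", "no").lower() == "yes"
        verifies = any(opts.get(k, "no").lower() == "yes"
                       for k in ("verifychain", "verifypeer"))
        if verifies and not is_client:
            # Server mode: the peer being verified is the connecting client.
            findings.append((name, "server-requires-client-cert"))
        elif is_client and not verifies:
            # Client mode: the remote server's certificate is accepted unchecked.
            findings.append((name, "client-no-peer-verification"))
    return findings

if __name__ == "__main__":
    for section, issue in audit(SAMPLE_CONF):
        print(f"[{section}] {issue}")
```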