[stunnel-users] Re: stunnel smtp tls frontend server/proxy for remote backend postfix

Mon, 09 Oct 2023 01:48:00 -0700
So if both sides can do TLS natively, why the need for stunnel? Not saying you shouldn't, just asking..... 

Do you control the postfix side?




------ Original Message ------

From "James Thornton" <ja...@jamesthornton.com>

To "Stewart Anderson" <stuson_2...@yahoo.co.uk>; 
stunnel-users@stunnel.org

Date 09/10/2023 04:20:16

Subject [stunnel-users] Re: stunnel smtp tls frontend server/proxy for 
remote backend postfix



The direction is mail sent from an external email address to stunnel 
(running on google cloud) for delivery to a postfix mailbox running on 
a local network.



I posted this question on serverfault 
(https://serverfault.com/questions/1145279/stunnel-smtp-tls-frontend-server-proxy-for-remote-backend-postfix), 
and someone said the problem may be either stunnel strips the ip and/or 
the the sender is trying to switch to TLS on postfix, not realizing the 
TLS connection has already been made by stunnel.





On Sat, Oct 7, 2023 at 9:22 AM Stewart Anderson 
<stuson_2...@yahoo.co.uk> wrote:

Client and server will both negotiate SSL.  Your server mode is 
presenting a certificate.



It's not clear from your config /text which direction your traffic is 
going !!



If it's incoming from Google to your postfix server then server mode 
is correct.  Stunnel will negotiate the SSL and then forward to 
postfix in clear.  If the handshake isn't happening, have you put 
Google's cert in your CA certs somewhere?



What confuses it for me is the Google internal IP reference.  If you 
are getting traffic from Google then stunnel would need to be 
accepting on the host where stunnel is, so only a port is required in 
the accept.  This can be on a machine in your DMZ or behind a 
firewall, e.g. on or close to your postfix server.


Hope that helps.




Stewart
stuson_2...@yahoo.co.uk


On 6 October 2023 05:51:14 "ja...@jamesthornton.com" 
<ja...@jamesthornton.com> wrote:



I'm running stunnel in server mode and listening on port 587 and 
trying to connect to a remote postfix server running on port 25.



NB: the two servers are connected via zerortier, which may or may no 
be relevant to the issue.


DEBUG = 7

[ssmtp]
protocol = smtp
accept = google_cloud_internal_ip:587
connect = remote_zerotier_postfix_ip:25
cert = /etc/stunnel/domain.pem


I thought this would set up stunnel to handle the TLS handshake and 
terminate the TLS connection, while proxing to the backend postfix 
server without requiring postfix to worry about TLS. But I'm getting 
LOG3[0]: STARTTLS expected when stunnel tries to connect to postfix. 
If I put stunnel in client mode, then it doesn't negotiate the 
incoming TLS (right?).


What am I missing?
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org





--
James Thornton, http://electricspeed.com


Attachment:
stuson_2000@yahoo.co.uk.asc

Description: application/pgp-keys



Attachment:
pgpQ2QLeTKKLn.pgp

Description: PGP signature


_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org






















					Reply via email to