tmda-ofmipd works now. The solution was to add key = /path/to/private.key.file entry in stunnel.conf (in addition to cert = /path/to/certificate)
regards,
Zoran

Zoran Bosnjak writes:
>> * Make sure your email client is set up for TLS (not SSL.)
> TLS, yes.
>
>> * Make sure stunnel is set up for TLS (not SSL). I think that's the
>> default when proxying SMTP, and it should be how the config files that
>> you found in TMDA's contrib directory were set up.
> Don't know how to check.
>
> my stunnel.conf is:
> ---
> exec = /usr/local/tmda/xinetd/tmda-ofmipd-starttls/tmda-ofmipd-wrapper
> execargs = /usr/local/tmda/xinetd/tmda-ofmipd-starttls/tmda-ofmipd-wrapper
> cert = /usr/local/tmda/xinetd/tmda-ofmipd-starttls/stunnel.pem
> client = no
> foreground = yes
> protocol = smtp
> ---
>
>> * I notice that your server signon message says this:
>>
>> 20 buco.home ESMTP tmda-ofmipd + stunnel
>>
>> I'll assume that the "20" is really "220" and that was just a typo.
> It says "20", no typo! And I have no idea where "+ stunnel" comes from.
>
>> * Try using an SSL client application to manually talk to stunnel and
>> see if that works:
>>
>> openssl s_client -connect localhost:8026
> This does not work.
> It gives error:
> socket: Connection refused
> connect:errno=29
>
> It does not trigger any log entry.
> But the port is open.
> [EMAIL PROTECTED] log]# nmap localhost -p 8026
>
> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-12-30 00:30 CET
> Interesting ports on localhost.localdomain (127.0.0.1):
> PORT STATE SERVICE
> 8026/tcp open unknown
>
> Nmap finished: 1 IP address (1 host up) scanned in 0.023 seconds
>
> I have upgraded stunnel to latest version 4.20. It still does not work,
> however it is different than in 4.15.
>
> ---
> stunnel 4.15. Trying to connect from the client I get:
> - client error message as mentioned before
> - server log entry:
> [EMAIL PROTECTED] log]# cat tmda-ofmipd-starttls-stunnel-wrapper
> 2006.12.30 00:05:23 LOG5[16129:3086636736]: stunnel 4.15 on i686-redhat-linux-gnu with OpenSSL 0.9.8b 04 May 2006
> 2006.12.30 00:05:23 LOG5[16129:3086636736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
> 2006.12.30 00:05:23 LOG5[16129:3086636736]: stunnel connected from 84.255.205.220:65041
> 2006.12.30 00:05:23 LOG5[16129:3086636736]: Negotiations for smtp (server side) started
> 2006.12.30 00:05:27 LOG3[16129:3086636736]: Unexpected socket close (fdgetline)
> 2006.12.30 00:05:27 LOG5[16129:3086636736]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
>
> ---
> stunnel 4.20 (same configuration). Trying to connect from the client I get:
> - client error message: cannot establish encrypted connection, because
> the certificate sent by ... is not valid or broken. error code: -8102.
> (this is an English translation of the original popup)
> - server log entry:
> [EMAIL PROTECTED] log]# cat tmda-ofmipd-starttls-stunnel-wrapper
> 2006.12.30 00:11:20 LOG5[16239:3086382784]: stunnel 4.20 on i686-pc-linux-gnu with OpenSSL 0.9.8b 04 May 2006
> 2006.12.30 00:11:20 LOG5[16239:3086382784]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP
> 2006.12.30 00:11:21 LOG5[16239:3086382784]: stunnel accepted connection from 84.255.205.220:65043
> 2006.12.30 00:11:21 LOG5[16239:3086382784]: Negotiations for smtp (server side) started
> 2006.12.30 00:11:21 LOG5[16239:3086382784]: Protocol negotiations succeeded
> 2006.12.30 00:11:22 LOG3[16239:3086382784]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> 2006.12.30 00:11:22 LOG5[16239:3086382784]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
>
> I have used this command to generate the certificate:
> # openssl req -new -out stunnel.pem -keyout stunnel.pem -nodes -x509 -days 365
> Is this correct?
> What version of stunnel should I use? And what am I missing in
> configuration?
>
> Zoran
>

-- 
http://www.via.si
_____________________________________________
tmda-users mailing list (tmda-users@tmda.net)
http://tmda.net/lists/listinfo/tmda-users
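As an added example (not code from this thread, nor from the TMDA or stunnel projects), the following POSIX shell script shows the layout the fix above relies on: the private key and the self-signed certificate generated as two separate files, a server-side stunnel.conf that names both with cert = and key =, and two checks worth running before restarting stunnel: that the config actually contains both entries, and that the private key really belongs to the certificate. The scratch directory, the subject CN and the exec/execargs wrapper path are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from TMDA/stunnel.
# Generates key + certificate as two files, writes a stunnel.conf that
# names both, and checks the config and the key/cert pairing.
# All paths, the CN and the wrapper path are placeholders (assumptions).
set -eu

# Write a minimal server-side stunnel.conf naming both files.
# The exec/execargs wrapper path below is a placeholder.
write_stunnel_conf() {
  conf="$1" cert="$2" key="$3"
  cat > "$conf" <<EOF
cert = $cert
key = $key
client = no
foreground = yes
protocol = smtp
exec = /path/to/tmda-ofmipd-wrapper
execargs = /path/to/tmda-ofmipd-wrapper
EOF
}

# Check 1: does the config name both a certificate and a private key?
# Returns 0 when both "cert =" and "key =" lines are present, 1 otherwise.
conf_has_cert_and_key() {
  grep -q '^cert = ' "$1" && grep -q '^key = ' "$1"
}

# Generate a fresh RSA key ($1) and a self-signed certificate ($2) as two
# files, instead of the single combined stunnel.pem used in the thread.
gen_key_and_cert() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/CN=mail.example.invalid" -keyout "$1" -out "$2" 2>/dev/null
}

# Check 2: does the private key ($1) belong to the certificate ($2)?
# Compares the SHA-256 of the public key derived from each file.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone run: build everything in a scratch directory and report.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  gen_key_and_cert "$work/stunnel.key" "$work/stunnel.crt"
  write_stunnel_conf "$work/stunnel.conf" "$work/stunnel.crt" "$work/stunnel.key"
  conf_has_cert_and_key "$work/stunnel.conf" && echo "config names cert and key"
  key_matches_cert "$work/stunnel.key" "$work/stunnel.crt" && echo "key matches cert"
  cat "$work/stunnel.conf"
fi
```

The second check is the one to run first when the server log shows "sslv3 alert certificate unknown": that alert is sent by the client after it has rejected the certificate the server presented, so the server-side log only tells you the handshake was refused, not why. Confirming that the key and certificate stunnel serves are a matching pair rules out the simplest cause before looking at the client's trust settings.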