Hi everyone,
I have been working on defending against the POODLE bug for the past couple of weeks, and at the same time I have a Sophos UTM 120 firewall just installed, whereby this update popped up over the weekend.

With the new firewall installed, I was having a lot of issues connecting to Exchange Online using Stunnel 5.06 with the following config:

    # GLOBAL OPTIONS
    client = yes
    output = stunnel-log.txt
    debug = 7
    taskbar = yes

    # SERVICE-LEVEL OPTIONS
    [SMTP Outgoing]
    # Accept connections on port 25 and send to Exchange Online on port 587 over TLS
    accept = 25
    connect = smtp.office365.com:587
    protocol = smtp
    ...

when I realised that smtp.office365.com was not supposed to be configured as a DNS Host, but instead should have been a DNS Group within the firewall. There are additional IPs for Exchange Online that MS published, and I included these in the firewall configuration.

However, I spotted the following in stunnel's logs for a typical email being sent via the relay (highlighted in yellow):

    2014.10.28 14:35:54 LOG7[4436]: Service [SMTP Outgoing] accepted (FD=476) from 127.0.0.1:61819
    2014.10.28 14:35:54 LOG7[4436]: Creating a new thread
    2014.10.28 14:35:54 LOG7[4436]: New thread created
    2014.10.28 14:35:54 LOG7[4156]: Service [SMTP Outgoing] started
    2014.10.28 14:35:54 LOG5[4156]: Service [SMTP Outgoing] accepted connection from 127.0.0.1:61819
    2014.10.28 14:35:54 LOG6[4156]: s_connect: connecting 132.245.226.18:587
    2014.10.28 14:35:54 LOG7[4156]: s_connect: s_poll_wait 132.245.226.18:587: waiting 10 seconds
    2014.10.28 14:35:54 LOG5[4156]: s_connect: connected 132.245.226.18:587
    2014.10.28 14:35:54 LOG5[4156]: Service [SMTP Outgoing] connected remote server from 192.168.200.104:61820
    2014.10.28 14:35:54 LOG7[4156]: Remote socket (FD=488) initialized
    2014.10.28 14:35:54 LOG7[4156]: <- 220 DB4PR03CA0002.outlook.office365.com Microsoft ESMTP MAIL Service ready at Tue, 28 Oct 2014 14:35:54 +0000
    2014.10.28 14:35:54 LOG7[4156]: -> 220 DB4PR03CA0002.outlook.office365.com Microsoft ESMTP MAIL Service ready at Tue, 28 Oct 2014 14:35:54 +0000
    2014.10.28 14:35:54 LOG7[4156]: -> EHLO localhost
    2014.10.28 14:35:55 LOG7[4156]: <- 250-DB4PR03CA0002.outlook.office365.com Hello [87.198.240.73]
    2014.10.28 14:35:55 LOG7[4156]: <- 250-SIZE 78643200
    2014.10.28 14:35:55 LOG7[4156]: <- 250-PIPELINING
    2014.10.28 14:35:55 LOG7[4156]: <- 250-DSN
    2014.10.28 14:35:55 LOG7[4156]: <- 250-ENHANCEDSTATUSCODES
    2014.10.28 14:35:55 LOG7[4156]: <- 250-STARTTLS
    2014.10.28 14:35:55 LOG7[4156]: <- 250-8BITMIME
    2014.10.28 14:35:55 LOG7[4156]: <- 250-BINARYMIME
    2014.10.28 14:35:55 LOG7[4156]: <- 250 CHUNKING
    2014.10.28 14:35:55 LOG7[4156]: -> STARTTLS
    2014.10.28 14:35:55 LOG7[4156]: <- 220 2.0.0 SMTP server ready
    2014.10.28 14:35:55 LOG6[4156]: SNI: sending servername: smtp.office365.com
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): before/connect initialization
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client hello A
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server hello A
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server certificate A
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server key exchange A
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server certificate request A
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server done A
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client certificate A
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client key exchange A
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write change cipher spec A
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write finished A
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 flush data
    2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read finished A
    2014.10.28 14:35:55 LOG7[4156]: 80 items in the session cache
    2014.10.28 14:35:55 LOG7[4156]: 335 client connects (SSL_connect())
    2014.10.28 14:35:55 LOG7[4156]: 335 client connects that finished
    2014.10.28 14:35:55 LOG7[4156]: 0 client renegotiations requested
    2014.10.28 14:35:55 LOG7[4156]: 0 server connects (SSL_accept())
    2014.10.28 14:35:55 LOG7[4156]: 0 server connects that finished
    2014.10.28 14:35:55 LOG7[4156]: 0 server renegotiations requested
    2014.10.28 14:35:55 LOG7[4156]: 0 session cache hits
    2014.10.28 14:35:55 LOG7[4156]: 0 external session cache hits
    2014.10.28 14:35:55 LOG7[4156]: 0 session cache misses
    2014.10.28 14:35:55 LOG7[4156]: 0 session cache timeouts
    2014.10.28 14:35:55 LOG6[4156]: SSL connected: new session negotiated
    2014.10.28 14:35:55 LOG6[4156]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption)
    2014.10.28 14:35:55 LOG6[4156]: Compression: null, expansion: null
    2014.10.28 14:35:58 LOG6[4156]: Read socket closed (readsocket)
    2014.10.28 14:35:58 LOG7[4156]: Sending close_notify alert
    2014.10.28 14:35:58 LOG7[4156]: SSL alert (write): warning: close notify
    2014.10.28 14:35:58 LOG6[4156]: SSL_shutdown successfully sent close_notify alert
    2014.10.28 14:35:58 LOG6[4156]: SSL socket closed (SSL_read)
    2014.10.28 14:35:58 LOG7[4156]: Sent socket write shutdown
    2014.10.28 14:35:58 LOG5[4156]: Connection closed: 22332 byte(s) sent to SSL, 615 byte(s) sent to socket
    2014.10.28 14:35:58 LOG7[4156]: Remote socket (FD=488) closed
    2014.10.28 14:35:58 LOG7[4156]: Local socket (FD=476) closed
    2014.10.28 14:35:58 LOG7[4156]: Service [SMTP Outgoing] finished (0 left)

Note that the emails are being generated on the same server (Windows Server 2008 R2, hosted on Hyper-V).

I have a basic (shaky) understanding that the "handshake" for TLS does downgrade to SSLv3 if newer versions of TLS fail, but I am wondering if I apply the update recommended on the firewall, will this cut the communication for the SMTP relay, the way I am using it? However, I also see the TLSv1 ciphersuite being negotiated.
Are there any other settings that I should be using in the .conf file? (I adapted a configuration from MessageOps a few years back.) Is this something I need to sort out with Microsoft's Office365 team?

Maybe it's my lack of understanding of the log, but I thought I'd check with you guys first that the log file generated as above is OK (or not!).

Thanks for taking the time out to read this, and apologies for all the yellow. ;)

Regards,
Stephen

________________________________
Stephen Hogan | System Administrator | Mila Limited
Kilbarrack Industrial Estate, Kilbarrack, Dublin 5, IRELAND
Tel: +353 (0)1 839 0402 | Fax: +353 (0)1 839 0589
Email: [email protected] | Web: www.mila.ie
Company Reg. No. 143406. Registered address: 24/26 City Quay, Dublin 2, Ireland.
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
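Two things the post above asks about can be checked mechanically: whether the stunnel log shows an SSLv3 session, and whether the .conf disables SSLv3. The example below is added here and is not code from the original post or from the stunnel project. It relies on two facts about the tools involved: the "SSL state (connect): SSLv3 write client hello A" lines are OpenSSL's handshake-state labels, which say "SSLv3" for every SSLv3-or-later handshake regardless of the version actually agreed, while stunnel's "Negotiated TLSv1 ciphersuite ..." line reports the real protocol version; and stunnel 5.x accepts `options = NO_SSLv2` and `options = NO_SSLv3` as service-level options to refuse those protocol versions. The sample log and config below are constructed from the post's own lines; the function names and the weak-cipher keyword list are this example's own choices.

```python
import re

# Constructed sample: four lines modelled on the stunnel 5.06 log in the post.
SAMPLE_LOG = """\
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client hello A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read finished A
2014.10.28 14:35:55 LOG6[4156]: SSL connected: new session negotiated
2014.10.28 14:35:55 LOG6[4156]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption)
"""

# Constructed sample: the service section from the post, without any protocol restriction.
SAMPLE_CONF = """\
client = yes

[SMTP Outgoing]
accept = 25
connect = smtp.office365.com:587
protocol = smtp
"""

# stunnel prints the negotiated version and cipher once the handshake completes.
NEGOTIATED = re.compile(
    r"Negotiated (?P<proto>\S+) ciphersuite (?P<cipher>\S+) \((?P<bits>\d+)-bit encryption\)"
)
# OpenSSL state labels; "SSLv3" here is a label for the SSLv3+ state machine, not the version.
STATE_LINE = re.compile(r"SSL state \((connect|accept)\): SSLv3 ")

# Cipher name fragments this example treats as weak (hypothetical policy, not stunnel's).
WEAK_CIPHER_FRAGMENTS = ("NULL", "EXP", "RC4", "DES", "MD5")

# Options this example adds to every service section that lacks them.
REQUIRED_OPTIONS = ("NO_SSLv2", "NO_SSLv3")


def assess_stunnel_log(text):
    """Return a verdict dict built from the 'Negotiated ...' line, ignoring state labels."""
    protocol = cipher = None
    bits = 0
    sslv3_state_lines = 0
    for line in text.splitlines():
        if STATE_LINE.search(line):
            sslv3_state_lines += 1          # counted only to show they are not the verdict
        m = NEGOTIATED.search(line)
        if m:
            protocol, cipher, bits = m["proto"], m["cipher"], int(m["bits"])
    issues = []
    if protocol is None:
        issues.append("no 'Negotiated ... ciphersuite' line: the handshake did not complete")
    elif protocol in ("SSLv2", "SSLv3"):
        issues.append(f"{protocol} negotiated: exposed to POODLE, add options = NO_SSLv3")
    if cipher and any(frag in cipher.upper() for frag in WEAK_CIPHER_FRAGMENTS):
        issues.append(f"weak ciphersuite negotiated: {cipher}")
    return {
        "protocol": protocol,
        "cipher": cipher,
        "bits": bits,
        "sslv3_state_lines": sslv3_state_lines,
        "issues": issues,
        "ok": not issues,
    }


def harden_stunnel_config(conf):
    """Append 'options = NO_SSLv2' / 'options = NO_SSLv3' to each [service] section lacking them."""
    out = []
    section = None      # None while still in the global section
    present = set()     # option values already seen in the current section

    def flush():
        if section is not None:
            for opt in REQUIRED_OPTIONS:
                if opt not in present:
                    out.append(f"options = {opt}")

    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            flush()                         # close the previous section first
            section = stripped[1:-1]
            present = set()
            out.append(line)
            continue
        if "=" in stripped and not stripped.startswith("#"):
            key, _, value = stripped.partition("=")
            if key.strip().lower() == "options":
                present.add(value.strip())
        out.append(line)
    flush()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(assess_stunnel_log(SAMPLE_LOG))
    print(harden_stunnel_config(SAMPLE_CONF))
```

Run against the post's log, the verdict is a TLSv1 session with ECDHE-RSA-AES256-SHA and two "SSLv3" state labels that carry no version information; the same function on a constructed "Negotiated SSLv3 ciphersuite RC4-SHA" line flags both the protocol and the cipher. The config rewriter is idempotent, so it can be run over an already hardened file without duplicating lines. Disabling SSLv3 on the stunnel side does not by itself verify the server's certificate; that needs `verify` and `CAfile` in the same section, which are outside what this example touches.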
