Hi Malgorzata, Thanks for your reply. It was not my intention to verify client certificates. I misunderstood verifyCheck = yes to mean it would verify the certificate of the server to which stunnel is connecting. I've removed this from my config and also enabled debug logging as you suggested.
I did some more playing around and managed to get it working by defining two services. The first service accepts TLS connections and connects to the second service running on a different port, which then connects to Office 365. I've been able to send emails through Office 365 by pointing my Thunderbird at stunnel. Here's my config:

setuid = nobody
setgid = nogroup
pid = /usr/local/var/run/stunnel/stunnel.pid
debug = debug
output = /usr/local/var/log/stunnel/stunnel.log

[uwo2local]
accept = 50025
cert = /usr/local/etc/stunnel/stunnel.pem
connect = 52025
protocol = smtp

[local2o365]
client = yes
accept = 127.0.0.1:52025
connect = smtp.office365.com:587
CApath = /etc/ssl/certs
OCSPaia = yes
protocol = smtp

The one thing I'm wondering about is the checkHost option. Should I be adding checkHost = smtp.office365.com to verify the certificate of smtp.office365.com? Whenever I add this option, it tells me:

[!] /usr/local/etc/stunnel/stunnel.conf:87: "checkHost = smtp.office365.com": Specified option name is not valid here

Thanks,
Andrew

Andrew Culver
System Administrator
Information Technology Services <https://www.uwo.ca/its>
University of Western Ontario <https://www.uwo.ca>
e: [email protected]
p: 519-661-2111 x80265

On Thu, Jan 19, 2017 at 5:40 AM, Małgorzata Olszówka <[email protected]> wrote:

>> We have a number of hosts in private IP space that we'd like to be able
>> to send mail to smtp.office365.com:587. I'm trying to configure stunnel
>> for this purpose.
>>
>> What I'd like is to set up a stunnel instance on a server which will
>> accept TLS connections on port 50025. Stunnel will then connect to
>> smtp.office365.com:587, which also uses TLS. How can I do this?
>>
>> I am able to configure stunnel to accept my connection on 587, but the
>> connection is immediately closed (below).
>> If I add client = yes, then I just get:
>>
>> aculver stunnel # egrep -v '^;|^$' stunnel.conf
>> ; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015
>> setuid = nobody
>> setgid = nogroup
>> pid = /usr/local/var/run/stunnel/stunnel.pid
>> [o365-smtp]
>> accept = 50025
>> cert = /usr/local/etc/stunnel/stunnel.pem
>> connect = smtp.office365.com:587
>> verifyChain = yes
>> CApath = /etc/ssl/certs
>> protocol = smtp
>>
>> aculver stunnel # openssl s_client -starttls smtp -connect localhost:50025
>> CONNECTED(00000003)
>> ...
>> 139954991064736:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1263:SSL alert number 40
>> 139954991064736:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
>> ---
>
> Hi Andrew,
> I suggest you set the debugging stuff, it may be useful for
> troubleshooting:
> debug = debug
> output = /usr/local/var/log/stunnel.log
>
> In the stunnel.log file, you can find all log messages from stunnel, I
> think in this case:
>
> 2017.01.19 05:08:28 LOG7[10763]: TLS alert (write): fatal: handshake failure
> 2017.01.19 05:08:28 LOG3[10763]: SSL_accept: 140890C7: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
> 2017.01.19 05:08:28 LOG5[10763]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
>
> Your [o365-smtp] service requests the peer certificate and verifies the peer
> certificate chain, so you should send the client certificate.
>
> # openssl s_client -starttls smtp -connect localhost:50025 -cert mycert.pem
>
> Regards
>
> _______________________________________________
> stunnel-users mailing list
> [email protected]
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
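The thread circles around one point: in stunnel, CApath (and OCSPaia) only say where trust anchors live, while verification itself is switched on by verifyChain / verifyPeer (or the legacy numeric verify), and checkHost then pins the expected name. Turning verification on in a server-mode service, as in the first attempt, makes stunnel demand a certificate from every connecting client, which is the "peer did not return a certificate" failure in the log above. As an added example (not code from the stunnel project or from anyone in this thread), here is a small Python audit that parses an stunnel.conf and reports those gaps. The two sample configs labelled "from the thread" are constructed from the posted text; HARDENED_CONF, with verifyChain and checkHost on the client-mode service, is my assumption of the intended end state, and every function and constant name is mine.

```python
"""Audit an stunnel.conf for TLS-verification gaps (added example, not stunnel's code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Service:
    """One [section] of stunnel.conf; keys are stored lower-cased, values verbatim."""
    name: str
    options: dict[str, list[str]] = field(default_factory=dict)

    def get(self, key: str) -> list[str]:
        return self.options.get(key.lower(), [])

    def _flag(self, key: str) -> bool:
        return any(v.lower() == "yes" for v in self.get(key))

    def is_client(self) -> bool:
        return self._flag("client")

    def verifies_remote(self) -> bool:
        # CApath/CAfile/OCSPaia only locate trust anchors; verification is switched on
        # by verifyChain/verifyPeer (stunnel 5.x) or the legacy numeric 'verify' level.
        legacy = any(v.isdigit() and int(v) >= 1 for v in self.get("verify"))
        return self._flag("verifyChain") or self._flag("verifyPeer") or legacy

    def demands_client_cert(self) -> bool:
        # On the accept side, chain/peer verification (or verify >= 2) makes stunnel
        # require a certificate from every connecting client.
        legacy = any(v.isdigit() and int(v) >= 2 for v in self.get("verify"))
        return self._flag("verifyChain") or self._flag("verifyPeer") or legacy


def parse_stunnel_conf(text: str) -> tuple[Service, list[Service]]:
    """Parse stunnel's INI-style layout: ';' comments, 'key = value' lines, repeated
    keys allowed, and global options before the first [service] header."""
    global_opts = Service("<global>")
    services: list[Service] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = Service(line[1:-1].strip())
            services.append(current)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"unparsable stunnel.conf line: {raw!r}")
        current.options.setdefault(key.strip().lower(), []).append(value.strip())
    return global_opts, services


def audit(text: str) -> list[str]:
    """Return one human-readable finding per service that leaves a verification gap."""
    _, services = parse_stunnel_conf(text)
    findings: list[str] = []
    for svc in services:
        target = ", ".join(svc.get("connect")) or "?"
        if svc.is_client():
            if not svc.verifies_remote():
                findings.append(f"[{svc.name}] client to {target}: no verifyChain/verifyPeer, "
                                "so the remote certificate is accepted unverified")
            elif not svc.get("checkHost"):
                findings.append(f"[{svc.name}] client to {target}: chain verified but no checkHost, "
                                "so any certificate from a trusted CA is accepted")
        elif svc.demands_client_cert():
            findings.append(f"[{svc.name}] server: verification is on, so every connecting "
                            "client must present a certificate")
    return findings


# Constructed from the thread: the working two-service layout (server hop, then client hop).
WORKING_CONF = """\
setuid = nobody
[uwo2local]
accept = 50025
cert = /usr/local/etc/stunnel/stunnel.pem
connect = 52025
protocol = smtp
[local2o365]
client = yes
accept = 127.0.0.1:52025
connect = smtp.office365.com:587
CApath = /etc/ssl/certs
OCSPaia = yes
protocol = smtp
"""

# Constructed from the thread: the first attempt, a server-mode service with verifyChain.
FIRST_ATTEMPT_CONF = """\
[o365-smtp]
accept = 50025
cert = /usr/local/etc/stunnel/stunnel.pem
connect = smtp.office365.com:587
verifyChain = yes
CApath = /etc/ssl/certs
protocol = smtp
"""

# Assumed hardening (not from the thread): verification on and the hostname pinned.
HARDENED_CONF = """\
[local2o365]
client = yes
accept = 127.0.0.1:52025
connect = smtp.office365.com:587
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = smtp.office365.com
OCSPaia = yes
protocol = smtp
"""

if __name__ == "__main__":
    for label, conf in (("working", WORKING_CONF), ("first attempt", FIRST_ATTEMPT_CONF),
                        ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Run against WORKING_CONF the audit reports the [local2o365] hop as unverified, against FIRST_ATTEMPT_CONF it reports the client-certificate demand, and against HARDENED_CONF it reports nothing. If stunnel rejects checkHost as "not valid here", the stunnel manual's requirement that checkHost needs OpenSSL 1.0.2 or later is the first thing to check against the build in use.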
