The direction is mail sent from an external email address to stunnel (running on google cloud) for delivery to a postfix mailbox running on a local network.
I posted this question on serverfault (https://serverfault.com/questions/1145279/stunnel-smtp-tls-frontend-server-proxy-for-remote-backend-postfix), and someone said the problem may be either that stunnel strips the IP and/or that the sender is trying to switch to TLS on postfix, not realizing the TLS connection has already been made by stunnel.

On Sat, Oct 7, 2023 at 9:22 AM Stewart Anderson <[email protected]> wrote:

> Client and server will both negotiate SSL. Your server mode is presenting
> a certificate.
>
> It's not clear from your config/text which direction your traffic is
> going!!
>
> If it's incoming from Google to your postfix server then server mode is
> correct. Stunnel will negotiate the SSL and then forward to postfix in
> clear. If the handshake isn't happening, have you put Google's cert in
> your CA certs somewhere?
>
> What confuses it for me is the Google internal IP reference. If you are
> getting traffic from Google then stunnel would need to be accepting on the
> host where stunnel is, so only a port is required in the accept. This can
> be on a machine in your DMZ or behind a firewall, e.g. on or close to your
> postfix server.
>
> Hope that helps.
>
> Stewart
> [email protected]
>
> On 6 October 2023 05:51:14 "[email protected]" <[email protected]> wrote:
>
>> I'm running stunnel in server mode and listening on port 587 and trying to
>> connect to a remote postfix server running on port 25.
>>
>> NB: the two servers are connected via ZeroTier, which may or may not be
>> relevant to the issue.
>>
>> DEBUG = 7
>>
>> [ssmtp]
>> protocol = smtp
>> accept = google_cloud_internal_ip:587
>> connect = remote_zerotier_postfix_ip:25
>> cert = /etc/stunnel/domain.pem
>>
>> I thought this would set up stunnel to handle the TLS handshake and
>> terminate the TLS connection, while proxying to the backend postfix server
>> without requiring postfix to worry about TLS.
>>
>> But I'm getting LOG3[0]: STARTTLS expected when stunnel tries to connect to
>> postfix. If I put stunnel in client mode, then it doesn't negotiate the
>> incoming TLS (right?).
>>
>> What am I missing?
>> _______________________________________________
>> stunnel-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]

--
James Thornton, *http://electricspeed.com <http://electricspeed.com>*
_______________________________________________
stunnel-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
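The thread above turns on who performs the TLS step and when: `protocol = smtp` makes stunnel negotiate STARTTLS (RFC 2487/3207) on a plaintext SMTP session before the handshake, whereas a peer that expects implicit TLS sends a TLS ClientHello as its very first bytes and never issues EHLO or STARTTLS in the clear. The following is an added example, not stunnel's or the poster's code: a simplified model of the server side of that negotiation that classifies scripted client input, with host names, response codes and the three client behaviours all constructed for illustration.

```python
"""Simplified model of the RFC 2487/3207 STARTTLS negotiation that a plaintext SMTP
front end performs before the TLS handshake.  Added example: the dialog and response
codes are constructed assumptions, not stunnel's own implementation."""
from typing import Dict, List, Tuple

TLS_HANDSHAKE_RECORD = 0x16  # first byte of a TLS ClientHello (record content type 22)

def negotiate_starttls(client_lines: List[bytes],
                       hostname: str = "mx.example.test") -> Tuple[str, List[bytes]]:
    """Play the server side against scripted client lines; return (outcome, transcript).
    outcome: 'handshake' (EHLO then STARTTLS, TLS may begin), 'implicit-tls' (peer sent a
    TLS record first, i.e. expects TLS from byte 0), 'starttls-expected' (another command
    where STARTTLS was due), or 'protocol-error' (no EHLO/HELO)."""
    transcript = [b"S: 220 " + hostname.encode() + b" ESMTP ready"]
    if not client_lines:
        return "protocol-error", transcript
    first = client_lines[0]
    if first and first[0] == TLS_HANDSHAKE_RECORD:
        transcript.append(b"C: <TLS ClientHello, not an SMTP command>")
        return "implicit-tls", transcript
    transcript.append(b"C: " + first)
    if not first.upper().startswith((b"EHLO ", b"HELO ")):
        transcript.append(b"S: 500 Syntax error")
        return "protocol-error", transcript
    transcript += [b"S: 250-" + hostname.encode(), b"S: 250 STARTTLS"]
    if len(client_lines) < 2:
        return "starttls-expected", transcript
    transcript.append(b"C: " + client_lines[1])
    if client_lines[1].strip().upper() != b"STARTTLS":
        transcript.append(b"S: 530 Must issue a STARTTLS command first")
        return "starttls-expected", transcript
    transcript.append(b"S: 220 Go ahead")
    return "handshake", transcript

# Constructed client behaviours that the mismatch discussed in the thread can produce.
CASES: Dict[str, List[bytes]] = {
    "STARTTLS submission client": [b"EHLO client.example.test", b"STARTTLS"],
    "implicit-TLS client": [bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])],
    "client that never sends STARTTLS": [b"EHLO client.example.test", b"MAIL FROM:<sender@example.test>"],
}

def diagnose_all() -> Dict[str, str]:
    """Outcome per constructed case."""
    return {name: negotiate_starttls(lines)[0] for name, lines in CASES.items()}

if __name__ == "__main__":
    for name, lines in CASES.items():
        outcome, transcript = negotiate_starttls(lines)
        print(f"== {name}: {outcome}")
        print("\n".join("   " + e.decode("ascii", errors="replace") for e in transcript))
```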
