Need to change POP3 and SMTP server info

I think I’ve found a solution for the SMTP side. Try borgernet.com/?m=201209
I haven’t implemented it, but it looks very promising. Stunnel can be found with the software manager and installed.

Yup, that works. If you already have outgoing.verizon.net working you just have to configure stunnel (using smtp.verizon.net - not outgoing.verizon.net as documented there), and then change the relay host in main.cf. Oh, you also need to add an entry for localhost in saslpass.db and run postmap on it.

This has become The Job From Hell.
I plugged in the info from the Borgernet article:


client = yes
[smtps]
accept = 5000
connect = smtp.verizon.net:465

I tweaked main.cf to have the correct relayhost, created an entry in sasl_passwd and ran postmap on that, and changed the smtp_sasl_ lines. I restarted stunnel and…

Reading configuration from file /etc/stunnel/stunnel.conf
Snagged 64 random bytes from /dev/urandom
PRNG seeded successfully
/etc/stunnel/stunnel.pem: No such file or directory (2)

So I created a null stunnel.pem:


Reading configuration from file /etc/stunnel/stunnel.conf
Snagged 64 random bytes from /dev/urandom
PRNG seeded successfully
Wrong permissions on /etc/stunnel/stunnel.pem
Certificate: /etc/stunnel/stunnel.pem
Error reading certificate file: /etc/stunnel/stunnel.pem
error queue: 140DC009 : error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
SSL_CTX_use_certificate_chain_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line

Well duh - it’s not a real .pem file. So I commented out cert = /etc/stunnel/stunnel.pem in the .conf file and restarted stunnel again. No gripes this time.

I sent a message from another machine, with the mail sent to the machine I’m playing with (via an ssh session run under PuTTY under Win7) and the wheels fell off again.

status=bounced (host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Authentication Required (in reply to MAIL FROM command))

As best I can tell, something seems to be demanding the stunnel service authenticate itself.

The defaults under stunnel follow - note that verify is not enabled.

stunnel 4.36 on i586-suse-linux-gnu with OpenSSL 1.0.0k 5 Feb 2013
Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL, IPv6
 
Global options
debug           = daemon.notice
pid             = /var/run/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes
 
Service-level options
cert            = /etc/stunnel/stunnel.pem
ciphers         = ALL:!aNULL:!eNULL:!SSLv2
curve           = sect163r2
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = SSLv3 for client, all for server
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none

At this point I’m flat out of ideas.

That error has nothing to do with stunnel - that is an SMTP error. Go back to the stunnel configuration you had when you got this error. You can confirm that stunnel itself is working by just telnetting to port 5000 on localhost.

The problem is that you need an entry in saslpass. You likely already have this set up if you were using outgoing.verizon.net previously. The problem is that you have an entry for outgoing.verizon.net and now postfix thinks you’re connecting to localhost. So, just create another line in that file:

localhost user:pass

Then run postmap /etc/postfix/saslpass (or whatever the path to the file is). Then run postfix reload.

That will likely fix it.
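To make the point of this reply concrete, here is an added example (editorial code, not something any poster in this thread wrote). It runs a mock of the authenticating relay on a loopback port, standing in for what Postfix sees at stunnel's accept port, and then speaks cleartext SMTP to it the way Postfix does: once without AUTH, once with AUTH PLAIN. The mock answers MAIL FROM with "550 5.7.1 Authentication Required" unless AUTH succeeded, which is the bounce quoted above, and shows that the reply is generated by the SMTP server behind the tunnel, not by stunnel. The credentials, hostnames and reply texts are constructed; the mock does no TLS, because TLS is stunnel's job on the outbound side.

```python
import base64
import socket
import socketserver
import threading

# Constructed credentials accepted by the mock relay (not real account data).
MOCK_USER = "verizon.username"
MOCK_PASS = "verizon_passwd"


class MockRelayHandler(socketserver.StreamRequestHandler):
    """Stand-in for the authenticating relay that Postfix reaches through
    stunnel's accept port. It refuses MAIL FROM until AUTH PLAIN succeeds,
    which is exactly the '550 5.7.1 Authentication Required' bounce."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        authed = False
        self.reply("220 mock.relay ESMTP ready")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd = raw.decode(errors="replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250-mock.relay")
                self.reply("250 AUTH PLAIN")
            elif verb == "AUTH":
                # AUTH PLAIN <base64("\0user\0password")> (RFC 4616 initial response)
                try:
                    blob = base64.b64decode(cmd.split(" ", 2)[2])
                    _authzid, user, pw = blob.split(b"\0")
                except (IndexError, ValueError):
                    self.reply("501 5.5.2 Cannot decode response")
                    continue
                if (user.decode(), pw.decode()) == (MOCK_USER, MOCK_PASS):
                    authed = True
                    self.reply("235 2.7.0 Authentication successful")
                else:
                    self.reply("535 5.7.8 Authentication credentials invalid")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok" if authed else "550 5.7.1 Authentication Required")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


def start_mock_relay():
    """Start the mock on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockRelayHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def mail_from_via_relay(port, creds=None, sender="user@mydomain.com"):
    """Speak cleartext SMTP to 127.0.0.1:port the way Postfix speaks to
    stunnel's accept port, optionally authenticating first. Returns the
    server's reply to MAIL FROM and the full transcript (secret redacted)."""
    transcript = []

    def read_reply(f):
        while True:
            line = f.readline().decode().rstrip("\r\n")
            transcript.append("S: " + line)
            if len(line) < 4 or line[3] != "-":   # last line of a (multi-line) reply
                return line

    def send(f, cmd):
        # Never write the AUTH blob to a log; base64 is not encryption.
        transcript.append("C: " + ("AUTH PLAIN ****" if cmd.startswith("AUTH PLAIN") else cmd))
        f.write((cmd + "\r\n").encode())
        f.flush()
        return read_reply(f)

    with socket.create_connection(("127.0.0.1", port), timeout=5) as s, s.makefile("rwb") as f:
        read_reply(f)                                  # 220 greeting
        send(f, "EHLO bar.mydomain.com")
        if creds:
            blob = base64.b64encode(("\0%s\0%s" % creds).encode()).decode()
            send(f, "AUTH PLAIN " + blob)
        reply = send(f, "MAIL FROM:<%s>" % sender)
        send(f, "QUIT")
    return reply, transcript


if __name__ == "__main__":
    srv, port = start_mock_relay()
    for creds in (None, (MOCK_USER, MOCK_PASS)):
        reply, log = mail_from_via_relay(port, creds)
        print("\n".join(log), "\n=> MAIL FROM got:", reply, "\n")
    srv.shutdown()
```

The first run is what Postfix does when its sasl_passwd lookup for the relayhost finds nothing: it never sends AUTH, and the relay rejects MAIL FROM. The second run is what a matching sasl_passwd entry produces. Telnetting to stunnel's accept port and typing the same commands by hand gives the same picture against the real relay.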

Actually, BTDT.
Here’s /etc/stunnel/stunnel.conf (from the openSUSE version of stunnel) with all comments pulled save the bit about tinygrams which, I assume, can’t hurt and might help avoid a problem.

client = yes
pid = /var/run/stunnel.pid
debug = 7
output = stunnel.log
# disable Nagle algorithm (a.k.a. tinygram prevention, see man 7 tcp)
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
cert = /etc/stunnel/stunnel.pem
[smtps]
accept = 5000
connect = smtp.verizon.net:465

Here’s /etc/postfix/sasl_password. I used postmap, of course. Usernames and passwords have been changed.

[localhost] user1:password
[smtp.verizon.net] VZCust:password
[outgoing.verizon.net]  VZCust:password

To deal with the authentication issue, I did this to create /etc/stunnel/stunnel.pem.

openssl req -new -out stunnel.pem -keyout stunnel.pem -nodes -x509 -days 365

The command was lifted from https://www.wjsams.com/c/docs/Wiki/Ubuntu-SettingUpStunnel Much of the business of getting stunnel to respond to postfix doesn’t apply to openSUSE, but the openssl certificate command seems appropriate. NTL, I’m still tanking.

The rest of the system seems to be refusing the attempt to either create or use the tunnel; “we don’t know you - go away”.

I tried to use stunnel to talk to the old verizon smtp address: outgoing.verizon.net. That cratered, too.
main.cf relayhost is relayhost = [127.0.0.1]:5001 (5001 was used to avoid going to the smtp.verizon.net address via my port 5000). I used the localhost IP because localhost or localhost.mydomain both caused errors (another day’s mystery to solve).

stunnel.conf has
[smtp]
accept = 5001
connect = outgoing.verizon.net

sasl_passwd has
[127.0.0.1] user1:passwd
and postmap was used on sasl_passwd

Postfix and stunnel services were restarted. At that point I’d hoped that any outgoing mail would pass through stunnel and on to Verizon’s old SMTP server. With the exception of adding stunnel to the process of mailing something, using outgoing.verizon.net is where I started. No such luck. I get this in mail.log when I try to mail something via stunnel:
lost connection with 127.0.0.1[127.0.0.1] while receiving the initial server greeting
What am I doing wrong??

I used the localhost IP because localhost or localhost.mydomain both caused errors (connect to localhost.mydomain.com[nnn.nnn.nnn.nnn]:5001: Connection refused).

I’d edit this into the above post but I timed out on the edit window (10m).

Sigh… localhost.mydomain.com should resolve to 127.0.0.1 but resolves to my real, outside world IP. Why?
Worse, replacing localhost.mydomain.com with just localhost gives this in mail.log:
delivery temporarily suspended: Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found

For now, I’ll revert to using 127.0.0.1 in main.cf, etc. until I can figure out this problem.

Disregard the above post - why I used localhost.mydomain.com instead of localhost or localhost.localdomain is a brain burp, plain and simple. As soon as I added .com, of course it’d resolve to my real IP. DOH. [/bangs head on wall]

All three posts above are… I wish I could delete them. They’re the product of flailing around without a clue.

I changed main.cf back to relayhost = [localhost]:5000 and restarted postfix. Stunnel.conf still has
[smtps]
accept = 5000
connect = smtp.verizon.net:465

mail.log shows the following when I try to send something out:

Aug  2 23:03:13 bar postfix/smtpd[19486]: connect from localhost[::1]
Aug  2 23:03:13 bar postfix/smtpd[19486]: 2D312540542: client=localhost[::1]
Aug  2 23:03:13 bar postfix/cleanup[19489]: 2D312540542: message-id=<51FC72F1.2010905@mydomain.com.com>
Aug  2 23:03:13 bar postfix/qmgr[19464]: 2D312540542: from=<myWin7box@mydomain.com>, size=1142, nrcpt=1 (queue active)
Aug  2 23:03:13 bar postfix/smtpd[19486]: disconnect from localhost[::1]
Aug  2 23:03:13 bar postfix/smtp[19466]: warning: relayhost configuration problem
Aug  2 23:03:13 bar postfix/smtp[19466]: 2D312540542: to=<target@foo.com>, relay=none, delay=0.15, delays=0.1/0/0.05/0, dsn=4.3.5, status=deferred (Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)

It seems to me postfix doesn’t know localhost should resolve as 127.0.0.1. Or maybe stunnel isn’t working? I tried setting debug=7 (also, debug=debug - docs say that works) and defining the log file with output=/etc/stunnel/stunnel.log but the file isn’t filling with debugging info:

9178164 -rw-rw-rw- 1 nogroup 0 Aug 2 23:27 stunnel.log

(the owner is stunnel.nogroup)
Basta!

PROBLEM SOLVED!

The answer is sooooooo simple

Stunnel.conf had
[smtps]
accept = 5000
connect = smtp.verizon.net:465

That’s what was in my original source for a how-to. But that’s not how it works with postfix under openSUSE (at least with my main.cf). What should be there is
[smtp]
accept = 5000
connect = smtp.verizon.net:465

That is, the service I need to handle is smtp and not smtps. DOH!!!

Thanks to everyone for the patience and advice. A round of virtual beers on me!

Sigh… I misspoke. What I thought was a working solution turned out to be main.cf set back to the original configuration. But…THE PROBLEM REALLY IS FIXED!!!

The real fix is a change in sasl_passwd. Instead of [127.0.0.1] user1:password (where user1 is a local username in my system) the line should be [127.0.0.1]:5000 verizon.username:verizon_passwd. As soon as I plugged that in, mail moved (and moves) as it should. Another part of the solution is I created a self-signed certificate with openssl, both for postfix and for stunnel. At this point, I’m not sure if one or the other certificate is extraneous. I’ll look into it later.

I forgot another, crucial, change - the service in stunnel.conf:

[smtp-tls-wrapper]
client = yes
accept = 5000
connect = smtp.verizon.net:465

This is used in place of smtp or smtps. Putting client=yes in the service definition is only a matter of style. It can also be at the top of stunnel.conf.

As an aside, postfix continues to be unable to resolve localhost as 127.0.0.1. I’d appreciate suggestions as to why this is so. For now I’ve hardwired the IP into the relayhost definition to avoid this problem.
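The three files in this solution have to agree with each other, and most of the dead ends in this thread were disagreements between them. The checker below is an added example (editorial code, not posted by anyone in the thread) that cross-checks main.cf, sasl_passwd and stunnel.conf and encodes what the thread found: Postfix looks up the sasl_passwd key as the next-hop is written in relayhost, brackets and port included, so [127.0.0.1] does not match a relayhost of [127.0.0.1]:5000; the relayhost port has to be a port a client = yes stunnel service accepts on; and, because the Postfix-to-stunnel hop on 127.0.0.1 is cleartext from Postfix's point of view, the Postfix default smtp_sasl_security_options = noplaintext, noanonymous has to drop noplaintext or Postfix will not offer PLAIN/LOGIN at all. It also warns when stunnel runs with verify unset or none, as in the defaults listed earlier in the thread: the tunnel then encrypts the hop but does not check who is at the far end, so the credentials go to whoever answers on port 465 (verify = 2 plus a CAfile closes that). In client mode the cert option is not required, which is why the Gentoo default configuration worked without a .pem file. The sample files are constructed and modelled on the configuration in this thread; the credentials are placeholders.

```python
import re

# Constructed sample files modelled on the thread's configuration (placeholder credentials).
MAIN_CF_BROKEN = """
relayhost = [127.0.0.1]:5000
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
"""
SASL_PASSWD_BROKEN = "[127.0.0.1] user1:password\n[smtp.verizon.net] VZCust:password\n"

MAIN_CF_FIXED = MAIN_CF_BROKEN.replace("noplaintext, noanonymous", "noanonymous")
SASL_PASSWD_FIXED = "[127.0.0.1]:5000 verizon.username:verizon_passwd\n"

STUNNEL_CONF = """
client = yes
pid = /var/run/stunnel.pid
[smtp-tls-wrapper]
accept = 5000
connect = smtp.verizon.net:465
"""


def parse_kv(text):
    """Parse 'key = value' lines (main.cf style); '#' starts a comment."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def parse_stunnel(text):
    """Split stunnel.conf into global options and per-service [sections]."""
    glob, services, cur = {}, {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            cur = services.setdefault(m.group(1), {})
        elif "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            (glob if cur is None else cur)[k] = v
    return glob, services


def parse_sasl_passwd(text):
    """Return {lookup_key: 'user:pass'} as postmap would index it."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            entries[parts[0]] = parts[1]
    return entries


def check_relay_setup(main_cf, sasl_passwd, stunnel_conf):
    """Cross-check the three files; return a list of 'ERROR: ...' / 'WARN: ...' findings."""
    findings = []
    cf = parse_kv(main_cf)
    relayhost = cf.get("relayhost", "")
    creds = parse_sasl_passwd(sasl_passwd)
    glob, services = parse_stunnel(stunnel_conf)

    # 1. The sasl_passwd key must be the next-hop exactly as written in relayhost, [] and :port included.
    if relayhost not in creds:
        near = [k for k in creds if relayhost.startswith(k)]
        hint = " (have %s, which does not match)" % ", ".join(near) if near else ""
        findings.append("ERROR: no sasl_passwd entry for %r%s" % (relayhost, hint))

    # 2. The relayhost port must be one a client-mode stunnel service accepts on.
    m = re.match(r"\[?([^\]]+)\]?:(\d+)$", relayhost)
    port = m.group(2) if m else None
    svc = next((n for n, s in services.items() if s.get("accept", "").rsplit(":", 1)[-1] == port), None)
    if port is None:
        findings.append("ERROR: relayhost %r carries no port; stunnel's accept port is needed" % relayhost)
    elif svc is None:
        findings.append("ERROR: no stunnel service has accept = %s" % port)
    else:
        s = services[svc]
        if (s.get("client") or glob.get("client", "no")).lower() != "yes":
            findings.append("ERROR: stunnel service [%s] is not client = yes" % svc)
        if ":" not in s.get("connect", ""):
            findings.append("ERROR: stunnel service [%s] connect has no port (want host:465)" % svc)
        if (s.get("verify") or glob.get("verify", "none")) in ("0", "none"):
            findings.append("WARN: stunnel service [%s] does not verify the remote certificate" % svc)

    # 3. Postfix talks cleartext to 127.0.0.1, so its default 'noplaintext' would block AUTH PLAIN/LOGIN.
    if "noplaintext" in cf.get("smtp_sasl_security_options", "noplaintext, noanonymous"):
        findings.append("ERROR: smtp_sasl_security_options contains noplaintext; drop it for the cleartext hop to stunnel")
    if cf.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append("ERROR: smtp_sasl_auth_enable is not yes")
    return findings


if __name__ == "__main__":
    for label, cf, sp in (("broken", MAIN_CF_BROKEN, SASL_PASSWD_BROKEN),
                          ("fixed", MAIN_CF_FIXED, SASL_PASSWD_FIXED)):
        print(label + ":")
        for f in check_relay_setup(cf, sp, STUNNEL_CONF) or ["OK"]:
            print("  " + f)
```

Run against real files with open(path).read() for each of the three; after any edit to sasl_passwd, postmap and postfix reload are still needed, since the checker reads the text file, not the .db that Postfix actually consults.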

He was having an stunnel issue with the pem file, but he fixed that. The specific problem I responded to was an SMTP problem.

I’m actually running on Gentoo, and didn’t have to mess around with pem files with the default stunnel.conf. Dealing with that likely just involves editing other lines in the configuration file, or generating a certificate.

Glad you finally got it working!

I’m glad it’s working, too! [/big grin]

I still haven’t played with who needs a .pem file. I pulled an all-nighter to get the stunnel thing running well enough for “production”. At this point, coherency isn’t one of my better skills - hence all of the extraneous posts full of babble. I’d pull 'em if I could. Anyway, messing with the .pem question is something I’ll leave for later.

FWIW, I have a few laptops floating around, all sending their emails, via an ssh tunnel, through one common machine (the one using stunnel). The reason for this is simple: more than once, I’ve signed onto a foreign (i.e., not one of my AP’s) WiFi site and been handed “you’re nobody I know, so forget mailing through port 25”. With the ssh tunnel and my mail server, I don’t care.