OS 13.2 - Openssl Stunnel behaviour

Hello.

I am trying to install POSTFIX. Encountering a few problems, I was led to make some tests using different software and/or commands from the command line. I was led to modify the configuration of POSTFIX.

That being said, here is my question:

Why does openssl have a different behavior depending on whether you connect directly to an smtp server or pass through stunnel?

1°) Adding services so they appear in the yast2 firewall config (more comfortable)
/etc/services

free-fr-tunl-465   13123/tcp    # [JCD] - Free.fr Tunnel for postfix
free-fr-tunl-465   13123/udp    # [JCD] - Free.fr Tunnel for postfix
free-fr-tunl-587   13124/tcp    # [JCD] - Free.fr Tunnel for postfix
free-fr-tunl-587   13124/udp    # [JCD] - Free.fr Tunnel for postfix

2°) Open port with yast2 firewall module

FW_CONFIGURATIONS_EXT="apache2 apache2-ssl bacula-dir bacula-fd bacula-sd dhcp-server dnsmasq-dhcp dnsmasq-dns **dovecot smtp sshd** mysql"
FW_SERVICES_ACCEPT_EXT=".............
192.168.130.0/24,tcp,13123
192.168.130.0/24,udp,13123
192.168.130.0/24,tcp,13124
192.168.130.0/24,udp,13124
........................"

3°) Allow services in hosts.allow
/etc/hosts.allow

free-fr-tunl-465 : 192.168.130. : allow
free-fr-tunl-465 : 127.0.0. : allow
free-fr-tunl-587 : 192.168.130. : allow
free-fr-tunl-587 : 127.0.0. : allow

4°) Configure stunnel as simply as possible in client mode
/etc/stunnel/stunnel.conf

debug = 7

[smtp465-wrapper-free-fr]
    accept = 127.0.0.1:13123
    client = yes
    connect = smtp.free.fr:465

[smtp587-wrapper-free-fr]
    accept = 127.0.0.1:13124
    client = yes
    connect = smtp.free.fr:587

Test with telnet direct

hostname-1:~ # **telnet smtp.free.fr 587**
Trying 212.27.48.4...
Connected to smtp.free.fr.
Escape character is '^]'.
220 smtp4-g21.free.fr ESMTP Postfix
**ehlo hostname-1**
250-smtp4-g21.free.fr
250-PIPELINING
250-SIZE 35000000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
**quit**
221 2.0.0 Bye
Connection closed by foreign host.
hostname-1:~ # 

Test with telnet via stunnel

hostname-1:~ # **telnet 127.0.0.1 13124**
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
hostname-1:~ # 

journalctl

Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG7[7425]: Service [smtp587-wrapper-free-fr] accepted (FD=3) from 127.0.0.1:33443
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG7[8019]: Service [smtp587-wrapper-free-fr] started
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG5[8019]: Service [smtp587-wrapper-free-fr] accepted connection from 127.0.0.1:33443
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG6[8019]: s_connect: connecting 2a01:e0c:1::25:587
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG3[8019]: s_connect: connect 2a01:e0c:1::25:587: Network is unreachable (101)
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG6[8019]: s_connect: connecting 212.27.48.4:587
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG7[8019]: s_connect: s_poll_wait 212.27.48.4:587: waiting 10 seconds
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG5[8019]: s_connect: connected 212.27.48.4:587
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG5[8019]: Service [smtp587-wrapper-free-fr] connected remote server from 192.168.130.123:47313
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG7[8019]: Remote socket (FD=11) initialized
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG6[8019]: SNI: sending servername: smtp.free.fr
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG7[8019]: SSL state (connect): before/connect initialization
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG7[8019]: SSL state (connect): SSLv2/v3 write client hello A
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG3[8019]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG5[8019]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG7[8019]: Remote socket (FD=11) closed
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG7[8019]: Local socket (FD=3) closed
Apr 27 18:32:02 hostname-1 stunnel[7425]: LOG7[8019]: Service [smtp587-wrapper-free-fr] finished (0 left)

Test with openssl direct

hostname-1:~ # **openssl s_client -starttls smtp -crlf -connect smtp.free.fr:587**
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = nQtaqFGM8HSdU/WcWEz/5kf53ZC1rh0j, OU = GT42558204, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = *.free.fr
verify return:1
---
Certificate chain
 0 s:/serialNumber=nQtaqFGM8HSdU/WcWEz/5kf53ZC1rh0j/OU=GT42558204/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.free.fr
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/serialNumber=nQtaqFGM8HSdU/WcWEz/5kf53ZC1rh0j/OU=GT42558204/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.free.fr
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3201 bytes and written 422 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0AFC0E0DD9DD3EEDDB57BF38203A8B18C1605DB3B834FD7839AA1DE44BC050A6
    Session-ID-ctx: 
    Master-Key: DF0AEF6344ECE46394F5FD08948E1F10621CB7A10CB055739D4B561087F6686FD9314F38F08B37400CB45488772665DF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:

    Start Time: 1430152708
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
**ehlo hostname-1**
250-smtp4-g21.free.fr
250-PIPELINING
250-SIZE 35000000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
**quit**
221 2.0.0 Bye
closed
hostname-1:~ #

Test with openssl via stunnel

hostname-1:~ # **openssl s_client  -starttls smtp -crlf -connect 127.0.0.1:13124**
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
write:errno=32
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
hostname-1:~ # 

journalctl

Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG7[7425]: Service [smtp587-wrapper-free-fr] accepted (FD=3) from 127.0.0.1:33468
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG7[8184]: Service [smtp587-wrapper-free-fr] started
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG5[8184]: Service [smtp587-wrapper-free-fr] accepted connection from 127.0.0.1:33468
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG6[8184]: s_connect: connecting 212.27.48.4:587
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG7[8184]: s_connect: s_poll_wait 212.27.48.4:587: waiting 10 seconds
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG5[8184]: s_connect: connected 212.27.48.4:587
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG5[8184]: Service [smtp587-wrapper-free-fr] connected remote server from 192.168.130.123:47338
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG7[8184]: Remote socket (FD=11) initialized
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG6[8184]: SNI: sending servername: smtp.free.fr
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG7[8184]: SSL state (connect): before/connect initialization
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG7[8184]: SSL state (connect): SSLv2/v3 write client hello A
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG3[8184]: SSL_connect: 140770FC: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG5[8184]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG7[8184]: Remote socket (FD=11) closed
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG7[8184]: Local socket (FD=3) closed
Apr 27 18:46:24 hostname-1 stunnel[7425]: LOG7[8184]: Service [smtp587-wrapper-free-fr] finished (0 left)

Any help is welcome.
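Both stunnel journal excerpts above die at SSL23_GET_SERVER_HELLO with "unknown protocol": stunnel in client mode starts a TLS handshake the moment the TCP connection is up, while port 587 answers first with the plaintext "220 ... ESMTP Postfix" greeting the telnet test shows and only offers TLS through STARTTLS, so OpenSSL is handed SMTP text where it expects a TLS record. The script below is an added example, not code from this thread or from stunnel: it reproduces that exchange offline against a constructed local stand-in for the submission server (banner text copied from the telnet output; the name smtp.free.fr is used only as the SNI value) and classifies the first bytes each side sent.

```python
import socket
import ssl
import threading

# Constructed banner, shaped like the plaintext greeting telnet showed on port 587.
BANNER = b"220 smtp4-g21.free.fr ESMTP Postfix\r\n"

def classify(first_bytes: bytes) -> str:
    """Name the protocol a peer is speaking from the first bytes it sent."""
    if first_bytes[:2] == b"\x16\x03":  # TLS handshake record header (SSLv3/TLS 1.x)
        return "tls-handshake"
    if first_bytes[:4] == b"220 ":      # plaintext SMTP "service ready" greeting
        return "smtp-plaintext"
    return "unknown"

def fake_submission_server(seen: dict):
    """Plaintext-greeting stand-in for a STARTTLS port; returns (port, thread)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(BANNER)        # greet first, like smtp.free.fr:587 did
            conn.settimeout(2)
            seen["client_sent"] = conn.recv(4096)  # what the "client" said first
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], thread

def stunnel_style_connect(port: int) -> str:
    """Do what stunnel's client mode does: open TCP, then start TLS at once."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # no real certificate exists in this demo
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="smtp.free.fr") as tls:
                return "ok: " + str(tls.version())
    except ssl.SSLError as exc:         # OpenSSL cannot parse "220 ..." as a TLS record
        return "handshake failed: " + str(exc.reason)

def demo() -> dict:
    seen: dict = {}
    port, thread = fake_submission_server(seen)
    result = stunnel_style_connect(port)
    thread.join(5)
    return {"client_result": result, "server_saw": classify(seen.get("client_sent", b""))}
```

The server side records a TLS ClientHello where it expected EHLO, and the client side reports a handshake error, which is the same mismatch the journal shows. Of the two wrappers in stunnel.conf, only the one pointing at port 465 fits this pattern, because 465 expects TLS from the first byte; that wrapper is then tested with plain telnet to 127.0.0.1:13123, not with openssl s_client -starttls, since stunnel already supplies the TLS layer.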

Although it's been a while since I've used stunnel (and I'm surprised it's not currently in OSS… I hope you're getting the version from the c/c++ repo instead of the private repos)

Am not sure if I understand correctly what you’re doing with stunnel…
Are you really trying to run an openSSL connection inside stunnel?
If so, that’s a new one for me.
The whole purpose of stunnel is to be able to wrap SSL around any protocol, even when the protocol being wrapped doesn't ordinarily support native encryption. So, it seems to me you should be tunneling unencrypted SMTP within stunnel, whereas I think you're trying to wrap an encrypted SMTP within stunnel. If you're really trying to do what I think you are trying to do, you'd have to unwrap the SSL on the Server side in separate layered steps in the opposite order it was wrapped (i.e. first stunnel, then your encrypted SSL). Your error leads me to suspect your stunnel and payload have confused the Server and it is looking for the wrong SSL cert in the wrong location.

TSU

A question of importance/curiosity: Are you re-installing postfix, or simply configuring it? If you’re re-installing it, from where are you installing it from - an official repository for your version of openSUSE, or from somewhere else on the internet?

It was dropped back in 11.1, I think; no one wanted to maintain it.

I was just following this : http://www.postfix.org/TLS_README.html#client_smtps

Anyway, I have changed my mind and will try to use port 587 (submission) at my ISP directly (without stunnel).

It is a first install.

Anyway, I changed my mind and for the moment won't continue with stunnel.

For the reason I used stunnel, as I said in response to Tsu, you can look at : http://www.postfix.org/TLS_README.html#client_smtps

You might notice that stunnel is recommended only if you are using a very old version of Postfix, and to my eye the smtp traffic passed to stunnel isn't encrypted.

BTW - Your link contains another link to a very useful, informative and likely relevant document: SOHO_README

TSU