Starting stunnel with systemd.


pe...@easthope.ca

Apr 23, 2023, 1:00:06 PM
Hi,

After starting interactively, stunnel works.

To automate, this service file was created.

$ cat /etc/systemd/system/stunnel.service
[Unit]
Description=StunnelStarter
Documentation=man:stunnel(8)
After=network.target auditd.service

[Service]
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf foreground=yes
Restart=no
Type=simple

[Install]
WantedBy=multi-user.target
Alias=stunnel.service

After booting, no stunnel.

$ ps aux | grep stunnel
root 1463 0.0 0.0 6244 700 pts/0 S+ 09:31 0:00 grep stunnel

$ systemctl status stunnel
* stunnel.service - StunnelStarter
     Loaded: loaded (/etc/systemd/system/stunnel.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Sun 2023-04-23 08:52:52 PDT; 7min ago
       Docs: man:stunnel(8)
    Process: 572 ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf foreground=yes (code=exited, status=0/SUCCESS)
   Main PID: 572 (code=exited, status=0/SUCCESS)
        CPU: 13ms

Apr 23 08:52:52 imager stunnel[572]: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Apr 23 08:52:52 imager stunnel[572]: LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
Apr 23 08:52:52 imager stunnel[572]: LOG5[ui]: UTF-8 byte order mark not detected
Apr 23 08:52:52 imager stunnel[572]: LOG5[ui]: FIPS mode disabled
Apr 23 08:52:52 imager stunnel[572]: LOG4[ui]: Service [pop3] needs authentication to prevent MITM attacks
Apr 23 08:52:52 imager stunnel[572]: LOG5[ui]: Configuration successful
Apr 23 08:52:52 imager stunnel[584]: LOG5[main]: Terminated
Apr 23 08:52:52 imager stunnel[584]: LOG5[main]: Terminating 1 service thread(s)
Apr 23 08:52:52 imager stunnel[584]: LOG5[main]: Service threads terminated
Apr 23 08:52:52 imager systemd[1]: stunnel.service: Succeeded.

Terminated. Why?

Thanks, ... P.

Darac Marjal

Apr 23, 2023, 2:30:07 PM
1. stunnel hasn't been in Debian since etch (Debian 4.0).

2. stunnel4 comes with a service file template
(https://sources.debian.org/src/stunnel4/3%3A5.68-2/debian/stunnel4%40.stunnel.service/),
which is likely to have been tested to work.

3. Could the warning about protecting your POP3 connection be the cause?

Jeffrey Walton

Apr 23, 2023, 10:10:05 PM
On Sun, Apr 23, 2023 at 12:57 PM <pe...@easthope.ca> wrote:
>
> After starting interactively, stunnel works.
>
> To automate, this service file was created.
>
> $ cat /etc/systemd/system/stunnel.service
> [Unit]
> Description=StunnelStarter
> Documentation=man:stunnel(8)
> After=network.target auditd.service
>
> [Service]
> ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf foreground=yes
> Restart=no
> Type=simple
>
> [Install]
> WantedBy=multi-user.target
> Alias=stunnel.service
>
> After booting, no stunnel.

Two items come to mind. First, how quickly did you restart the
service? Is the socket in use because it is lingering?

Second, what does the stunnel.conf look like?

The man page says REUSEADDR=no is the default
(https://manpages.ubuntu.com/manpages/trusty/man8/stunnel4.8.html):

socket = a:SO_REUSEADDR=no (enabled by default)

Jeff

john doe

Apr 24, 2023, 3:10:07 AM
On 4/23/23 18:41, pe...@easthope.ca wrote:
> Hi,
>
> After starting interactively, stunnel works.
>
> To automate, this service file was created.
>
> $ cat /etc/systemd/system/stunnel.service
> [Unit]
> Description=StunnelStarter
> Documentation=man:stunnel(8)
> After=network.target auditd.service
>
> [Service]
> ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf foreground=yes

I'm not sure about the foreground option if you want a daemon in the
background! :)

--
John Doe

to...@tuxteam.de

Apr 24, 2023, 3:50:06 AM
Under systemd, foreground is the new background!

(No, seriously: AFAIU that's how it's supposed to be done with
systemd, because that's how it does its process monitoring and
log munging. Do take this with some fists of salt, as my systemd
knowledge is purely theoretical. Ask an expert)

Cheers
--
t

Greg Wooledge

Apr 24, 2023, 7:50:06 AM
You're correct. Whenever possible, the goal is to ExecStart a single
foreground process which is your service. If you can do that, then
you have a "simple" service type. If you cannot, then you probably have
a "forking" service type, and systemd has to track a whole bunch of
processes instead of just one.

pe...@easthope.ca

Apr 24, 2023, 10:50:06 AM
In-reply-to: <0a2de6ba-15a9-0b01...@darac.org.uk>
References: <897c4593eca5f214...@easthope.ca>
<0a2de6ba-15a9-0b01...@darac.org.uk>

From: Darac Marjal <maili...@darac.org.uk>
Date: Sun, 23 Apr 2023 19:09:16 +0100
> 1. stunnel hasn't been in Debian since etch (Debian 4.0).

Thanks for catching that.

> 2. stunnel4 comes with a service file template
> (https://sources.debian.org/src/stunnel4/3%3A5.68-2/debian/stunnel4%40.stunnel.service/),
> which is likely to have been tested to work.

Thanks. Adjusted /etc/systemd/system/stunnel.service accordingly.
For anyone else interested, PrivateTmp is described in the
systemd.exec(5) manual.
https://www.freedesktop.org/software/systemd/man/systemd.exec.html

The template might work exactly when no authentication is involved.

> 3. Could the warning about protecting your POP3 connection be the
> cause?

Appears likely. My intention is that stunnel provides a tunnel in
which POP3 can operate securely. When stunnel is started
interactively, no problem is evident and the MUA authenticates in POP3
inside the tunnel.

The systemd.exec manual cited above has a Credentials section.
Intrigued to study more when I have time. =8~)

Thx, ... P.

David Wright

Apr 25, 2023, 9:20:06 AM
On Mon 24 Apr 2023 at 07:26:35 (-0700), pe...@easthope.ca wrote:
> From: Darac Marjal <maili...@darac.org.uk>
> Date: Sun, 23 Apr 2023 19:09:16 +0100
> > 1. stunnel hasn't been in Debian since etch (Debian 4.0).
>
> Thanks for catching that.
>
> > 2. stunnel4 comes with a service file template
> > (https://sources.debian.org/src/stunnel4/3%3A5.68-2/debian/stunnel4%40.stunnel.service/),
> > which is likely to have been tested to work.
>
> Thanks. Adjusted /etc/systemd/system/stunnel.service accordingly.
> For anyone else interested, PrivateTmp is described in the
> systemd.exec(5) manual.
> https://www.freedesktop.org/software/systemd/man/systemd.exec.html
>
> The template might work exactly when no authentication is involved.
>
> > 3. Could the warning about protecting your POP3 connection be the
> > cause?
>
> Appears likely. My intention is that stunnel provides a tunnel in
> which POP3 can operate securely. When stunnel is started
> interactively, no problem is evident and the MUA authenticates in POP3
> inside the tunnel.
>
> The systemd.exec manual cited above has a Credentials section.
> Intrigued to study more when I have time. =8~)

Perhaps it would help for you to explain how you're starting it
successfully, in order to see whether there's something you do
that doesn't translate to running it automatically.

Cheers,
David.

pe...@easthope.ca

Apr 25, 2023, 10:20:07 AM
In-reply-to: <ZEfPLo/3HeA...@axis.corp>
References: <6c1ca55212823a1b...@easthope.ca>
<ZEfPLo/3HeA...@axis.corp>

From: David Wright <deb...@lionunicorn.co.uk>
Date: Tue, 25 Apr 2023 08:01:34 -0500
> Perhaps it would help for you to explain how you're starting it
> successfully, in order to see whether there's something you do
> that doesn't translate to running it automatically.

For running POP3 through the tunnel both of these are effective.
(1) As root give the command "stunnel".
(2) As root give the command "stunnel /etc/stunnel/stunnel.conf".

Until something better surfaces, this line in /home/root/.profile
yields automatic startup from root login.
stunnel

Thx, ... P.

Virgo Pärna

Apr 27, 2023, 4:20:07 AM
On Sun, 23 Apr 2023 19:09:16 +0100, Darac Marjal <maili...@darac.org.uk> wrote:
> 1. stunnel hasn't been in Debian since etch (Debian 4.0).
>
> 2. stunnel4 comes with a service file template
> (https://sources.debian.org/src/stunnel4/3%3A5.68-2/debian/stunnel4%40.stunnel.service/),
> which is likely to have been tested to work.

It seems that, at least in bullseye, the installed stunnel4 uses an
init.d script even with stunnel.
Loaded: loaded (/etc/init.d/stunnel4; generated)

And it works just fine. /etc/default/stunnel4 configures what
configuration files are used (default is /etc/stunnel/*.conf).
So there seems to be no need to create my own custom service
when using services configured in /etc/stunnel/.

--
Virgo Pärna
virgo...@mail.ee

pe...@easthope.ca

Apr 27, 2023, 2:00:07 PM
In-reply-to:
<CAH8yC8mrE7Dek+X+aLsLyuY0...@mail.gmail.com>
References: <897c4593eca5f214...@easthope.ca>
<CAH8yC8mrE7Dek+X+aLsLyuY0...@mail.gmail.com>

Jeffrey & all,

Thanks for the replies.

From: Jeffrey Walton <nolo...@gmail.com>
Date: Sun, 23 Apr 2023 21:50:50 -0400
> how quickly did you restart the service?

Aiming to have the stunnel tunnel available after cold boot.
Restarting shouldn't be necessary. Correct?

> Is the socket in use because it is lingering?

From cold boot the socket should be available. If command
stunnel is given interactively the socket is available.

> Second, what does the stunnel.conf look like?

$ cat /etc/stunnel/stunnel.conf
; imager:/etc/stunnel/stunnel.conf
; Example SSL client mode services

[pop3]
client = yes
accept = localhost:110
;connect = hornby.islandhosting.com:995
connect = mail.easthope.ca:995

> The man page says REUSEADDR=no is the default
> (https://manpages.ubuntu.com/manpages/trusty/man8/stunnel4.8.html):
>
> socket = a:SO_REUSEADDR=no (enabled by default)

Not significant with cold boot. Correct?

I appreciate the replies. Currently I start stunnel after root login
with command "stunnel" in ~/.profile. Relying on that until a better
answer surfaces.

Thx, ... P.
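An added example, not from the thread or from stunnel's own tooling: a small shell audit of a stunnel.conf for the two things the thread turns on. The LOG4 line means the [pop3] client section does not verify the server certificate (stunnel logs "Configuration successful" right after it, so it is a warning, not the reason for the exit), while foreground is a global option that belongs in the configuration file, so with only the trailing command-line argument in the unit stunnel still daemonizes, the parent (PID 572) exits 0, and a Type=simple unit treats that as the service having finished and stops the child (PID 584, "Terminated"). Assumed: stunnel 5 option names and Debian's CA bundle path /etc/ssl/certs/ca-certificates.crt; the two sample configs are constructed from the section posted above.

```shell
# Audit a stunnel.conf for the two things this thread turns on: a client
# section with no server certificate verification (the "needs authentication
# to prevent MITM attacks" warning) and a missing global "foreground = yes".
# Assumed: stunnel 5 option names; the configs in "sample_dir" are constructed.
audit_stunnel_conf() {
    awk '
    function report_section() {   # report on the client section just finished
        if (sec != "" && client) {
            if (!verify || !ca) { print sec ": no server certificate verification (add verifyChain = yes and CAfile/CApath)"; bad++ }
            else if (chain && !host) { print sec ": chain verified but no checkHost, so any CA-signed certificate is accepted"; bad++ }
        }
    }
    { sub(/[;#].*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next }   # drop comments and blanks
    /^\[.*\]$/ { report_section(); sec = substr($0, 2, length($0) - 2); client = verify = chain = ca = host = 0; next }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (sec == "" && key == "foreground" && val == "yes") fg = 1   # global option only
        if (key == "client" && val == "yes") client = 1
        if (key == "verifychain" && val == "yes") verify = chain = 1
        if (key == "verifypeer" && val == "yes") verify = 1           # pinned peer certificate
        if (key == "cafile" || key == "capath") ca = 1
        if (key == "checkhost" || key == "checkip") host = 1
    }
    END {
        report_section()
        if (!fg) { print "global: foreground = yes missing; stunnel daemonizes, the parent exits, and a Type=simple unit stops"; bad++ }
        exit bad   # exit status = number of findings
    }' "$1"
}

# Constructed samples: the [pop3] section as posted, and a hardened version.
sample_dir=$(mktemp -d)
printf '[pop3]\nclient = yes\naccept = localhost:110\nconnect = mail.easthope.ca:995\n' > "$sample_dir/posted.conf"
cat > "$sample_dir/fixed.conf" <<'EOF'
foreground = yes
[pop3]
client = yes
accept = 127.0.0.1:110
connect = mail.easthope.ca:995
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = mail.easthope.ca
EOF
audit_stunnel_conf "$sample_dir/posted.conf" || echo "posted.conf: $? finding(s)"
audit_stunnel_conf "$sample_dir/fixed.conf" && echo "fixed.conf: clean"
```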