Re: [stunnel-users] Service [SMTP Outgoing] needs authentication to prevent MITM attacks
Michal Trojnara
Hash: SHA256
On 01.09.2015 06:11, Eric Poythress wrote:
> Both are able to see each other just fine but I have the following
> error in the log:
>
> Service [SMTP Outgoing] needs authentication to prevent MITM
> attacks
It is a warning, and not an error.
See https://www.stunnel.org/auth.html
You probably need something like:
[SMTP Outgoing]
client = yes
accept = 127.0.0.1:<src_port>
connect = <server_host>:<server_port>
verify = 2
CAfile = ca-certs.pem
checkHost = <server_host>
> Any help or suggests would be greatly appreciated.
Send your stunnel.conf, and a larger sample of your logs.
Preferably, read the following HOWTO:
http://catb.org/~esr/faqs/smart-questions.html
It will make your life a lot easier!
Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV5WrWAAoJEC78f/DUFuAU+CgP/31pJuvNky6t99qsDwdn5EGo
czTSvPXzn7quwdTZMA9SNQv2G8NvnXv+xxh7xgzEPm4sUq2SehyWKcxxZLHsk5O5
rl3KxE15TMvOw6nqpm3YDwh72788Vu99XKFaFfo0BM6hI++s9WYWjUKfHXn4OEsz
vNf3IqCcCXMeXlgo7xkH4qAmuEyz+Z9UkA6dkaDL5k30oB8m3nhHoGaspBnyBQQ+
ma1fWPwE79JFgE8ecm7wFu0PNu99hCelqL2TARke+VE+qBuzWI41aKcw15rjD+QS
r6xyDi/XFboHiIkWvYDEOCq0C76JnTwrpRigWMvGx8dEQfVO/j9gjyf9seFZe8jv
jHdI7VTQVHMoO4nzCqVpcve3kzrW7I1bQKJLZDPMSUos5BuuHRXKDrlmapO2DDRI
Tp4HzcykchqEfm6Hj4UcnSuQAF/8kQjc1naXFtqENSqfhVTbnkVgjEPyoIh5Nf4c
+NBsnRLYemd+UUXbcC7uBi1qiy1Jbncne4yl5JEjnfkbbl2FhARbGo1sggxvGKQt
ayjLRkyi3luAfWNbmNzKGF3g/u3UPeQAaU9siCVHcyl4n3SNJrMFzlwSxc1iQtry
WUdUBZdNFkmurQlCWBpk81Q+BcBvqYzq/WKdV9FPQqchF57qb0WPfCZDD8PaESbg
TOr07sMmm8kXosdF2KSf
=50AY
-----END PGP SIGNATURE-----
_______________________________________________
stunnel-users mailing list
stunne...@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Eric Poythress
# Stunnel configuration file for Office 365 SMTP
# Eric Poythress
# GLOBAL OPTIONS
client = yes
output = stunnel-log.txt
debug=7
taskbar=yes
# SERVICE-LEVEL OPTIONS
client = yes
accept = 25
connect = smtp.office365.com:587
CAfile = ca-certs.pem
A larger sample of my logs looks like this:
2015.09.01 22:15:15 LOG5[1]: s_connect: connected 132.245.70.98:587
2015.09.01 22:15:15 LOG5[1]: Service [SMTP Outgoing] connected remote server from 192.168.100.41:1565
2015.09.01 22:15:15 LOG7[1]: Remote socket (FD=468) initialized
2015.09.01 22:15:15 LOG7[1]: <- 220 SN1PR15CA0037.outlook.office365.com Microsoft ESMTP MAIL Service ready at Wed, 2 Sep 2015 03:13:50 +0000
2015.09.01 22:15:15 LOG7[1]: -> 220 SN1PR15CA0037.outlook.office365.com Microsoft ESMTP MAIL Service ready at Wed, 2 Sep 2015 03:13:50 +0000
2015.09.01 22:15:15 LOG7[1]: -> EHLO localhost
2015.09.01 22:15:15 LOG7[1]: <- 250-SN1PR15CA0037.outlook.office365.com Hello [70.167.26.246]
2015.09.01 22:15:15 LOG7[1]: <- 250-SIZE 157286400
2015.09.01 22:15:15 LOG7[1]: <- 250-PIPELINING
2015.09.01 22:15:15 LOG7[1]: <- 250-DSN
2015.09.01 22:15:15 LOG7[1]: <- 250-ENHANCEDSTATUSCODES
2015.09.01 22:15:15 LOG7[1]: <- 250-STARTTLS
2015.09.01 22:15:15 LOG7[1]: <- 250-8BITMIME
2015.09.01 22:15:15 LOG7[1]: <- 250-BINARYMIME
2015.09.01 22:15:15 LOG7[1]: <- 250 CHUNKING
2015.09.01 22:15:15 LOG7[1]: -> STARTTLS
2015.09.01 22:15:16 LOG7[1]: <- 220 2.0.0 SMTP server ready
2015.09.01 22:15:16 LOG6[1]: SNI: sending servername: smtp.office365.com
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): before/connect initialization
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 write client hello A
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server hello A
2015.09.01 22:15:16 LOG7[1]: Verification started at depth=2: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
2015.09.01 22:15:16 LOG7[1]: CERT: Pre-verification succeeded
2015.09.01 22:15:16 LOG6[1]: Certificate accepted at depth=2: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
2015.09.01 22:15:16 LOG7[1]: Verification started at depth=1: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA1
2015.09.01 22:15:16 LOG7[1]: CERT: Pre-verification succeeded
2015.09.01 22:15:16 LOG6[1]: Certificate accepted at depth=1: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA1
2015.09.01 22:15:16 LOG7[1]: Verification started at depth=0: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=outlook.com
2015.09.01 22:15:16 LOG7[1]: CERT: Pre-verification succeeded
2015.09.01 22:15:16 LOG6[1]: CERT: Host name "smtp.office365.com" matched with "*.office365.com"
2015.09.01 22:15:16 LOG5[1]: Certificate accepted at depth=0: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=outlook.com
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server certificate A
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server key exchange A
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server certificate request A
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read server done A
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 write client certificate A
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 write client key exchange A
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 write change cipher spec A
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 write finished A
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 flush data
2015.09.01 22:15:16 LOG7[1]: SSL state (connect): SSLv3 read finished A
2015.09.01 22:15:16 LOG7[1]: 2 client connect(s) requested
2015.09.01 22:15:16 LOG7[1]: 2 client connect(s) succeeded
2015.09.01 22:15:16 LOG7[1]: 0 client renegotiation(s) requested
2015.09.01 22:15:16 LOG7[1]: 0 session reuse(s)
2015.09.01 22:15:16 LOG6[1]: SSL connected: new session negotiated
2015.09.01 22:15:16 LOG7[1]: Deallocating application specific data for addr index
2015.09.01 22:15:16 LOG6[1]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-SHA384 (256-bit encryption)
2015.09.01 22:15:16 LOG7[1]: Compression: null, expansion: null
2015.09.01 22:15:21 LOG6[1]: Read socket closed (readsocket)
2015.09.01 22:15:21 LOG7[1]: Sending close_notify alert
2015.09.01 22:15:21 LOG7[1]: SSL alert (write): warning: close notify
2015.09.01 22:15:21 LOG6[1]: SSL_shutdown successfully sent close_notify alert
2015.09.01 22:15:21 LOG6[1]: SSL socket closed (SSL_read)
2015.09.01 22:15:21 LOG7[1]: Sent socket write shutdown
2015.09.01 22:15:21 LOG5[1]: Connection closed: 71 byte(s) sent to SSL, 237 byte(s) sent to socket
2015.09.01 22:15:21 LOG7[1]: Remote socket (FD=468) closed
2015.09.01 22:15:21 LOG7[1]: Local socket (FD=440) closed
2015.09.01 22:15:21 LOG7[1]: Service [SMTP Outgoing] finished (0 left)
-Eric
Michal Trojnara
Hash: SHA256
Hi Eric,
Everything seems to work just fine. smtp.office365.com advertises
IPv6 addresses, but your host does not seem to have IPv6 connectivity.
You may modify the time-out delay with TIMEOUTconnect.
Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV5p3xAAoJEC78f/DUFuAUQbgP/0MsjjGe3UMllzwE9YxMMJuq
5yJqG+7oKgfSQXBhqh/es1s6pzePajTThmGGwqzDqwmyQgMt+ogPlr6BGDOZ8Z2e
jKxqxs5qr/CfKTdSM7FYSERIO3YsTDwV5MYszb8aX6ECOQEzBG4vYiTmou86Gi8u
B3u+pn24EfHr3hgT78h6XSgc5O1OYr2yqzl8+79BqmGnzKheSBD8GOBQWrrYAdZt
GRmiuSMtsccqoPHGa2hUWZvXzCILUzL/992Ys4WWHOMSN6GNyhws18CPrIFgCjiX
mPhlUqh2ArinFhz/KaQy19G6g6xzCXMw/ss1iY96bMv/SdzBThfuDuJ/neJtmr4p
7cC4IkrqlOUdp9YZgCSdizK12Y2D4mizZt0dGI9GJA547irLfii+3cFRA1z/TTtX
xj9I5nXHAfdrrPtPlt9vq8y4idmpqU2lxbNSUuo267fSddDuOj7cZDfpF9NIj/Ub
dKn4bXX4HvcHziPE/EYhuKW5FkxjD712uBkQOsoCQKXmUXcGNJ4E1NSHcUgww0i6
JMphsVdAwfa2rd7c+Qz2yKwWp5wq0XZ575lHrqQp3gVqaNDp15vErwR7ja0Oh4yW
JPXjOGsfN3sHmOwML+CWwDyx8JPI/tG5yk996vnZKU7zQbEaiIusYHQ5JYjtP/p4
JVZtkuv62adPKyQIYGp1
=fS1S
-----END PGP SIGNATURE-----