stunnel


Tekkie©

Nov 17, 2020, 5:16:31 PM


I use Microplanet Gravity and it posts to groups fine. But emailing is a
problem. Poring over the docs it seems that I need to run stunnel or OpenSSL
for it to connect through to the mail server. Can anyone guide me through this?


--
Tekkie

VanguardLH

Nov 17, 2020, 6:21:27 PM

MP Gravity supports e-mail protocols? I didn't see e-mail mentioned at
its Sourceforge project site (sourceforge.net/projects/mpgravity).
Assuming it does ...

You sure you want to combine your e-mail and newsreader clients into one
program? Such users have accidentally submitted their e-mails,
sometimes containing personal or embarrassing content, into newsgroups
where it remains forever for all to see. Cancels are honored at so few
NNTP servers that I've never encountered one that supported cancels.
Those that claim they honor cancels may fail. I cannot tell if
EasyNews, your Usenet provider, supports cancels. When I searched on
"cancel" on their help site, all I got were articles about cancelling
your account with them.

Microplanet Gravity runs on Windows platforms (XP, Vista, and 7, and
perhaps later). By adding another link in the chain (e-mail client ->
sTunnel -> AV proxy -> mail server), you make it more difficult to
isolate which component is causing a problem when you can no longer send
or receive e-mails. Since your current choice of e-mail client doesn't
support TLS which your current choice of e-mail provider now requires,
you cannot remove sTunnel to see if it causes problems with e-mail,
because removing sTunnel means it also incapacitates your e-mail client.
There are several good choices for e-mail clients on Windows, like
Thunderbird, eM Client (free with max of 2 accounts), plus most (not
all) versions of Windows come with a bundled e-mail client. Another
freebie is Claws Mail, but get ready to see something reminiscent of
GUIs dating back to Windows 3.x; however, not all plug-ins have yet been
ported to Windows (https://www.claws-mail.org/win32/). The Bat! is
free, but be careful with this choice since it is heavily [ab]used by
spammers, so it can run afoul of anti-spam filtering at the server. Be
careful with some "free" e-mail clients that are really just trialware
or [highly] crippleware; i.e., they're lureware.

If you are intent on using sTunnel with any e-mail client, the overview
is you configure your e-mail client to send or listen on ports for
sTunnel, not for ports on your e-mail provider's servers. Typically
sTunnel runs as localhost, so that's the server you specify in your
e-mail client. That has your e-mail client connect to sTunnel. You
configure sTunnel to use ports for sending and receiving from your
e-mail client. Typically you use the standard ports for POP, IMAP, and
SMTP for sTunnel to listen to for connects from your e-mail client.
Then you configure sTunnel to connect to the ports and host for your
e-mail provider.

e-mail client --> SMTP --> sTunnel --> AV --> provider's SMTP server
<-- POP <-- sTunnel <-- AV <-- provider's POP server
<-- IMAP <-- sTunnel <-- AV <-- provider's IMAP server

Whether your AV (antivirus) is interrogating your e-mail traffic depends
on if you configure it to do so. It is superfluous, but it adds bloat
to the AV's feature set for marketing purposes, and some users want the
warm comfy feeling that there is somehow more protection by having their
e-mails scanned (but that's false since the same on-access scanner is
used for the AV's real-time detection as used for their e-mail scanner).
If you use non-standard ports on sTunnel's output side (from it to the
e-mail servers), an AV could interfere by blocking that traffic, or not
scan it at all (which is also another reason it is superfluous). Most
AVs run as a transparent proxy, but they still default to monitoring
just the standard e-mail ports. If you don't have your AV do its
superfluous monitoring of e-mail traffic, that eliminates a link in the
e-mail chain. Using an e-mail client that supports TLS eliminates
another link in the e-mail chain. The longer the chain, the more
fragile it becomes, and the harder to troubleshoot.

In sTunnel's configuration, you use a different listening port (from the
e-mail client) to identify to which server that sTunnel will connect.
You define mapping from an input port on sTunnel to an output port on
sTunnel. For multiple accounts, you configure your e-mail client to use
a different port to sTunnel where each port is associated with a
different e-mail service. So, you end up defining listening ports in
sTunnel for each type of service at an e-mail provider, like having one
port listen for SMTP connect from your e-mail client to connect to
provider #1's SMTP server, another port at sTunnel listening to IMAP
connects from your e-mail client to connect to your provider #1's IMAP
server, and a 3rd port at sTunnel listening to connects from your e-mail
provider to go to your provider #1's POP server. Usually you only use
POP or IMAP at an e-mail provider, not both. So, for N e-mail services,
you'll end up defining N*2 ports at sTunnel to listen for connects from
your e-mail client. Mapping is defined by you editing a text config
file for sTunnel. There is no GUI for defining the mapping, especially
since that would make more difficult the cross-platform capability by
requiring different graphical code for each platform. You might want to
draw out the mapping from your e-mail client to sTunnel, from sTunnel to
the e-mail servers, and the internal mapping inside sTunnel to know
which input port goes to which output port. For sTunnel, editing its
text config file will look something like their example at:

https://www.stunnel.org/config_windows.html

You'll need to know which ports your e-mail provider uses for SMTP,
IMAP, and POP to know how to configure sTunnel's outward ports. Last I
tried sTunnel, it has no database of e-mail providers for it to
automatically configure its in/out port assignments. It's all up to
you to find out that information. I've not heard that sTunnel will
support Exchange or Gmail API for access to those type of mail servers.

sTunnel runs as a local proxy which performs a MITM (Man-In-The-Middle)
interception of your e-mail traffic. You might get lucky when first
setting up and configuring sTunnel, along with redefining your e-mail
accounts in your local e-mail client, to get it all working on the first
try. Else, you'll have to spend some time troubleshooting your setup to
see if the config in your e-mail client (that now has to point at
sTunnel) or sTunnel (which needs port assignments on its input side from
your client and port assignments on its output side to the e-mail
servers) that is causing the problem. Much easier to move to a local
e-mail client that already supports TLS for secure connects to whomever
are your e-mail providers, some of which afford automatic configuration
just by entering your e-mail address at each e-mail provider.

Ralph Fox

Nov 19, 2020, 4:28:14 AM

1. The general idea is that
1.1 You install STunnel;
1.2 You configure your email client to connect to STunnel,
instead of to your mail server;
1.3 You configure STunnel to accept the connection from your
email client and to forward the connection to your mail
server.

[Diagram best viewed in a fixed-pitch font]

   |===================== YOUR COMPUTER =====================|        |============ THE INTERNET ============|

    +---------+  OUTBOUND MAIL SERVER         +---------+  FORWARD TO                  +--------------------+
    ¦         ¦------------------------------>¦         ¦----------------------------->¦  SMTP mail server  ¦
    ¦  Email  ¦  localhost port 8025, no SSL  ¦         ¦  smtp.xyz.com port 465, SSL  +--------------------+
    ¦  client ¦                               ¦ STunnel ¦
    ¦         ¦  INBOUND MAIL SERVER          ¦         ¦  FORWARD TO                  +--------------------+
    ¦         ¦------------------------------>¦         ¦----------------------------->¦  POP3 mail server  ¦
    +---------+  localhost port 8110, no SSL  +---------+  pop3.xyz.com port 995, SSL  +--------------------+


2. Download the STunnel installer for your operating
system from <https://www.stunnel.org/downloads.html>
and install it.

Do not start STunnel yet - you first need to create an
stunnel.conf configuration file.


3. To configure your email client, see its documentation.

In the diagram above
* Configure the server settings for sending and receiving email
to be your local computer (server name localhost or 127.0.0.1).
* Configure the port number for sending email to be 8025
* Configure the port number for receiving email to be 8110


4. To configure stunnel, first create a text file named "stunnel.conf"
with contents like below.
The "client = yes" is very important.
In the "accept =" lines, the port numbers 8025 and 8110 must match
the port numbers which you have configured your email client to use.
On Linux, these port numbers must also be greater than 1023.
Replace "smtp.xyz.com" and "pop3.xyz.com" with the actual
names for your sending and receiving mail servers.

~~~~~~~~~~~~~~~ stunnel.conf ~~~~~~~~~~~~~~~

foreground = no

[OUTBOUND-MAIL]
client = yes
delay = yes
accept = 127.0.0.1:8025
connect = smtp.xyz.com:465

[INBOUND-MAIL]
client = yes
delay = yes
accept = 127.0.0.1:8110
connect = pop3.xyz.com:995

~~~~~~~~~~~~~~~ stunnel.conf ~~~~~~~~~~~~~~~


5. When you run STunnel, you must include the file stunnel.conf as a
command-line parameter. For example

"C:\Program Files\STunnel\stunnel.exe" "C:\Program Files\STunnel\stunnel.conf"

The easiest way is to create a shortcut for running STunnel, and
set the shortcut's 'Target' field to the command line with the
parameter.


--
Kind regards
Ralph
🦊

𝖀𝖓𝖎𝖈𝖔𝖉𝖊 𝕌𝕋𝔽-𝟠 𝙩𝙚𝙨𝙩.

Tekkie©

Nov 25, 2020, 4:35:39 PM

On Tue, 17 Nov 2020 17:21:24 -0600, VanguardLH posted for all of us to
digest...
I want to use it to forward articles via email to me. I don't want to use it as my
email client.

--
Tekkie

Tekkie©

Nov 25, 2020, 4:46:00 PM

On Thu, 19 Nov 2020 22:28:07 +1300, Ralph Fox posted for all of us to digest...

>
> On Tue, 17 Nov 2020 17:16:29 -0500, Tekkie© wrote:
>
> > I use Microplanet Gravity and it posts to groups fine. But emailing is a
> > problem. Pouring over the docs it seems that I need to run stunnel or OpenSSL
> > for it to connect through to the mail server. Can anyone guide me through this?
>
>
> 1. The general idea is that
> 1.1 You install STunnel;
> 1.2 You configure your email client to connect to STunnel,
> instead of to your mail server;
> 1.3 You configure STunnel to accept the connection from your
> email client and to forward the connection to your mail
> server.
>
> [Diagram best viewed in a fixed-pitch font]
>
>    |===================== YOUR COMPUTER =====================|        |============ THE INTERNET ============|
>
>     +---------+  OUTBOUND MAIL SERVER         +---------+  FORWARD TO                  +--------------------+
>     ¦         ¦------------------------------>¦         ¦----------------------------->¦  SMTP mail server  ¦
>     ¦  Email  ¦  localhost port 8025, no SSL  ¦         ¦  smtp.xyz.com port 465, SSL  +--------------------+
>     ¦  client ¦                               ¦ STunnel ¦
>     ¦         ¦  INBOUND MAIL SERVER          ¦         ¦  FORWARD TO                  +--------------------+
>     ¦         ¦------------------------------>¦         ¦----------------------------->¦  POP3 mail server  ¦
Thanks Ralph, I only want to use Gravity to forward articles via email. I use
Tbird for actual email. I believe gravity used the old port 25 for email.
Comcast uses 587 for outgoing so I submit this for your critique.

Thanks for your help. It makes my brain hurt...

client = yes
delay = yes
accept = 127.0.0.1:25
connect = smtp.xyz.com:587

--
Tekkie

Grant Taylor

Nov 25, 2020, 6:38:43 PM

On 11/25/20 2:45 PM, Tekkie© wrote:
> Thanks Ralph, I only want to use Gravity to forward articles via
> email.

Are you using Gravity for more than this? Are you actually using it to
read news? Or is it only for forwarding?

> I use Tbird for actual email.

Is there a reason that you /don't/ use Thunderbird for news too?

> I believe gravity used the old port 25 for email. Comcast uses 587
> for outgoing so I submit this for your critique.

> connect = smtp.xyz.com:587

TCP port 587 is a cleartext SMTP port that can transition to encryption
via the STARTTLS command. I suspect that's incompatible with stunnel.

Does Comcast support port 465? That's implicit TLS and should be more
compatible with stunnel.

Aside: If all you're using Gravity for is to forward articles, have you
considered a different news-to-email option?



--
Grant. . . .
unix || die

Ralph Fox

Nov 26, 2020, 2:05:48 AM

On Wed, 25 Nov 2020 16:45:58 -0500, Tekkie© wrote:

> Thanks Ralph, I only want to use Gravity to forward articles via email. I use
> Tbird for actual email. I believe gravity used the old port 25 for email.
> Comcast uses 587 for outgoing so I submit this for your critique.
>
> Thanks for your help. It makes my brain hurt...
>
> client = yes
> delay = yes
> accept = 127.0.0.1:25
> connect = smtp.xyz.com:587


1. I read that you can configure the email port number in
Microplanet Gravity to be whatever you need.
See the "SMTP" port shown on this web page:
<http://underpop.online.fr/m/microplanet-gravity/help/servers-servers-tab.html>


2. Port 587 is for connecting without an SSL encrypted connection
(as Grant Taylor has already replied).
If you just need to send mail using port 587 and nothing else, then
forget about STunnel and just change the "SMTP" port in Gravity to 587.
<http://underpop.online.fr/m/microplanet-gravity/help/servers-servers-tab.html>


3. STunnel is for when you need to connect using an SSL-encrypted
connection.

If you need to connect using an SSL-encrypted connection to send email,
then Comcast _does_ use port 465 for SSL-encrypted connections (and
only for SSL-encrypted connections).


4. Regarding port 25 in the stunnel.conf accept line

There is a risk that another program on your computer could
be accepting connections on port 25. For example, some AV/firewall
programs may do this.

4.1 If it so happens that there is another program, STunnel
will not be able to work with port 25 in the accept setting.
4.2 If there is not, you should be OK on Windows.
4.3 On Linux, the port in the accept line has to be over 1024.

If you are only sending email, and if port 25 is OK for you to use
in the accept setting (which you need to test), then your stunnel.conf
would look like this.


~~~~~~~~~~~~~~~ stunnel.conf ~~~~~~~~~~~~~~~

foreground = no

[OUTBOUND-MAIL]
client = yes
delay = yes
accept = 127.0.0.1:25
connect = smtp.xyz.com:465

~~~~~~~~~~~~~~~ stunnel.conf ~~~~~~~~~~~~~~~


--
Kind regards
Ralph
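
A checker for the kind of stunnel.conf shown in Ralph's two posts above, added here as an example (not stunnel's own code, nor anything the thread posted): it parses the file, confirms client = yes, that accept is bound to loopback on an unprivileged port, that a connect to a STARTTLS port (25/587) carries protocol = smtp rather than expecting TLS on first contact, and that some certificate-verification option is set, which is what stunnel's "needs authentication to prevent MITM attacks" log line quoted later in the thread is about. The sample config is constructed from the thread's examples, with a [submission] service that deliberately repeats the port-25 accept / port-587 connect mistake; the option names verifyChain, verifyPeer, CAfile, CApath and checkHost are stunnel's, the rest of the names are mine.

```python
import re

# Constructed sample built from the thread's configs; [submission] repeats the
# port-25 accept / port-587 connect mistake discussed in the replies.
SAMPLE_CONF = """foreground = no

[OUTBOUND-MAIL]
client = yes
delay = yes
accept = 127.0.0.1:8025
connect = smtp.xyz.com:465

[INBOUND-MAIL]
client = yes
delay = yes
accept = 127.0.0.1:8110
connect = pop3.xyz.com:995

[submission]
client = yes
accept = 127.0.0.1:25
connect = smtp.xyz.com:587
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
STARTTLS_PORTS = {25: "smtp", 587: "smtp", 110: "pop3", 143: "imap"}  # cleartext first
IMPLICIT_TLS_PORTS = {465, 993, 995}                                   # TLS first
VERIFY_KEYS = {"verify", "verifychain", "verifypeer", "cafile", "capath", "checkhost"}


def parse_stunnel_conf(text):
    """stunnel's INI-like syntax: global options, then [service] sections.
    Returns (global_opts, {service: opts}); keys are lowercased for comparison."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        target = global_opts if current is None else services[current]
        target[key.strip().lower()] = value.strip()
    return global_opts, services


def split_endpoint(value):
    """'host:port' or bare 'port' -> (host or None, port); a bare port binds all interfaces."""
    host, sep, port = value.rpartition(":")
    return (host.strip("[]") if sep else None), int(port if sep else value)


def check_service(name, opts, linux=False):
    """Findings for one [service] section as (service, level, message) tuples."""
    findings = []
    add = lambda level, msg: findings.append((name, level, msg))
    if opts.get("client", "no").lower() != "yes":
        add("error", "client = yes missing: stunnel would act as a TLS server, not wrap the client")
    if "accept" not in opts or "connect" not in opts:
        add("error", "both accept and connect are required")
        return findings
    a_host, a_port = split_endpoint(opts["accept"])
    _, c_port = split_endpoint(opts["connect"])
    proto = opts.get("protocol", "").lower()
    if a_host not in LOOPBACK:
        add("warn", f"accept {opts['accept']} is not loopback: the cleartext side is reachable from the network")
    if a_port <= 1023:  # the thread: must be > 1023 on Linux; port 25 may already be taken (AV proxy)
        add("error" if linux else "warn",
            f"accept port {a_port} is privileged on Linux and may clash with another listener")
    if c_port in STARTTLS_PORTS and not proto:
        add("error", f"connect port {c_port} expects cleartext then STARTTLS; "
                     f"add 'protocol = {STARTTLS_PORTS[c_port]}' or use an implicit-TLS port")
    if c_port in IMPLICIT_TLS_PORTS and proto:
        add("warn", f"protocol = {proto} on implicit-TLS port {c_port}: the man page says not to combine them")
    if not VERIFY_KEYS & set(opts):
        add("warn", "no certificate verification option (verifyChain/CAfile/...): "
                    "stunnel logs 'needs authentication to prevent MITM attacks'")
    return findings


def lint(text, linux=False):
    """All findings for a whole config file."""
    _, services = parse_stunnel_conf(text)
    return [f for name, opts in services.items() for f in check_service(name, opts, linux)]
```

Running lint(SAMPLE_CONF) reports only the missing-verification warning for the two services copied from Ralph's post, and three findings for [submission].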

VanguardLH

Nov 26, 2020, 3:52:14 PM

sTunnel is just a local proxy. It doesn't do e-mail. It doesn't do
FTP. It doesn't do any of that. It just intercepts traffic on one
port, encrypts it, and connects its own port to whatever other host you
specify (that would obviously need a listening process).

Because MPGravity doesn't do TLS, but you want it to send e-mails, you
have MPGravity connect to sTunnel, and have sTunnel connect to whatever
e-mail server to where you want to send e-mails from MPGravity.

Tekkie©

Dec 1, 2020, 3:47:55 PM

On Wed, 25 Nov 2020 16:38:45 -0700, Grant Taylor posted for all of us to
digest...

>
> On 11/25/20 2:45 PM, Tekkie© wrote:
> > Thanks Ralph, I only want to use Gravity to forward articles via
> > email.
>
> Are you using Gravity for more than this? Are you actually using it to
> read news? Or is it only for forwarding?

To read the news. I like to forward some posts I find of value to my email.
>
> > I use Tbird for actual email.
>
> Is there a reason that you /don't/ use Thunderbird for news too?

I just like Gravity better.
>
> > I believe gravity used the old port 25 for email. Comcast uses 587
> > for outgoing so I submit this for your critique.
>
> > connect = smtp.xyz.com:587
>
> TCP port 587 is a cleartext SMTP port that can transition to encryption
> via the STARTTLS command. I suspect that's incompatible with stunnel.
>
> Does Comcast support port 465? That's implicit TLS and should be more
> compatible with stunnel.
>
> Aside: If all you're using Gravity for is to forward articles, have you
> considered a different news-to-email option?

No, what are you thinking, Tbird news?

--
Tekkie

Tekkie©

Dec 1, 2020, 3:52:06 PM

On Thu, 26 Nov 2020 20:05:42 +1300, Ralph Fox posted for all of us to digest...

>
> On Wed, 25 Nov 2020 16:45:58 -0500, Tekkie© wrote:
>
> > Thanks Ralph, I only want to use Gravity to forward articles via email. I use
> > Tbird for actual email. I believe gravity used the old port 25 for email.
> > Comcast uses 587 for outgoing so I submit this for your critique.
> >
> > Thanks for your help. It makes my brain hurt...
> >
> > client = yes
> > delay = yes
> > accept = 127.0.0.1:25
> > connect = smtp.xyz.com:587
>
>
> 1. I read that you can configure the email port number in
> Microplanet Gravity to be whatever you need.
> See the "SMTP" port shown on this web page:
> <http://underpop.online.fr/m/microplanet-gravity/help/servers-servers-tab.html>
>
>
> 2. Port 587 is for connecting without an SSL encrypted connection
> (as Grant Taylor has already replied).
> If you just need to send mail using port 587 and nothing else, then
> forget about STunnel and just change the "SMTP" port in Gravity to 587.
> <http://underpop.online.fr/m/microplanet-gravity/help/servers-servers-tab.html>
>
>
> 3. STunnel is for when you need to connect using an SSL-encrypted
> connection.
>
> If you need to connect using an SSL-encrypted connection to send email,
> then Comcast _does_ use port 465 for SSL-encrypted connections (and
> only for SSL-encrypted connections).

That is what I understand.
>
>
> 4. Regarding port 25 in the stunnel.conf accept line
>
> There is a risk that another program on your computer could
> be accepting connections on port 25. For example, some AV/firewall
> programs may do this.
>
> 4.1 If it so happens that there is another program, STunnel
> will not be able to work with port 25 in the accept setting.
> 4.2 If there is not, you should be OK on Windows.
> 4.3 On Linux, the port in the accept line has to be over 1024.
>
> If you are only sending email, and if port 25 is OK for you to use
> in the accept setting (which you need to test), then your stunnel.conf
> would look like this.
>
>
> ~~~~~~~~~~~~~~~ stunnel.conf ~~~~~~~~~~~~~~~
>
> foreground = no
>
> [OUTBOUND-MAIL]
> client = yes
> delay = yes
> accept = 127.0.0.1:25
> connect = smtp.xyz.com:465
>
> ~~~~~~~~~~~~~~~ stunnel.conf ~~~~~~~~~~~~~~~

Thank you. I have a few minutes now to fool with this...

--
Tekkie

Tekkie©

Dec 1, 2020, 4:01:32 PM

On Thu, 26 Nov 2020 20:05:42 +1300, Ralph Fox posted for all of us to digest...
This is the log for stunnel

2020.12.01 15:55:25 LOG5[main]: Reading configuration from file stunnel.conf
2020.12.01 15:55:25 LOG5[main]: UTF-8 byte order mark detected
2020.12.01 15:55:25 LOG4[main]: Service [smtp] needs authentication to prevent MITM attacks
2020.12.01 15:55:25 LOG5[main]: Configuration successful

--
Tekkie

Tekkie©

Dec 1, 2020, 4:27:34 PM

On Thu, 26 Nov 2020 20:05:42 +1300, Ralph Fox posted for all of us to digest...
Well I have used
Port 8025
Port 25
Port 465
Port 587
Reentered my password

All I get is SMTP connection failure in the event viewer log in Gravity

The log in stunnel is:

2020.12.01 16:13:58 LOG5[main]: Reading configuration from file stunnel.conf
2020.12.01 16:13:58 LOG5[main]: UTF-8 byte order mark detected
2020.12.01 16:13:58 LOG4[main]: Service [smtp] needs authentication to prevent MITM attacks
2020.12.01 16:13:58 LOG5[main]: Configuration successful

I'm flummoxed, it's Win 10. I have tried it with another older newsreader I have
and it gives the same results.

Thanks again!

--
Tekkie

Grant Taylor

Dec 1, 2020, 6:52:59 PM

On 12/1/20 1:47 PM, Tekkie© wrote:
> To read the news. I like to forward some posts I find of value to my email.

ACK

> I just like Gravity better.

Fair enough.

> No, what are you thinking, Tbird news?

Thunderbird news possibly with filters is one option.

INN includes a news-to-email gateway.

There are other news-to-email gateways too.

But, if you're only forwarding selective messages, the automatic gateway
probably isn't a good fit.

Grant Taylor

Dec 1, 2020, 6:57:04 PM

On 12/1/20 2:27 PM, Tekkie© wrote:
> 2020.12.01 16:13:58 LOG4[main]: Service [smtp] needs authentication to prevent MITM attacks
...
> I'm flummoxed, it's Win 10. I have tried it with another older newsreader I have
> and it gives the same results.

Does Gravity support SMTP Authentication? Without that, you probably
won't be able to get by with just stunnel. You will likely need a micro
MTA that can accept messages from Gravity and then pass them off to your
ISP in a way that they find acceptable.

Remember, stunnel is only one piece of the puzzle. In fact, it's sort
of an obtuse piece at that.

Tekkie©

Dec 2, 2020, 4:39:10 PM

On Tue, 1 Dec 2020 16:57:09 -0700, Grant Taylor posted for all of us to
digest...
Obtuse is a good word for stunnel. Yes it supports SMTP but does not have SSL
which I was under the impression stunnel did. I am putting this aside for a
couple of days. Too mind-boggling. Maybe if I read the manual? NAH.

--
Tekkie

Grant Taylor

Dec 2, 2020, 9:31:20 PM

On 12/2/20 2:39 PM, Tekkie wrote:
> Obtuse is a good word for stunnel. Yes it supports SMTP but does not
> have SSL which I was under the impression stunnel did. I am putting
> this aside for a couple of days. Too mind-boggling. Maybe if I read
> the manual? NAH.

Interesting. Thank you for pointing out that stunnel supports SMTP
protocol.

VanguardLH

Dec 2, 2020, 11:43:47 PM

Grant Taylor <gta...@tnetconsulting.net> wrote:

> Tekkie wrote:
>
>> Obtuse is a good word for stunnel. Yes it supports SMTP but does not
>> have SSL which I was under the impression stunnel did. I am putting
>> this aside for a couple of days. Too mind-boggling. Maybe if I read
>> the manual? NAH.
>
> Interesting. Thank you for pointing out that stunnel supports SMTP
> protocol.

sTunnel does not support SMTP, IMAP, POP, Exchange, Gmail API, FTP,
Gopher, NTP, Telnet, DNS, HTTP/S, NNTP, or any other inter-process
communication protocol. sTunnel is only to establish a connection
between endpoints to establish an encrypted session (aka pipe). The
communication protocol goes over that encrypted session, and can be any
protocol. sTunnel is a TLS/SSL *tunneling* service that runs as a proxy
on your host (or a host in your intranet if sharing it). That's it!
Once the endpoints establish an encrypted session, the clients using
that tunneling use whatever protocol (command set) they want.

Likewise, your e-mail client will be sending the same command set to the
server whether the connection is encrypted or not. Whether your e-mail
client establishes a non-encrypted or encrypted session with the server,
the same set of commands get used for whatever protocol you configured
for use by an account defined within that e-mail client. The
communication protocol doesn't change because the session is encrypted.
sTunnel is NOT an e-mail client issuing commands to an e-mail server.
sTunnel is just the pipe for encrypting the traffic between endpoints.
It doesn't support the IMAP, POP, SMTP, Exchange, Gmail API, or other
e-mail protocols. That's not its purpose. You will never see sTunnel
listed as an alternative e-mail client or server.

You define in sTunnel its listening ports (input and output). The
"[smtp]", "[imap]", "[pops]" and so on are just labels. You could call
them "[george]", "[Gmail-poppy]", "[lalaland]", or whatever you want.
The labels have nothing to do with whichever protocols are used through
that proxy across those ports. A self-stick tag stuck to your shirt at
a seminar does not force you to communicate using a specific language.

Grant Taylor

Dec 3, 2020, 3:58:46 PM

On 12/2/20 9:43 PM, VanguardLH wrote:
> sTunnel does not support SMTP, IMAP, POP, Exchange, Gmail API, FTP,
> Gopher, NTP, Telnet, DNS, HTTP/S, NNTP, or any other inter-process
> communication protocol. sTunnel is only to establish a connection
> between endpoints to establish an encrypted session (aka pipe).

That's what I originally thought too.

Then pursuant to Tekkie's comments, I checked stunnel's manual page and
found that stunnel does support enough of (at least) the following
application layer protocols to be able to establish the TLS tunnel.
E.g. speak enough SMTP to send an EHLO and STARTTLS. To quote the man page:

protocol = PROTO
application protocol to negotiate TLS

This option enables initial, protocol-specific negotiation of TLS
encryption. The protocol option should not be used with TLS encryption
on a separate port.

Currently supported protocols:

- cifs
- connect
- imap
- nntp
- pgsql
- pop3
- proxy
- smtp
- socks

This tells me that stunnel knows how to present an unencrypted SMTP port
to a client and connect it to an SMTP server that requires STARTTLS on
port 25 or 587.

> The communication protocol goes over that encrypted session, and can
> be any protocol. sTunnel is a TLS/SSL *tunneling* service that runs
> as a proxy on your host (or a host in your intranet if sharing it).
> That's it!

But, as described above, there is some limited application layer
protocol knowledge and support to be able to establish the tunnel.

E.g. you can't connect to an SMTP server on ports 25 or 587 and
immediately start speaking TLS. You *MUST* speak enough SMTP to be able
to transition from unencrypted to encrypted connection.

> Once the endpoints establish an encrypted session, the clients using
> that tunneling use whatever protocol (command set) they want.

The operative phrase being "Once the endpoints establish an encrypted
session...". The application specific protocol is required on some
ports to be able to do that.

> Likewise, your e-mail client will be sending the same command set to
> the server whether the connection is encrypted or not.

Not quite. It depends if stunnel is in the mix or not. It depends if
your client is trying to negotiate encryption or not. E.g. your client
won't use STARTTLS (for SMTP) if you don't tell it to do encryption or
if stunnel does the encryption for you. Conversely your email client
will use STARTTLS if you tell it to use encryption on ports 25 or 587.

> Whether your e-mail client establishes a non-encrypted or encrypted
> session with the server, the same set of commands get used for whatever
> protocol you configured for use by an account defined within that
> e-mail client.

Nope. Having the client do the encryption (vs stunnel) requires a
superset of commands compared to what is used for unencrypted
connections. Specifically "STARTTLS", which is used by the client to
establish encryption to ports 25 and 587, is decidedly NOT used for
unencrypted communications. Ergo "the same set of commands get used for
whatever protocol you configured" is factually incorrect.

There is also the problem that SMTP, IMAP, and POP3 all use different
commands. So your "the same set of commands get used for whatever
protocol..." statement is tenuous at best or misleading if not wrong.

> The communication protocol doesn't change because the session is
> encrypted.

If something other than stunnel does the encryption, yes it does.

> sTunnel is NOT an e-mail client issuing commands to an e-mail server.

That can't possibly be correct. stunnel does (and will if told to do
so) issue just enough application specific protocol to establish the
secure connections. E.g. "EHLO" & "STARTTLS" for SMTP.

> sTunnel is just the pipe for encrypting the traffic between endpoints.

Yes. But stunnel must use the absolute minimum application protocol to
be able to establish said pipe.

> It doesn't support the IMAP, POP, SMTP, Exchange, Gmail API, or other
> e-mail protocols.

Per the manual page, yes, stunnel does support IMAP, POP3, SMTP.

Aside: Exchange can be its own proprietary protocol or the
aforementioned IMAP, POP3, and SMTP.

> That's not its purpose. You will never see sTunnel listed as an
> alternative e-mail client or server.

On the contrary, speaking an absolute minimum to establish the encrypted
connection via the application specific protocols to enable encrypted
connections *IS* stunnel's purpose.

I just confirmed with the following (redacted) configuration that /yes/
*stunnel* is speaking SMTP specific commands.

--8<--
foreground = yes

[test]
client = yes
accept = 127.0.0.1:2525
connect = REDACTED:587
protocol = smtp
-->8--

I then:

1) started stunnel in the first window
2) started tcpdump to sniff the traffic to the host and port in the
second window
3) telnetted to 127.0.0.1 port 2525 in a third window and spoke SMTP

I can confirm that stunnel did in fact issue the following SMTP "EHLO
localhost" and "STARTTLS". /I/ did *NOT* issue these commands.
/stunnel/ *did* issue these commands.

This proves beyond a shadow of a doubt that stunnel does have limited
support for application protocols that require this type of behavior to
establish an encrypted connection.

> You define in sTunnel its listening ports (input and output). The
> "[smtp]", "[imap]", "[pops]" and so on are just labels. You could call
> them "[george]", "[Gmail-poppy]", "[lalaland]", or whatever you want.
> The labels have nothing to do with whichever protocols are used through
> that proxy across those ports. A self-stick tag stuck to your shirt at
> a seminar does not force you to communicate using a specific language.

However the "protocol = smtp" statement (in whatever label you happen to
use) /does/ mean that stunnel will speak the absolute minimum SMTP to
establish the encrypted connection, which is then presented as clear
text to the client connecting to the port from accept parameter.
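
The EHLO/STARTTLS exchange Grant captured stunnel issuing, modelled as an added example (not stunnel's code and not from the thread): the client side of RFC 3207 STARTTLS run against scripted server replies, which fails closed when the EHLO reply does not advertise STARTTLS (nothing more is sent in the clear) and when a port-465 server stays silent because it is waiting for a TLS handshake instead of sending a banner. The server transcripts, the smtp.xyz.com name and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass, field

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(text):
    """Split one SMTP reply (one or more CRLF lines) into (code, [texts]).
    Every line must carry the same 3-digit code; only the last line uses a space."""
    lines = [l for l in text.split("\r\n") if l]
    parsed = [REPLY_LINE.match(l) for l in lines]
    if not parsed or None in parsed:
        raise ValueError(f"malformed reply: {text!r}")
    codes = {m.group(1) for m in parsed}
    if len(codes) != 1 or parsed[-1].group(2) != " ":
        raise ValueError(f"malformed reply: {text!r}")
    return int(codes.pop()), [m.group(3) for m in parsed]


@dataclass
class Result:
    ok: bool
    reason: str
    sent: list = field(default_factory=list)          # commands the client issued
    capabilities: list = field(default_factory=list)  # EHLO keywords the server offered


def negotiate_starttls(server_replies, helo_name="localhost"):
    """Client side of RFC 3207 STARTTLS against scripted server replies
    (a constructed stand-in for the socket).  Fails closed: if the server does
    not advertise STARTTLS, or refuses it, nothing further is sent in cleartext."""
    replies = iter(server_replies)
    res = Result(ok=False, reason="")

    def recv():
        try:
            return parse_reply(next(replies))
        except StopIteration:  # server sent nothing: treat as a read timeout
            return None

    banner = recv()
    if banner is None:
        res.reason = "no banner: server is silent (implicit-TLS port such as 465?)"
        return res
    if banner[0] != 220:
        res.reason = f"unexpected greeting {banner[0]}"
        return res

    res.sent.append(f"EHLO {helo_name}")  # what stunnel sent in Grant's capture
    ehlo = recv()
    if ehlo is None or ehlo[0] != 250:
        res.reason = "EHLO rejected"
        return res
    res.capabilities = [c.upper() for c in ehlo[1][1:]]  # first line is the server name
    if "STARTTLS" not in res.capabilities:
        res.reason = "server did not advertise STARTTLS; refusing to continue in cleartext"
        return res

    res.sent.append("STARTTLS")
    go = recv()
    if go is None or go[0] != 220:
        res.reason = f"STARTTLS refused ({go[0] if go else 'no reply'})"
        return res
    # A real client now wraps the socket (ssl.SSLContext.wrap_socket) and repeats
    # EHLO inside TLS; stunnel instead hands the encrypted stream to the cleartext
    # client waiting on its accept port.
    res.ok, res.reason = True, "TLS layer established"
    return res


# Constructed server transcripts; the "250-" lines are the EHLO capabilities.
SUBMISSION_587 = [
    "220 smtp.xyz.com ESMTP ready\r\n",
    "250-smtp.xyz.com\r\n250-SIZE 36700160\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n",
    "220 2.0.0 Ready to start TLS\r\n",
]
STRIPPED = [  # same server, but STARTTLS removed from the capability list
    "220 smtp.xyz.com ESMTP ready\r\n",
    "250-smtp.xyz.com\r\n250 AUTH PLAIN LOGIN\r\n",
]
IMPLICIT_465 = []  # a port-465 server sends nothing until the TLS handshake completes
```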