I get the following error starting stunnel4 service on Ubuntu 15.04:
root@scw-d91ec7:~# service stunnel4 start
Job for stunnel4.service failed. See "systemctl status stunnel4.service" and "journalctl -xe" for details.
root@scw-d91ec7:~# systemctl status stunnel4.service
● stunnel4.service - LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons)
Loaded: loaded (/etc/init.d/stunnel4)
Active: failed (Result: exit-code) since Mon 2015-08-24 17:03:25 UTC; 11s ago
Docs: man:systemd-sysv-generator(8)
Process: 2869 ExecStart=/etc/init.d/stunnel4 start (code=exited, status=1/FAILURE)
Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: [!] Error binding service [ssh] to 212.43.222.123:443
Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: [!] bind: Cannot assign requested address (99)
Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: [ ] Closing service [ssh]
Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: [ ] Service [ssh] closed
Aug 24 17:03:25 scw-d91ec7 systemd[1]: stunnel4.service: control process exited, code=exited status=1
Aug 24 17:03:25 scw-d91ec7 systemd[1]: Failed to start LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons).
Aug 24 17:03:25 scw-d91ec7 systemd[1]: Unit stunnel4.service entered failed state.
Aug 24 17:03:25 scw-d91ec7 systemd[1]: stunnel4.service failed.
Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: [Failed: /etc/stunnel/stunnel.conf]
Aug 24 17:03:25 scw-d91ec7 stunnel4[2869]: You should check that you have specified the pid= in you configuration file
/etc/stunnel/stunnel.conf:
root@scw-d91ec7:~# cat /etc/stunnel/stunnel.conf
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
[ssh]
accept = 212.43.222.123:443
connect = 127.0.0.1:22
/etc/default/stunnel4:
root@scw-d91ec7:~# cat /etc/default/stunnel4
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel automatic startup
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
# Change to enable the setting of limits on the stunnel instances
# For example, to set a large limit on file descriptors (to enable
# more simultaneous client connections), set RLIMITS="-n 4096"
# More than one resource limit may be modified at the same time,
# e.g. RLIMITS="-n 4096 -d unlimited"
RLIMITS=""
Ubuntu release:
root@scw-d91ec7:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 15.04
Release: 15.04
Codename: vivid
stunnel version:
root@scw-d91ec7:~# stunnel -version
stunnel 5.06 on arm-unknown-linux-gnueabihf platform
Compiled/running with OpenSSL 1.0.1f 6 Jan 2014
Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
Global options:
debug = daemon.notice
pid = /var/run/stunnel4.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve = prime256v1
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
… more details:
root@scw-d91ec7:~# journalctl -xe
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] errno: (*__errno_location ())
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [.] Reading configuration from file /etc/stunnel/stunnel.conf
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [.] FIPS mode disabled
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Compression disabled
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Snagged 64 random bytes from /dev/urandom
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] PRNG seeded successfully
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Initializing service [ssh]
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Loading cert from file: /etc/stunnel/stunnel.pem
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Loading key from file: /etc/stunnel/stunnel.pem
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [:] Insecure file permissions on /etc/stunnel/stunnel.pem
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Private key check succeeded
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] DH initialization
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Could not load DH parameters from /etc/stunnel/stunnel.pem
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Using hardcoded DH parameters
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] DH initialized with 2048-bit key
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] ECDH initialization
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] ECDH initialized with curve prime256v1
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] SSL options: 0x03000004 (+0x03000000, -0x00000000)
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [.] Configuration successful
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Listening file descriptor created (FD=7)
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [!] Error binding service [ssh] to 212.43.222.123:443
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [!] bind: Cannot assign requested address (99)
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Closing service [ssh]
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [ ] Service [ssh] closed
Aug 24 17:18:12 scw-d91ec7 systemd[1]: stunnel4.service: control process exited, code=exited status=1
Aug 24 17:18:12 scw-d91ec7 systemd[1]: Failed to start LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons).
-- Subject: Unit stunnel4.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit stunnel4.service has failed.
--
-- The result is failed.
Aug 24 17:18:12 scw-d91ec7 systemd[1]: Unit stunnel4.service entered failed state.
Aug 24 17:18:12 scw-d91ec7 systemd[1]: stunnel4.service failed.
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: [Failed: /etc/stunnel/stunnel.conf]
Aug 24 17:18:12 scw-d91ec7 stunnel4[3924]: You should check that you have specified the pid= in you configuration file
Any idea?
all,
I have a website which can be accessed via HTTP well at port 86. Now it is required to add SSL to secure the connection. This website is served with thttpd web server which, yes, has no SSL support. I searched a lot through google then. Suggestions are adding SSL through Stunnel to thttpd.
UPDATED:
Here is my stunnel.conf:
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
fips = no
; PID is created inside the chroot jail
pid = /stunnel.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/local/etc/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; Example SSL server mode services
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
; Example SSL client mode services
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; Example SSL front-end to a web server
[https]
accept = 443
connect = 86
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini
Here is the result I got:
linux-1ryy:/usr/local/etc/stunnel # /usr/local/bin/stunnel
Clients allowed=500
stunnel 4.56 on i686-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS mode is disabled
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service [https]
Certificate: /usr/local/etc/stunnel/stunnel.pem
Certificate loaded
Key file: /usr/local/etc/stunnel/stunnel.pem
Private key loaded
Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
DH initialized with 1024-bit key
ECDH initialized with curve prime256v1
SSL options set: 0x01000004
Configuration successful
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Closing service [https]
Service [https] closed (FD=7)
Sessions cached before flush: 0
Sessions cached after flush: 0
Service [https] closed
str_stats: 10 block(s), 883 data byte(s), 420 control byte(s)
Here is the port listening information before running /usr/local/bin/stunnel:
linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5484/mysqld
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 336/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1558/sshd
tcp 0 0 :::86 :::* LISTEN 5536/thttpd
tcp 0 0 :::22 :::* LISTEN 1558/sshd
And here is the port listening information after running it:
linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5484/mysqld
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 336/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1558/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 23145/stunnel
tcp 0 0 :::86 :::* LISTEN 5536/thttpd
tcp 0 0 :::22 :::* LISTEN 1558/sshd
I have no idea now what is going wrong. Any suggestions will be appreciated.
ADDED:
If I close firewall, I can access via https://<my-ip-address> successfully. However, I keep still getting this error message:
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Wondering why…
I followed this guide and I also noticed the problem is discussed here viewtopic.php?t=18801 but there was no solution.
Any ideas where to start?
Edit apparently I’m sort of an idiot. Stunnel wasn’t running. However, stunnel won’t start because it can’t bind to localhost which it says is in use. It doesn’t appear to be in use.
[!] bind: Address already in use (48)
[!] Error binding service [openvpn-localhost] to 127.0.0.1:3000
[ ] Closing service [openvpn-localhost]
[ ] Service [openvpn-localhost] closed
/usr/local/etc/rc.d/stunnel: WARNING: failed to start stunnel
stunnel.conf
debug = 7
output = /usr/local/etc/stunnel/stunnel.log
# Location of the certificate that we created
cert = /usr/local/etc/stunnel/stunnel.pem
# Name of the connection
[openvpn-localhost]
# The port to listen on
accept = 127.0.0.1:3000
# Connect to the local OpenVPN server
connect = 127.0.0.1:10011
]# sockstat -4 -l
sockstat: struct xtcpcb size mismatch
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
nobody openvpn 11859 6 udp4 *:10011 *:*
root syslogd 11827 7 udp4 *:514 *:*
With the latest update to stunnel 5.44-2.fc27, it appears to be unable to bind to localhost:
$ cat stunnel.test
debug = 6
syslog = no
foreground = yes
[test]
client = yes
protocol = smtp
accept = localhost:12345
connect = localhost:2025
$ stunnel stunnel.test
[ ] Clients allowed=500
[.] stunnel 5.44 on x86_64-redhat-linux-gnu platform
[.] Compiled/running with OpenSSL 1.1.0g-fips 2 Nov 2017
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /home/christian/stunnel.test
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] Snagged 64 random bytes from /home/christian/.rnd
[ ] Wrote 1024 new random bytes to /home/christian/.rnd
[ ] PRNG seeded successfully
[ ] Initializing service [test]
[ ] Ciphers: PROFILE=SYSTEM
[ ] TLS options: 0x02020004 (+0x02000000, -0x00000000)
[ ] No certificate or private key specified
[:] Service [test] needs authentication to prevent MITM attacks
[.] Configuration successful
[ ] Binding service [test]
[ ] Listening file descriptor created (FD=6)
[ ] Option SO_REUSEADDR set on accept socket
[ ] Service [test] (FD=6) bound to 127.0.0.1:12345
[ ] Listening file descriptor created (FD=7)
[ ] Option SO_REUSEADDR set on accept socket
[!] bind: Address already in use (98)
[!] Error binding service [test] to 127.0.0.1:12345
[ ] Unbinding service [test]
[ ] Service [test] closed (FD=6)
[ ] Service [test] closed
There's (really) nothing listening on port 12345 here; and there are no SELinux warnings either.
How reproducible: always
Steps to Reproduce:
1. Update to stunnel 5.44-2.fc27
2. Start stunnel to bind to an unused port on localhost
3. bind: Address already in use (98)
Actual results:
[!] bind: Address already in use (98)
[!] Error binding service [test] to 127.0.0.1:12345
Expected results: stunnel should bind to the port.
Additional info: Downgrading to stunnel 5.42-1.fc27 helps (thanks for "dnf downgrade"!):
$ sudo dnf downgrade stunnel
$ stunnel stunnel.test
2018.02.05 23:42:26 LOG5[ui]: stunnel 5.42 on x86_64-redhat-linux-gnu platform
2018.02.05 23:42:26 LOG5[ui]: Compiled with OpenSSL 1.1.0f-fips 25 May 2017
2018.02.05 23:42:26 LOG5[ui]: Running with OpenSSL 1.1.0g-fips 2 Nov 2017
2018.02.05 23:42:26 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
2018.02.05 23:42:26 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2018.02.05 23:42:26 LOG5[ui]: Reading configuration from file /home/christian/stunnel.test
2018.02.05 23:42:26 LOG5[ui]: UTF-8 byte order mark not detected
2018.02.05 23:42:26 LOG5[ui]: FIPS mode disabled
2018.02.05 23:42:26 LOG6[ui]: Initializing service [test]
2018.02.05 23:42:26 LOG4[ui]: Service [test] needs authentication to prevent MITM attacks
2018.02.05 23:42:26 LOG5[ui]: Configuration successful
Should have done this before reporting here: The same happens for the upstream version 5.44 (but not for 5.43!), so it's not Fedora specific. The changelog tipped me off: > https://www.stunnel.org/sdf_ChangeLog.html > Bugfixes > Default accept address restored to INADDR_ANY. The diff between these two version was small enough and after a bit of searching....with the following fix applied to 5.44, stunnel is able to bind to localhost again: --- src/options.c.orig 2017-11-14 23:06:12.000000000 -0800 +++ src/options.c 2018-02-06 00:01:58.892498016 -0800 @@ -1151,7 +1151,7 @@ NOEXPORT char *parse_service_option(CMD /* accept */ switch(cmd) { case CMD_BEGIN: - addrlist_clear(§ion->local_addr, 1); + addrlist_clear(§ion->local_addr, 0); break; case CMD_EXEC: if(strcasecmp(opt, "accept")) == Workaround: use a numeric address for localhost ("127.0.0.1" or "::1" will do) in the configuration file to have stunnel-5.44 bind to localhost: $ grep ^accept stunnel.test accept = ::1:12345 $ /usr/bin/stunnel stunnel.test 2018.02.06 00:13:20 LOG5[ui]: stunnel 5.44 on x86_64-redhat-linux-gnu platform 2018.02.06 00:13:20 LOG5[ui]: Compiled/running with OpenSSL 1.1.0g-fips 2 Nov 2017 2018.02.06 00:13:20 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP 2018.02.06 00:13:20 LOG5[ui]: Reading configuration from file /home/christian/stunnel.test 2018.02.06 00:13:20 LOG5[ui]: UTF-8 byte order mark not detected 2018.02.06 00:13:20 LOG5[ui]: FIPS mode disabled 2018.02.06 00:13:20 LOG6[ui]: Initializing service [test] 2018.02.06 00:13:20 LOG4[ui]: Service [test] needs authentication to prevent MITM attacks 2018.02.06 00:13:20 LOG5[ui]: Configuration successful The downside with this workaround is, that the client port (:12345) can now only be reached with either the configured IPv4 or IPv6 localhost address, but not both. With stunnel-5.43 and "accept=localhost:12345", it would serve both 127.0.0.1 and ::1.
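Review bot: in the CMD_BEGIN case of the accept option, the second argument to addrlist_clear() is a bare 0/1 whose meaning cannot be read from this hunk, so the diff alone does not show that passing 0 only stops the duplicate bind and leaves intact the changelog item quoted above ("Default accept address restored to INADDR_ANY"). Suggest a named constant or a short comment at the call site, plus a regression check covering both accept = localhost:12345 (expected to serve 127.0.0.1 and ::1, as described for 5.43) and a port-only accept.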
The issue has been fixed with stunnel-5.45b2, which is available from the stunnel website. I tried to "cherry-pick" the relevant changes and attached it to this bug, or one could wait until 5.45 is released, or just use the beta version :-)
Yes, this fixes this bug - thanks! (Also: is it preferred for the reporter to state this in this bug report or is it sufficient/preferred to do so on Bodhi? The latter may produce less emails to the subscribers to this bug, I guess)
Bodhi should be sufficient.
stunnel-5.44-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
stunnel-5.44-5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Upstream recently released version 5.45 which includes this fix. But then shortly after that they released version 5.46 which contains this in the changelog: "Default accept address restored to INADDR_ANY". Christian, could you please verify that the version 5.46 does not break this again? Here is a scratch build to test: https://koji.fedoraproject.org/koji/taskinfo?taskID=27274049
My testing with the configuration from the bug description works fine, I just want to be sure we do not regress.
I did not have a very exotic stunnel configuration, so I tested the configuration file that I was initially using, basically the stunnel.test in comment 0.
* stunnel-5.43 still works with that config.
* stunnel-5.44 (unfixed) fails, as reported.
* stunnel-5.44-5.fc28.x86_64 works.
* stunnel 5.46 (vanilla) works.
* stunnel-5.46-1.fc27 works too:
$ wget https://kojipkgs.fedoraproject.org//work/tasks/4052/27274052/stunnel-5.46-1.fc27.x86_64.rpm
$ rpm2cpio stunnel-5.46-1.fc27.x86_64.rpm | cpio -idv
$ LD_LIBRARY_PATH=./usr/lib64/stunnel ./usr/bin/stunnel stunnel.test
2018.05.29 21:15:27 LOG5[ui]: stunnel 5.46 on x86_64-redhat-linux-gnu platform
2018.05.29 21:15:27 LOG5[ui]: Compiled/running with OpenSSL 1.1.0h-fips 27 Mar 2018
2018.05.29 21:15:27 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2018.05.29 21:15:27 LOG5[ui]: Reading configuration from file /home/christian/s/stunnel.test
2018.05.29 21:15:27 LOG5[ui]: UTF-8 byte order mark not detected
2018.05.29 21:15:27 LOG5[ui]: FIPS mode disabled
2018.05.29 21:15:27 LOG6[ui]: Initializing service [test]
2018.05.29 21:15:27 LOG4[ui]: Service [test] needs authentication to prevent MITM attacks
2018.05.29 21:15:27 LOG5[ui]: Configuration successful
2018.05.29 21:15:27 LOG6[ui]: Service [test] (FD=6) bound to ::1:12345
2018.05.29 21:15:27 LOG6[ui]: Service [test] (FD=7) bound to 127.0.0.1:12345
$ netstat -an | grep 12345
tcp 0 0 127.0.0.1:12345 0.0.0.0:* LISTEN
tcp6 0 0 ::1:12345 :::* LISTEN
Specifying numeric IPv4 or IPv6 addresses in the configuration file works too and stunnel will then only listen on the configured address, as configured. So, I think your release is good to go :-)
Thanks for checking!
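The two bind failures reported above, errno 99 for 212.43.222.123:443 in the first post and errno 98 for 127.0.0.1:12345 right after stunnel 5.44 had bound that same address itself, can be told apart with a small preflight probe. This is an added example, not code from stunnel or from any poster; the names `classify`, `dedupe`, `resolve_accept`, `probe` and `free_port` and the test port are assumptions made for illustration.

```python
import errno
import socket

# bind() errno -> cause. Numbers in the logs above: 98/99 on Linux, 48 on FreeBSD.
CAUSES = {
    errno.EADDRINUSE: "in_use",        # a socket already listens on addr:port
    errno.EADDRNOTAVAIL: "not_local",  # the IP is not assigned to any interface
}


def classify(err):
    """Translate an errno value from bind()/listen() into a short cause."""
    return CAUSES.get(err, "error_%s" % err)


def dedupe(addresses):
    """Drop repeated (family, sockaddr) entries, keeping first-seen order."""
    seen, unique = set(), []
    for entry in addresses:
        if entry not in seen:
            seen.add(entry)
            unique.append(entry)
    return unique


def resolve_accept(host, port):
    """Resolve an accept host to one (family, sockaddr) entry per address."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return dedupe([(family, sockaddr) for family, _, _, _, sockaddr in infos])


def try_listen(family, sockaddr):
    """bind() and listen() once; return (status, open socket or None)."""
    s = socket.socket(family, socket.SOCK_STREAM)
    try:
        # Same option the stunnel log reports setting on its accept socket.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(sockaddr)
        s.listen(5)
        return "ok", s
    except OSError as e:
        s.close()
        return classify(e.errno), None


def probe(addresses):
    """Listen on every address in one process; return [(host, port, status)]."""
    held, report = [], []
    try:
        for family, sockaddr in addresses:
            status, s = try_listen(family, sockaddr)
            if s is not None:
                held.append(s)  # stay bound so later entries see the conflict
            report.append((sockaddr[0], sockaddr[1], status))
    finally:
        for s in held:
            s.close()
    return report


def free_port(host="127.0.0.1"):
    """Constructed test input: a TCP port that is unused right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = free_port()
    twice = [(socket.AF_INET, ("127.0.0.1", port))] * 2
    print(probe(twice))          # second entry conflicts with the first
    print(probe(dedupe(twice)))  # one listener, no conflict
    print(probe(resolve_accept("localhost", port)))
```

A `not_local` result means the address has to be added to an interface or the `accept` line changed; `in_use` with nothing else listening points at the same address being bound twice by the process itself.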
Question
Exchange 2013
Verizon.net (FIOS) has changed their smtp relay from outgoing.verizon.net port 25 to smtp.verizon.net port 465 (SSL Enabled)
With username and password
I have changed my Send Connector smart host from outgoing.verizon.net to smtp.verizon.net
I have changed the port on the Send connector from 25 to 465
Send Connector Name is test
Protocol Logging shows:
2013-09-07T18:47:36.715Z,test,08D07A0FC992DBC0,0,,206.46.232.100:465,*,,attempting to connect
2013-09-07T18:47:36.777Z,test,08D07A0FC992DBC0,1,192.168.1.218:53297,206.46.232.100:465,+,,
I have tried this with IgnoreSTARTTLS true and false
I have tried this with "Offer basic authentication only after starting TLS" on and off
Anything else I can try?
I have verified with openssl that I can connect and authenticate to smtp.verizon.net from the server
Edited by
Saturday, September 7, 2013 6:54 PM
Answers
Using port 465 implies the use of SSL, not TLS. It also means that there’s no negotiation — it’s expected that the sender (a client) simply uses SSL all the time. Port 465 never was an accepted standard, especially for servers.
Have you tried using port 587 instead?
— Rich Matheisen MCSE&I, Exchange MVP
Edited by Rich Matheisen [Ex-MVP (retired)], Sunday, September 8, 2013 1:04 AM
Marked as answer by Simon_Wu (Microsoft contingent staff), Friday, September 27, 2013 3:51 AM
[!] Server is down
[ ] Executing cron jobs
[ ] Cron jobs completed in 0 seconds
[ ] Waiting 86400 seconds
[ ] Running on Windows 6.2
[.] Reading configuration from file stunnel.conf
[.] UTF-8 byte order mark detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] Snagged 64 random bytes from C:/.rnd
[ ] Wrote 0 new random bytes to C:/.rnd
[ ] PRNG seeded successfully
[ ] Initializing service [openvpn]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x03000004 (+0x03000000, -0x00000000)
[ ] No certificate or private key specified
[:] Service [openvpn] needs authentication to prevent MITM attacks
[ ] Initializing service [gmail-pop3]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x03000004 (+0x03000000, -0x00000000)
[ ] No certificate or private key specified
[ ] Initializing service [gmail-imap]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x03000004 (+0x03000000, -0x00000000)
[ ] No certificate or private key specified
[ ] Initializing service [gmail-smtp]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x03000004 (+0x03000000, -0x00000000)
[ ] No certificate or private key specified
[.] Configuration successful
[ ] Listening file descriptor created (FD=792)
[ ] Option SO_EXCLUSIVEADDRUSE set on accept socket
[!] bind: Address already in use (WSAEADDRINUSE) (10048)
[!] Error binding service [openvpn] to 127.0.0.1:31337
[ ] Closing service [openvpn]
[ ] Service [openvpn] closed
[ ] Closing service [gmail-pop3]
[ ] Service [gmail-pop3] closed
[ ] Closing service [gmail-imap]
[ ] Service [gmail-imap] closed
[ ] Closing service [gmail-smtp]
[ ] Service [gmail-smtp] closed