Discussion:
attempting to establish stunnel smtp connection to remote server
Leland T. Snyder
2004-07-27 05:09:57 UTC
I am trying to establish a stunnel connection to a remote mail server
(using iPlanet), I know my local OpenSSL certs are in order, because I can
establish a connection with a sendmail SMTP server in TLS mode with no
problems. I am using a self-signed cert for the client system . . .

Anyway, when I try to establish a connection, I get the following error:
non-RFC 2487 compliant, just means it is a mail server that does not
support full smtp protocol.
guess I need to diagnose this on the server end, maybe an error is being
logged to the application log.

[***@base03 root]# rm -f /tmp/smtplog; stunnel -D info -c -r
mail02.tapnet.net:smtp -n smtp -o /tmp/smtplog ; cat /tmp/smtplog
220 mail02.tapdesign.com -- Server ESMTP (iPlanet Messaging Server 5.2
HotFix 1.21 (built Sep 8 2003))
2004.07.27 00:21:35 LOG5[8737:8192]: Using 'mail02.tapnet.net.smtp' as
tcpwrapper service name
2004.07.27 00:21:35 LOG6[8737:8192]: PRNG seeded successfully
2004.07.27 00:21:35 LOG5[8737:8192]: stunnel 3.22 on i386-redhat-linux-gnu
PTHREAD+LIBWRAP with OpenSSL 0.9.6b [engine] 9 Jul 2001
2004.07.27 00:21:36 LOG3[8737:8192]: Remote server is not RFC 2487 compliant
2004.07.27 00:21:36 LOG3[8737:8192]: Protocol negotiations failed
[***@base03 root]#

Any help would be greatly appreciated.

-Leland T. Snyder
Jan Meijer
2004-07-27 07:16:03 UTC
Post by Leland T. Snyder
non-RFC 2487 compliant , just means it is a mail server that does not
support full smtp protocol.
"SMTP Service Extension for Secure SMTP over TLS" is the title of RFC 2487.

Silly question: are you sure the remote mailserver supports smtp over tls?

Jan
--
/~\ The ASCII / Jan Meijer
\ / Ribbon Campaign -- -- SURFnet bv
X Against HTML / http://www.surfnet.nl/organisatie/jm/
/ \ Email http://cert.surfnet.nl/
Brian Hatch
2004-07-27 14:42:58 UTC
Post by Leland T. Snyder
non-RFC 2487 compliant , just means it is a mail server that does not
support full smtp protocol.
guess I need to diagnose this on the server end, maybe an error is being
logged to the application log.
mail02.tapnet.net:smtp -n smtp -o /tmp/smtplog ; cat /tmp/smtplog
The answer's easy: your mail server doesn't support STARTTLS at all.

$ telnet mail02.tapdesign.com 25
220 mail02.tapdesign.com -- Server ESMTP (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
EHLO example.com
250-mail02.tapdesign.com
250-8BITMIME
250-PIPELINING
250-DSN
250-XDFLG
250-ENHANCEDSTATUSCODES
250-EXPN
250-HELP
250-SAML
250-SEND
250-SOML
250-TURN
250-XADR
250-XSTA
250-XCIR
250-XGEN
250-XLOOP FC3D20293E1AE6CC87437B716AD62D00
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN
250-ETRN
250-RELAY
250 SIZE 0
quit
221 2.3.0 Bye received. Goodbye.

There's no way for Stunnel to attempt to negotiate SSL if
your server doesn't support it.
--
Brian Hatch $ perl -e \
Systems and '$pi -= ($_%4-2)*4/$_++
Security Engineer while ++$_ < 3e5;
http://www.ifokr.org/bri/ printf "%.5f\n",$pi'

Every message PGP signed
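
The check done by hand in the telnet session above, written as an added example (not part of the original posts and not stunnel's own code): it parses an EHLO reply and reports whether STARTTLS is advertised. PAGE_REPLY is abridged from the capture above; CONSTRUCTED_REPLY and the function names are made up for illustration.

```python
import re
import smtplib

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    lines = reply.strip().splitlines()
    exts = {}
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([- ])(.*)", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        # Every line uses "250-" except the last, which uses "250 ".
        if (m.group(1) == " ") != (i == len(lines) - 1):
            raise ValueError(f"bad continuation marker: {line!r}")
        if i == 0:
            continue  # first line carries the server's domain, not an extension
        # Keywords are case-insensitive; "AUTH=LOGIN" is a legacy form of AUTH.
        parts = re.split(r"[ =]", m.group(2), maxsplit=1)
        params = parts[1].split() if len(parts) > 1 else []
        exts.setdefault(parts[0].upper(), []).extend(params)
    return exts

def supports_starttls(reply):
    """True only if the server lists STARTTLS among its EHLO extensions."""
    return "STARTTLS" in parse_ehlo(reply)

def probe(host, port=25, timeout=10):
    """Live version of the same check (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return s.has_extn("starttls")

# Abridged from the EHLO capture in the post above.
PAGE_REPLY = """250-mail02.tapdesign.com
250-8BITMIME
250-PIPELINING
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN
250-ETRN
250 SIZE 0
"""
# Constructed sample: a server that does advertise the extension.
CONSTRUCTED_REPLY = """250-mx.example.test
250-PIPELINING
250-starttls
250 SIZE 10240000
"""

if __name__ == "__main__":
    print("page capture:", supports_starttls(PAGE_REPLY))
    print("constructed: ", supports_starttls(CONSTRUCTED_REPLY))
```
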
Leland T. Snyder
2004-07-28 16:47:57 UTC
Evidently the remote mail server was not set to support TLS from smtp.
I'm addressing this issue on the system.

-Lee
