HOWTO: Use SSL/port 465 in smarthost

Smarthost currently doesn’t allow using port 465 with SSL to connect to an SMTP server:

Tested on NethServer v6.8 with the Aruba SMTP server.
It may work on NethServer v7 too.

2017.06.21 EDIT: Yes, it works in v7 too
2021.03.10 EDIT: Added sslVersion parameter to stunnel.conf

This is the solution:

Install stunnel:

yum install stunnel

Create a stunnel configuration file:

vi /etc/stunnel/stunnel.conf

with these lines:

output=/var/log/stunnel

[smtp-tls-wrapper]
accept=127.0.0.1:11125
client=yes
sslVersion=TLSv1.2
connect=Your.ISP.SMTP.Server:465

where Your.ISP.SMTP.Server is the SMTP server of your ISP.

Create a file

vi /etc/rc.d/init.d/stunnel

with these lines:

#!/bin/bash
#
# Init Script to run stunnel in daemon mode at boot time.
#
# Author: Riccardo Riva - RPM S.r.l.
# Revision 1.0  -  2010 November, 11
#
# Revision 1.1 - 2015 September, 21
#
# 
# Changed definition of SEXE variable to find automatically the path of stunnel
#

#====================================================================
# Run level information:
#
# chkconfig: 2345 99 99
# description: Secure Tunnel
# processname: stunnel
#
# Run "/sbin/chkconfig --add stunnel" to add the Run levels.
# This will setup the symlinks and set the process to run at boot.
#====================================================================

#====================================================================
# Paths and variables and system checks.

# Source function library
. /etc/rc.d/init.d/functions

# Check that networking is up.
# (quoted and spaced so the test is a valid comparison even when NETWORKING is unset)
[ "${NETWORKING}" = "yes" ] || exit 0

# Path to the executable.
#
SEXE=$(command -v stunnel)

# Path to the configuration file.
#
CONF=/etc/stunnel/stunnel.conf

# Check the configuration file exists.
#
if [ ! -f $CONF ]
then
	echo "The configuration file cannot be found!"
	exit 0
fi

# Path to the lock file.
#
LOCK_FILE=/var/lock/subsys/stunnel

#====================================================================

# Run controls:

prog=$"stunnel"

RETVAL=0

# Start stunnel as daemon.
#
start() {
	if [ -f $LOCK_FILE ]
	then
		echo "stunnel is already running!"
		exit 0
	else
		echo -n $"Starting $prog: "
		$SEXE $CONF
	fi

	RETVAL=$?
	[ $RETVAL -eq 0 ] && success || failure
	echo
	[ $RETVAL -eq 0 ] && touch $LOCK_FILE
	return $RETVAL
}


# Stop stunnel.
#
stop() {
	if [ ! -f $LOCK_FILE ]
	then
		echo "stunnel is not running!"
		exit 0

	else

		echo -n $"Shutting down $prog: "
		killproc stunnel
		RETVAL=$?
		[ $RETVAL -eq 0 ] && success || failure
		rm -f $LOCK_FILE
		echo
		return $RETVAL

	fi
}

# See how we were called.
case "$1" in
	start)
		start
		;;
	stop)
		stop
		;;
	restart)
		stop
		start
		;;
	condrestart)
		if [ -f $LOCK_FILE ]
		then
			stop
			start
			RETVAL=$?
		fi
		;;
	status)
		status stunnel
		RETVAL=$?
		;;
	*)
		echo $"Usage: $0 {start|stop|restart|condrestart|status}"
		RETVAL=1
		;;
esac

exit $RETVAL

Then chmod it:

chown root:root /etc/rc.d/init.d/stunnel
chmod 755 /etc/rc.d/init.d/stunnel

And make it start at boot:

chkconfig stunnel on

Start the service:

service stunnel start

In dashboard → Email → tab “Messages” → check “Send using a smarthost”
then:

  • Hostname: 127.0.0.1
  • Port: 11125
  • Username: put the username of Your ISP SMTP Server
  • Password: put the password of Your ISP SMTP Server
  • Allow unencrypted connections: checked

Then click “Submit”.

Et voilà, all works!

If any parameters of your ISP’s SMTP server change, remember to modify the /etc/stunnel/stunnel.conf file, then restart stunnel with the command

service stunnel restart
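Several replies further down ask how to tell whether the tunnel is actually reaching the provider. As an added example, not part of the original howto, here is a small Python probe that connects to the plaintext side of the tunnel (127.0.0.1:11125 as configured above), reads the SMTP banner, sends EHLO and reports which AUTH mechanisms the remote server offers. A banner carrying the provider’s hostname shows that stunnel reached the server; an empty AUTH list means the smarthost login cannot succeed no matter which credentials are entered. The fake SMTP server in the block is a constructed stand-in, so the script runs offline; the hostname smtps.example.test and the port are assumptions. Because the hop between Postfix and stunnel is unencrypted, the accept address belongs on loopback only, which is also why the probe only targets 127.0.0.1.

```python
import socket
import socketserver
import threading


def read_reply(sock_file):
    """Read one SMTP reply (single or multi-line); return (code, [text lines])."""
    lines = []
    while True:
        raw = sock_file.readline()
        if not raw:
            raise ConnectionError("connection closed before a complete SMTP reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":   # "250-" continues, "250 " ends the reply
            return int(line[:3]), lines


def probe_smarthost(host="127.0.0.1", port=11125, timeout=10.0):
    """Talk plain SMTP to the local stunnel accept port (stunnel adds the TLS)
    and report what the remote server behind the tunnel advertises."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"ok": False, "reason": f"connect to {host}:{port} failed: {exc}"}
    with sock, sock.makefile("rb") as f:
        try:
            code, banner = read_reply(f)
            if code != 220:
                return {"ok": False, "reason": f"unexpected banner {code}: {banner}"}
            sock.sendall(b"EHLO localhost\r\n")
            code, ehlo = read_reply(f)
            sock.sendall(b"QUIT\r\n")
        except (ConnectionError, ValueError, OSError) as exc:
            return {"ok": False, "reason": f"no SMTP dialogue through the tunnel: {exc}"}
    if code != 250:
        return {"ok": False, "reason": f"EHLO rejected with {code}: {ehlo}"}
    caps = [line.upper() for line in ehlo[1:]]
    auth = [c.split()[1:] for c in caps if c.startswith("AUTH ")]
    return {
        "ok": True,
        "banner": banner[0],                          # e.g. "smtps.example.test ESMTP"
        "server_name": ehlo[0].split()[0] if ehlo[0] else "",
        "auth_mechanisms": auth[0] if auth else [],   # empty => smarthost login cannot work
        "starttls": "STARTTLS" in caps,
    }


class _FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for what stunnel hands back from the remote SMTPS
    server, so the probe can be exercised offline. Not a real mail server."""

    def handle(self):
        self.wfile.write(b"220 smtps.example.test ESMTP\r\n")
        for line in self.rfile:
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                self.wfile.write(b"250-smtps.example.test\r\n"
                                 b"250-AUTH PLAIN LOGIN\r\n"
                                 b"250 8BITMIME\r\n")
            elif cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 command not implemented\r\n")


def start_fake_smtp():
    """Start the stand-in server on a free loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSmtpHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    # On a real NethServer the call would simply be probe_smarthost("127.0.0.1", 11125).
    srv, port = start_fake_smtp()
    print(probe_smarthost("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
```

The probe deliberately never sends credentials: it only establishes that the tunnel is up and that the provider advertises an AUTH mechanism Postfix can use, so it can be run repeatedly from cron or a monitoring check without putting a password on the wire.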

Thanks @saitobenkei, many people have asked for that in the past.

Thanks for this howto. This is not a missing feature but a real bug @dev_team

In this world all protocols must be encrypted

Thanks @saitobenkei for the how to!

@stephdl I think it’s a bug on the provider’s side :innocent:

Port 465 has been deprecated for a long time. It should be a last resort for legacy clients, not the only one available on modern servers!

465 is deprecated but works well, and in some cases and configurations it is mandatory to use it.

Read my whining here :slight_smile:
http://community.nethserver.org/t/getmail-attachments/6650/8?u=saitobenkei


Thanks for the script!
I followed it all, but when I launch “service stunnel start” the system aborts with this message:
Job for stunnel.service failed because the control process exited with error code. See “systemctl status stunnel.service” and “journalctl -xe” for details.

Please double-check that you have entered everything correctly, especially that you have copied the whole startup script without errors.
Also check that you have entered the stunnel configuration in /etc/stunnel/stunnel.conf and given the correct permissions (chown and chmod).

So now it works ([OK] on stunnel start); is there a way to check the status of the connection? Because when I set the smarthost it doesn’t connect. Sorry, I’m a noob…

Update: I checked the status… it’s OK. Now, if it doesn’t connect, is the problem in my smarthost configuration?

Where did you configure the smarthost? In Cockpit?

If it is configured in Cockpit you have to put 127.0.0.1 as the smarthost, the port that you indicated in stunnel, and you have to uncheck “encrypted connections” (stunnel does the encryption).

Keep in mind that PEC requires each user to have his own login and password for receiving and sending, so you should follow this guide and leave the smarthost in Cockpit empty, or use it to send standard mail.

Example:

if your PEC addresses are

pippo@pecsicura.it
pluto@pecsicura.it

paperino@pec.it
minni@pec.it

which belong to different PEC mail providers,

in stunnel.conf put

[smtp-pecsicura]
accept=127.0.0.1:11125
client=yes
sslVersion=TLSv1.2
connect=smtps.sicurezzapostale.it:465

[smtp-pec]
accept=127.0.0.1:11126
client=yes
sslVersion=TLSv1.2
connect=smtps.pec.aruba.it:465

In 29Relayhost_map put

pecsicura.it  127.0.0.1:11125
pec.it        127.0.0.1:11126

In 30Authentication put

pippo@pecsicura.it   PecLoginOfUserPippo:PecPasswordOfUserPippo
pluto@pecsicura.it   PecLoginOfUserPluto:PecPasswordOfUserPluto
paperino@pec.it      PecLoginOfUserPaperino:PecPasswordOfUserPaperino
minni@pec.it         PecLoginOfUserMinni:PecPasswordOfUserMinni

Remember, when you make changes to these files, to re-run the commands that load each file and service, as written under each post.

To download mail from external PEC boxes to NethServer users you can use the Cockpit pop3connector, which has some limitations.

To see the current limitations and an “enhanced” version look here:

Also remember to set the From field of the mail clients hooked to the PEC users to the correct PEC address, and don’t leave the NethServer user’s address or an empty one, because that field determines which smarthost the mail must go out through.
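The per-provider setup above ties three files together: each stunnel section exposes a loopback port, 29Relayhost_map sends a sender domain to one of those ports, and 30Authentication gives each sender its login. A mismatch in any one of them produces exactly the silent “sent successfully but nothing arrives” symptom reported later in this thread. As an added example, not part of the original post or of NethServer, here is a Python consistency check that parses the three fragments as shown above (the samples are constructed from the post’s own example values) and reports broken links between them. It also warns, as a hardening note that the post does not cover, when a section binds its accept port outside loopback or carries no verify/CAfile option, because without those stunnel does not check the provider’s certificate; the exact options to add depend on the stunnel version installed, so that part is an assumption.

```python
import re

# Constructed samples in the shapes shown in the post above; the hostnames
# and users are the post's own example values, not real accounts.
STUNNEL_CONF = """\
output=/var/log/stunnel

[smtp-pecsicura]
accept=127.0.0.1:11125
client=yes
sslVersion=TLSv1.2
connect=smtps.sicurezzapostale.it:465

[smtp-pec]
accept=127.0.0.1:11126
client=yes
sslVersion=TLSv1.2
connect=smtps.pec.aruba.it:465
"""

RELAYHOST_MAP = """\
pecsicura.it  127.0.0.1:11125
pec.it        127.0.0.1:11126
"""

AUTH_MAP = """\
pippo@pecsicura.it   PecLoginOfUserPippo:PecPasswordOfUserPippo
pluto@pecsicura.it   PecLoginOfUserPluto:PecPasswordOfUserPluto
paperino@pec.it      PecLoginOfUserPaperino:PecPasswordOfUserPaperino
minni@pec.it         PecLoginOfUserMinni:PecPasswordOfUserMinni
"""


def parse_stunnel_conf(text):
    """Parse stunnel.conf into {section: {key: value}}; global options live under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # stunnel comment lines
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_map(text):
    """Parse a two-column whitespace-separated map (sender or domain -> value)."""
    entries = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            entries[parts[0]] = parts[1].strip()
    return entries


def check_smarthost_config(stunnel_text, relayhost_text, auth_text):
    """Cross-check the three fragments; returns a list of (severity, message)."""
    findings = []
    accepts = {}   # "127.0.0.1:11125" -> stunnel section name
    for name, opts in parse_stunnel_conf(stunnel_text).items():
        if not name:
            continue
        for key in ("accept", "connect"):
            if key not in opts:
                findings.append(("error", f"[{name}] has no '{key}' line"))
        if opts.get("client") != "yes":
            findings.append(("error", f"[{name}] needs client=yes to wrap outgoing SMTP in TLS"))
        acc = opts.get("accept", "")
        if acc and not acc.startswith("127.0.0.1:"):
            findings.append(("warning", f"[{name}] accept={acc} is not bound to loopback; "
                                        "the Postfix side of the tunnel is plaintext"))
        if "CAfile" not in opts and not any(k.startswith("verify") for k in opts):
            findings.append(("warning", f"[{name}] has no verify/CAfile option, so the "
                                        "remote certificate is not checked (assumed hardening)"))
        if acc:
            accepts[acc] = name
    relay = parse_map(relayhost_text)
    for domain, target in relay.items():
        if target not in accepts:
            findings.append(("error", f"{domain} relays to {target}, which no stunnel section accepts"))
    for sender, creds in parse_map(auth_text).items():
        domain = sender.rpartition("@")[2]
        if domain not in relay:
            findings.append(("error", f"{sender} has credentials but {domain} has no relayhost entry"))
        if ":" not in creds:
            findings.append(("error", f"{sender}: credentials must be login:password"))
    for acc, name in accepts.items():
        if acc not in relay.values():
            findings.append(("info", f"[{name}] ({acc}) is not used by any relayhost entry"))
    return findings


if __name__ == "__main__":
    for severity, msg in check_smarthost_config(STUNNEL_CONF, RELAYHOST_MAP, AUTH_MAP):
        print(f"{severity:8} {msg}")
```

Run against the post’s own example the check reports no errors, only the two certificate warnings; point it at the real files after editing them and before re-running the load commands, so a typo in a port or a sender domain is caught before the first test message disappears.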


Sorry for the question… maybe it’s a crazy idea… but I have a PEC with multiple logins (user MIxxxx and password) on the same address (pippo@pec.rossi.it with users mi54597 and mi487263). Can I create a relay for each account? Is it possible?
PS: yes, I set it in Cockpit and set the smarthost to 127.0.0.1 and 11125 (the same as the example conf), but when I test the connection I get an “X”.

OK thanks, but in the form I see that it uses POP… I set the connector with IMAP; I think it’s OK because we are working on sending.

@saitobenkei I think it is right to describe my situation so that I can help you understand me.
I created this mail server because I have to:
-create “local” users who exchange mail between offices and send mail that must go OUTSIDE to one office (telegraph)

  • the telegraph office receives in a public folder (shared between the colleagues of this office) the internal mail to be sent OUT and the mail coming from OUTSIDE via the certified e-mail (the only office that receives it).
    However, this office can send OUT via this PEC (which has a single address but with separate logins = mario@rossi.it with users mi22435 and mi56663).
    Having said that, everything works except sending on the PEC.
    I hope that helps you.

Reread my last post, I expanded the information a bit.

Thanks so much for the support, but it doesn’t work!
I set everything up as you told me; now when I run the test for stunnel it is active and without errors.
When in the client I enter the From: address and send, it says sent successfully but nothing arrives outside. Is there any way to verify the connection?
PS: the smarthost doesn’t work either if I try to use 127.0.0.1:11125 with my logins.