TurnKey Linux Virtual Appliance Library

stunnel: Postfix and Amazon SES

Posted by edward

Hi TKL Dev,

I'm having a hard time enabling Postfix to use Amazon SES; see this link:

http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/SMTP.MTAs.SecureTunnel.html

I did all the procedures correctly but am still unable to connect to localhost port 2525 to verify whether stunnel is working.

I tried netstat -ntlp to verify whether 127.0.0.1:2525 is listening.

When you restart stunnel, the error looks like this:

2012.02.28 06:34:55 LOG7[3410:3074569920]: Snagged 64 random bytes from /root/.rnd
2012.02.28 06:34:55 LOG7[3410:3074569920]: Wrote 1024 new random bytes to /root/.rnd
2012.02.28 06:34:55 LOG7[3410:3074569920]: RAND_status claims sufficient entropy for the PRNG
2012.02.28 06:34:55 LOG7[3410:3074569920]: PRNG seeded successfully
2012.02.28 06:34:55 LOG3[3410:3074569920]: /etc/stunnel/stunnel.pem: No such file or directory (2)

So stunnel.pem does not exist.

I tried creating the cert using this command:
openssl req -new -x509 -days 365 -nodes -config /etc/stunnel/stunnel.conf -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem

Result:

error on line 1 of stunnel.conf
3595:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:366:line 1

Here's my stunnel.conf:

; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)
 
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem
 
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3
 
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
 
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
 
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
 
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
 
; Some debugging stuff useful for troubleshooting
;debug = 7
;output = /var/log/stunnel4/stunnel.log
 
; Use it for client mode
;client = yes
 
; Service-level configuration
 
[pop3s]
accept  = 995
connect = 110
 
[imaps]
accept  = 993
connect = 143
 
[ssmtp]
accept  = 465
connect = 25
 
;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0
 
; vim:ft=dosini
;this setting is from Amazon SES
[smtp-tls-wrapper]
accept = 2525
client = yes
connect = email-smtp.us-east-1.amazonaws.com:465

Can anyone help me with this?

Edward

TKL Hub Subscriber
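The stunnel.conf posted above is valid for stunnel even though openssl rejects it (openssl's config parser does not treat ';' lines as comments, hence the "missing equal sign" on line 1). Two things in it are worth checking before pointing Postfix at port 2525: sslVersion = SSLv3 is a deprecated protocol, and the [smtp-tls-wrapper] client section sets no verify level or CA store, so stunnel 4 will connect to the SES endpoint without checking its certificate. The following parser and checker is an added example written for this thread; it is not code from the original post, from TurnKey, or from the stunnel project. The check list and the hardened counter-example (verify = 2 with CAfile = /etc/ssl/certs/ca-certificates.crt, the Debian system CA bundle, and sslVersion = TLSv1) are assumptions of this example; the sample configurations are constructed from the one posted above.

```python
"""Parse a stunnel-style configuration and flag security-relevant settings.

Added example for the TurnKey thread; not part of stunnel or TurnKey.
The checks applied (SSLv2/SSLv3 flagged, client sections expected to set
verify = 2 plus CAfile or CApath, cert file expected to exist) are this
example's own assumptions, based on stunnel 4 behaviour.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the configuration posted in the thread.
SAMPLE_CONF = """\
; constructed sample, based on the configuration posted in the thread
cert = /etc/stunnel/stunnel.pem
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[ssmtp]
accept  = 465
connect = 25

[smtp-tls-wrapper]
accept = 2525
client = yes
connect = email-smtp.us-east-1.amazonaws.com:465
"""

# Constructed counter-example: the same SES client section with peer verification.
# The CAfile path is the Debian system CA bundle (assumption of this example).
HARDENED_CLIENT_CONF = """\
cert = /etc/stunnel/stunnel.pem
sslVersion = TLSv1

[smtp-tls-wrapper]
accept = 127.0.0.1:2525
client = yes
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
connect = email-smtp.us-east-1.amazonaws.com:465
"""

LINE_RE = re.compile(r"^\s*([A-Za-z]\w*)\s*=\s*(.*?)\s*$")


def parse_stunnel_conf(text):
    """Return {section: {key: [values]}}; global options live under ''.

    stunnel uses ';' comments, [name] service sections, and allows a key to
    repeat (e.g. two 'socket' lines), so every value is kept in a list.
    """
    sections = {"": defaultdict(list)}
    current = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = defaultdict(list)
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        sections[current][m.group(1)].append(m.group(2))
    return sections


def check_stunnel_conf(sections, existing_files=frozenset()):
    """Return a list of (section, message) findings; '' means the global section."""
    findings = []
    glob = sections[""]
    for ver in glob.get("sslVersion", []):
        if ver.upper() in ("SSLV2", "SSLV3"):
            findings.append(("", f"sslVersion = {ver} selects a deprecated protocol"))
    for cert in glob.get("cert", []):
        # existing_files stands in for the filesystem so the check runs offline
        if cert not in existing_files:
            findings.append(("", f"cert file {cert} does not exist (stunnel will not start)"))
    for name, opts in sections.items():
        if name == "":
            continue
        is_client = opts.get("client", glob.get("client", ["no"]))[-1].lower() == "yes"
        if not is_client:
            continue
        verify = opts.get("verify", glob.get("verify", ["0"]))[-1]
        has_ca = any(k in opts or k in glob for k in ("CAfile", "CApath"))
        if verify not in ("2", "3", "4") or not has_ca:
            findings.append((name, "client section does not verify the remote "
                                   "certificate (needs verify = 2 plus CAfile or CApath)"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONF), ("hardened", HARDENED_CLIENT_CONF)):
        for section, msg in check_stunnel_conf(parse_stunnel_conf(text)):
            print(f"{label}: [{section or 'global'}] {msg}")
```

Run against the posted configuration the checker reports the SSLv3 setting, the missing stunnel.pem, and the unverified SES client section; the hardened variant reports only the missing certificate until the file is created.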

Posted by Jeremy

Hey Edward

OK, the first thing that occurred to me was whether you have included port 2525 in your appliance's security profile (i.e. the AWS 'firewall'). I doubt that is your problem, but FWIW you'll need to do it at some point AFAIK.

As for your specific issue, I have had an extensive google and managed to find others with the same issue, but couldn't find any clear appropriate answer (most were on Windows)... So bottom line is, I'm not really any help to you at all sorry...

Easy fix

I found that an easy fix for this was just to remove the -config /etc/stunnel/stunnel.conf section from the command.

I also changed the path to the PEM to /etc/ssl/certs/stunnel.pem, and it placed the .pem file in the location it needed to be instead of having to move it to /etc/ssl/certs.

Unless you're delivering directly to the stunnel interface from outside, you don't have to add 2525 to your firewall. If the only connection is from your internal Postfix, then it does not traverse the firewall.

Posted by Koluskomtu

Clarification

Hi,

So, I signed up for Amazon SES with a Drupal 7 TurnKey Linux instance. Postfix is installed. I followed the instructions from Amazon and all is running well. I set up an SMTP authentication module with TLS encryption. Test e-mails were sent, as well as test e-mails from Amazon SES. My domain and Gmail address are confirmed. Do I need to disable Postfix in Webmin or configure it by adding the stunnel.conf? I'm still awaiting a business license in order to get approval for an SSL certificate. Does that matter right now? I can remove the -config /etc/stunnel/stunnel.conf section, run the command and change the path as Eric mentioned:

openssl req -new -x509 -days 365 -nodes -config /etc/stunnel/stunnel.conf -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem

I guess I'm confused as to whether Postfix is being used at all in Drupal if the SMTP module is handling the task. The SMTP module asks for encryption, so I selected TLS, seeing as I do not have an SSL cert. I entered a user name and password but did little with the Amazon credentials. The password I customized in the SES section of AWS.

It seems SES works right out of the box on its own now if you use Route 53. All my DNS records were automatic. Will need to read up on the subject.

Any help would be super duper.

Thanks Edward and repliers alike.
