by

Hello,

We are using Stunnel on a RUT230 to add security to our emails, as the device we use to send the emails does not offer TLSv1.2.

This is set to listen on the LAN IP address, port 2525.  Authentication is provided by the device (SMTP LOGIN), so Stunnel is just providing the TLS wrapper.  All works exactly as we require when first started.

PS shows Stunnel running, pid for the process is correctly listed in /var/run/stunnel/stunnel.pid, and netstat confirms this is listening on 2525.  Emails are sent and received as expected, and work multiple times.

After a while, the port is closed.  Checking the router, netstat shows that there is nothing listening on the port.  PS shows that there is no Stunnel process running.  There is no pid file at /var/run/stunnel/stunnel.pid.

I cannot determine why the process is stopping.  I guess it is closing cleanly as the pid file is removed.

One possibility is that the devices are set to reboot, and the port close may be related to this.  This would be the only device on LAN, so possibly the interface is going down completely when it shows no cable connected to the port.  However, when I tried to reboot the device on LAN manually, the process on the router continued to run and emails were able to be sent after the device came back up.

I have tried checking logread, but it doesn't appear to log far enough back in time to pick up any events.

Logread shows entries when checked after stunnel is started and listening:

Tue Aug 25 00:27:49 2020 daemon.notice stunnel: LOG5[ui]: stunnel 5.50 on mips-openwrt-linux-gnu platform
Tue Aug 25 00:27:49 2020 daemon.notice stunnel: LOG5[ui]: Compiled/running with OpenSSL 1.1.1c  28 May 2019
Tue Aug 25 00:27:49 2020 daemon.notice stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
Tue Aug 25 00:27:49 2020 daemon.notice stunnel: LOG5[ui]: Reading configuration from file /tmp/etc/stunnel.conf
Tue Aug 25 00:27:49 2020 daemon.notice stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Tue Aug 25 00:27:49 2020 daemon.notice stunnel: LOG5[ui]: FIPS mode disabled
Tue Aug 25 00:27:49 2020 daemon.warn stunnel: LOG4[ui]: Service [SMTPHWE] needs authentication to prevent MITM attacks
Tue Aug 25 00:27:49 2020 daemon.notice stunnel: LOG5[ui]: Configuration successful

Checking logread | grep stunnel after the port is closed, there are no entries.

root@Teltonika-RUT240:/tmp/etc# cat stunnel.conf
; STunnel configuration file generated by uci
; Written Tue Aug 25 00:27:48 2020

foreground = quiet
pid = /var/run/stunnel/stunnel.pid
debug = 5

[SMTPHWE]
protocol = smtp
protocolAuthentication = plain
client = yes
connect = xxx.xxx.xxx:587
accept = 192.168.10.240:2525

Firmware shows as being latest:

Firmware version RUT2XX_R_00.01.12.3
Firmware build date 2020-06-15, 07:45:00
Kernel version 3.18.44
Bootloader version 3.2.1

Any suggestions for how to resolve this or further troubleshooting?

Thanks

Jack
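The startup log line "Service [SMTPHWE] needs authentication to prevent MITM attacks" is worth acting on separately from the crash: the posted stunnel.conf has client = yes but no verifyChain/verifyPeer and no CAfile, so the wrapper encrypts the session but does not check that it is talking to the intended SMTP server. The script below is an added example, not part of the forum thread or of Teltonika's firmware. It audits an stunnel.conf for client services that do not authenticate the peer (it treats verify levels below 2 as non-authenticating, since those do not require a server certificate), using only POSIX sh and awk as found in BusyBox. The two sample configurations are constructed for the example: the first reproduces the question's file, the second adds verification with a placeholder CA bundle path and placeholder server name.

```shell
#!/bin/sh
# Added example: audit an stunnel.conf for client services that do not verify
# the remote server. Such a service is what stunnel 5.x reports at startup as
#   "Service [NAME] needs authentication to prevent MITM attacks".
# Requires only a POSIX shell and awk (BusyBox on OpenWrt is enough).

# Print, one per line, the names of [service] sections that have
# "client = yes" and set neither verifyChain/verifyPeer = yes nor a verify
# level of 2 or higher. Returns 0 when every client service authenticates
# its peer, 1 otherwise.
audit_stunnel_conf() {
    awk '
        # Report the section just finished if it is a client with no verification.
        function flush() {
            if (name != "" && client && !verified) { print name; found = 1 }
        }
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                  # [service] header
            flush()
            sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
            name = $0; client = 0; verified = 0
            next
        }
        {
            # Split "key = value" and normalise case and surrounding blanks.
            n = index($0, "=")
            if (n == 0) next
            key = tolower(substr($0, 1, n - 1)); val = tolower(substr($0, n + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "client" && val == "yes") client = 1
            if ((key == "verifychain" || key == "verifypeer") && val == "yes") verified = 1
            if (key == "verify" && val + 0 >= 2) verified = 1
        }
        END { flush(); exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample: the configuration as posted in the question.
write_sample_conf() {
    cat > "$1" <<'EOF'
; STunnel configuration file generated by uci
foreground = quiet
pid = /var/run/stunnel/stunnel.pid
debug = 5

[SMTPHWE]
protocol = smtp
protocolAuthentication = plain
client = yes
connect = xxx.xxx.xxx:587
accept = 192.168.10.240:2525
EOF
}

# Constructed hardened variant: verify the server chain against a CA bundle
# and check the name in its certificate. The CAfile path and checkHost value
# are placeholders to be replaced with the real bundle and SMTP host name.
write_hardened_conf() {
    cat > "$1" <<'EOF'
foreground = quiet
pid = /var/run/stunnel/stunnel.pid
debug = 5

[SMTPHWE]
protocol = smtp
protocolAuthentication = plain
client = yes
connect = xxx.xxx.xxx:587
accept = 192.168.10.240:2525
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = smtp.example.com
EOF
}

# Usage: sh audit.sh /tmp/etc/stunnel.conf
if [ "$#" -ge 1 ]; then
    audit_stunnel_conf "$1"
fi
```

Run against the router's generated file with sh audit.sh /tmp/etc/stunnel.conf; a non-zero exit and a printed service name mean the warning in logread is expected. Note that the file is regenerated by uci from the WebUI settings, so verification options added by hand to /tmp/etc/stunnel.conf will be lost unless the WebUI or uci configuration itself carries them.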

1 Answer

by
Hi,

Have you opened Stunnel port manually?

EB.
by
No, set this up using the WebUI (Services, VPN, Stunnel). Seemed to work ok on RUT900 doing it that way
by
Just to be sure, could you open Stunnel port in the firewall manually? And check if anything changes.

EB.
by
I have now opened the Stunnel port (2525) manually in the firewall with access from any host in LAN.  The port is still closing, with no Stunnel process running when checked in SSH.

I have also noticed that although there is an "enabled" check button for the configuration on the Stunnel WebUI pages, it seems to make no difference whether this is checked or unchecked: the port is open and the service is running regardless (until the process terminates for an unknown reason).  Checking the configuration file (/tmp/etc/stunnel.conf) generated by uci, this has no changes whether the box is ticked or not.  I don't know if this is related to the service terminating or not.

Any further thoughts on this?

Jack
by
Hi,

Could you send me the troubleshoot file via private message?

Make sure you download it after the issue appears (after the termination).

EB.
by
Just realised that this device is set to reboot periodically and on loss of mobile signal.  Stunnel is not starting when the device has rebooted.

I could just set a user script to start this, but is there a better way to cause this service to start when the device boots?  I assume if it is started as a true daemon service then it will have some sort of PID control and possibly monitoring?

I can send the diagnostic logs if this would help, but for now I have assumed this new information may change the investigation into this issue.

Thanks

Jack
by

Hi,

Glad you found the issue. If you want to start/restart/stop Stunnel once your system is fully booted up, you can do it by editing the /etc/rc.local file.

Navigate to the /etc folder and edit rc.local (you can do that with the vi command).

Create a new line before the exit line and insert one of these commands:

/etc/init.d/stunnel start

/etc/init.d/stunnel restart

/etc/init.d/stunnel stop

Save the file and reboot the router.
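The rc.local line above covers the reboot case. Jack's earlier question about "PID control and possibly monitoring" is not answered by it: an rc.local entry runs once at boot and nothing restarts the tunnel if the process later dies. The following watchdog is an added example, not from this thread or from Teltonika's firmware. It checks the pid file from the posted config and the accept address from the posted config, and calls the init script named in the answer when either check fails. The cron schedule in the comment, the script path, the listing format (a constructed BusyBox netstat -ltn excerpt) and the use of logger are assumptions; on stock OpenWrt, /etc/init.d/stunnel enable is the alternative to rc.local for the boot case, which may or may not apply to the RUT firmware.

```shell
#!/bin/sh
# Added example: restart stunnel when its pid file is missing or stale, or
# when nothing is listening on the configured accept address.
# Assumed deployment: save as /root/stunnel-watch.sh and add to /etc/crontabs/root
#   */5 * * * * /root/stunnel-watch.sh run
# PIDFILE and LISTEN default to the values in the posted stunnel.conf;
# INIT is the init script named in the answer.

PIDFILE=${PIDFILE:-/var/run/stunnel/stunnel.pid}
LISTEN=${LISTEN:-192.168.10.240:2525}
INIT=${INIT:-/etc/init.d/stunnel}

# Return 0 if the pid file exists and names a live process, 1 otherwise.
# kill -0 only probes for existence; it fails for processes owned by another
# user, so run the watchdog as the user that owns stunnel (root on the router).
pidfile_alive() {
    [ -r "$1" ] || return 1
    pid=$(tr -dc '0-9' < "$1")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Return 0 if the netstat-style listing on stdin has a LISTEN row whose local
# address is exactly addr:port. The listing is read from stdin rather than
# taken from netstat directly so the check can be exercised offline.
listening_in() {
    esc=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    grep -E "^tcp[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+${esc}[[:space:]].*LISTEN" >/dev/null
}

# Restart stunnel unless both checks pass; log the action to syslog so that
# logread later shows why the service was restarted.
check_and_restart() {
    if pidfile_alive "$PIDFILE" && netstat -ltn 2>/dev/null | listening_in "$LISTEN"; then
        return 0
    fi
    logger -t stunnel-watch "stunnel not running or not listening on $LISTEN, restarting"
    "$INIT" restart
}

# Constructed sample of a BusyBox "netstat -ltn" listing, used for testing.
sample_listing() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.10.240:2525     0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF
}

# Only act when invoked with "run", so the file can be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    check_and_restart
fi
```

Because the restart goes through /etc/init.d/stunnel, the pid file is rewritten by stunnel itself and the watchdog never has to manage the process directly; a stale pid file left behind by a crash is detected by the kill -0 probe rather than by the file's presence, which is the distinction the question's "no pid file" observation hinges on.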