Implicit TLS on port 465 via stunnel

[zdeneksvarc]

Update: You can take a look at this repo → TLS add-on for Postal delivery platform (HTTS, StartTLS, SMTPS)

I'd like to share a simple solution for implicit TLS, because the Postal server doesn't support it yet. Unlike opportunistic TLS (STARTTLS). However, STARTTLS is not so much supported in software libraries and also RFC8314 (2018) moves away from STARTLS.

~ > swaks -f [email protected] -t [email protected] -s postal.server:465 -a login -au xxx -ap gTx4d...7Xftl -tlsc
=== Trying postal.server:465...
=== Connected to postal.server.
=== TLS started with cipher TLSv1.3:AEAD-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=postal.server"
<~  220 postal.server ESMTP Postal/GX4TNQ
 ~> EHLO imac.local
<~  250-My capabilities are
<~  250-STARTTLS
<~  250 AUTH CRAM-MD5 PLAIN LOGIN
 ~> AUTH LOGIN
<~  334 VX...WU6
 ~> eHh4
<~  334 UGF...mQ6
 ~> S0J4NG..........QTdYNnRs
<~  235 Granted for account
 ~> MAIL FROM:<[email protected]>
<~  250 OK
 ~> RCPT TO:<[email protected]>
<~  250 OK
 ~> DATA
<~  354 Go ahead
 ~> Date: Wed, 31 Aug 2022 00:49:05 +0200
 ~> To: email
 ~> From: email
 ~> Subject: test Wed, 31 Aug 2022 00:49:05 +0200
 ~> Message-Id: <[email protected]>
 ~> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 ~> 
 ~> This is a test mailing
 ~> 
 ~> 
 ~> .
<~  250 OK
 ~> QUIT
<~  221 Closing Connection
=== Connection closed with remote host.

As you can see, stunnel and Postal works. After all, there is no reason for it not to work 🙂 Anyway, here's a visual glitch, 250-STARTLS. It's logical, because stunnel wraps port 25 as is, including the STARTLS offer. However, there is no reason to worry, because if the client is accessing port 465 with implicit TLS, there is no reason to follow the STARTTLS offer with additional encryption. If it did, in theory, TLS over TLS encapsulation could work. If anyone tries this, let me know 🤓

The simplest, yet working stunnel.conf configuration to try in the console:

foreground = yes
debug = 7

[SMTPS]
accept  = 465
connect = 25
cert = <path-to-file.crt>
key = <path-to-file.key>

The port can be tested via openssl s_client -connect postal.server:465, via swaks (-tlsc) or directly from the mail client.

The production configuration should have a limited range of protocols for security reasons (TLS 1.2, TLS 1.3), of course run in the background and so on. This is my configuration for stunnel v4 (Debian 11). If you understand cryptography and stunnel configuration, I'd be glad if you tweak the configuration file.

# Global options

; It is recommended to drop root privileges if stunnel is started by root
;setuid = stunnel4
;setgid = stunnel4

; PID file is created inside the chroot jail (if enabled)
pid = /var/run/stunnel.pid

; Debugging stuff
;foreground = yes
;debug = 7
;output = /var/log/stunnel.log

; FIPS MOde
fips = no

; TLS Configuration file
;sslVersionMin = TLSv1.2
;sslVersionMax = TLSv1.3

options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

ciphersuites = TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
curves = X25519:P-256:X448:P-521:P-384
options = NO_COMPRESSION
options = NO_TICKET

# Services

[SMTPS]
accept  = 465
connect = 25
cert = <path-to-file.crt>
key = <path-to-file.key>

This configuration runs nicely on Debian 11 / systemd:

• sudo systemctl enable stunnel4
• sudo systemctl status stunnel4.service

I hope I helped a little. The Postal server is an excellent project and @willpower232 deserves some praise 🫡

[kluvi]

Hi.
Thanks for the idea of using stunnel...

My setup is much simpler.. just using some preconfigured docker image. Just add this to docker-compose.yml. I have my own ansible playbook to manage Postal and not using the installer, so you must edit both docker-compose and its template.

  stunnel:
    image: dweomer/stunnel
    restart: always
    network_mode: host
    volumes:
      - ./config/smtp.cert:/etc/stunnel/stunnel.pem:ro
      - ./config/smtp.key:/etc/stunnel/stunnel.key:ro
    environment:
      STUNNEL_SERVICE: smtps
      STUNNEL_ACCEPT: 465
      STUNNEL_CONNECT: localhost:25

(certificates are generated by certbot and the same as for STARTTLS)

[ThatProgrammerr]

Thanks for the awesome workaround.

[zdeneksvarc]

Hey @kluvi thanks for the mention of dockerized Stunnel.

I developed this idea and also dockerized Socat to mirror port 25 to 587, which is standard for StarTLS mail submission.

• https://github.com/zdeneksvarc/postal-tls/blob/main/docker-compose.yml

[willpower232]

Thanks for this information, sounds like a great workaround for now. Save your praise for @adamcooke @catphish and the others from Krystal though 🙏

[zdeneksvarc]

Update → TLS add-on for Postal delivery platform (HTTS, StartTLS, SMTPS)