
My stunnel.conf file looks like:

    debug = 7
    cert = /usr/local/stunnel/etc/stunnel/stunnel.pem
    chroot = /usr/local/stunnel/var/run/
    pid = /stunnel.pid
    output = stunnel.log
    CAfile = /usr/local/stunnel/etc/stunnel/certs.pem
    verify = 3
    delay = yes
    client = yes
    setuid = stunnel
    setgid = stunnel
    . . .

and the stunnel.log file:

    . . .
    2004.11.07 16:49:10 LOG7[3794:1025]: smtps started
    2004.11.07 16:49:10 LOG5[3794:1025]: smtps connected from 127.0.0.1:1143
    2004.11.07 16:49:10 LOG3[3794:1025]: Failed to resolve hostname 'abc.wxyz.net'
    2004.11.07 16:49:10 LOG3[3794:1025]: Failed to initialize remote connection
    2004.11.07 16:49:10 LOG7[3794:1025]: smtps finished (0 left)

Removing chroot in stunnel.conf fixes the problem, but it's no longer jailed.

Hints?

Thanks,
John

--
John Conover, conover@rahul.net, http://www.johncon.com/

"John Conover" <conover@rahul.net> wrote:
chroot = /usr/local/stunnel/var/run/
[cut]
delay = yes
[cut]
2004.11.07 16:49:10 LOG3[3794:1025]: Failed to resolve hostname 'abc.wxyz.net'
[cut]
Removing chroot in stunnel.conf fixes the problem, but it's no longer jailed.
Hints?
Yes. You have several options:

1. As you noticed, you can turn off chroot.
2. You can turn off the delayed resolver (to resolve hosts at startup, before chroot).
3. You can create the files/devices your resolver library needs inside the chroot jail. strace is your friend: http://sourceforge.net/projects/strace/
4. You can use an IP address as the "connect" parameter instead of a domain name. 8-)

Best regards,
Mike

"John Conover" <conover@rahul.net> wrote:
2004.11.07 16:49:10 LOG3[3794:1025]: Failed to resolve hostname 'abc.wxyz.net'
(...)
Removing chroot in stunnel.conf fixes the problem, but its no longer jailed.
Hints?
(...)
3. You can create the files/devices your resolver library needs inside the chroot jail. strace is your friend: http://sourceforge.net/projects/strace/
i.e. <chroot_jail_root>etc/resolv.conf should be enough.

Olivier
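Mike's option 3 and Olivier's resolv.conf hint, as an added example that is not from the thread: a POSIX sh script that copies the resolver files into the jail and checks that a usable resolv.conf is present. It assumes a glibc-style resolver that reads resolv.conf, hosts and nsswitch.conf; the function names and the sample nameserver address are my own, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): populate a stunnel chroot jail with the
# files a glibc-style resolver reads, so "delay = yes" lookups work after chroot.
# Assumption: resolv.conf, hosts and nsswitch.conf are what the resolver needs;
# if strace shows further open() calls failing inside the jail, add those too.
set -u

# Copy the resolver configuration from SRC_ETC (normally /etc) into JAIL/etc.
# Files are copied, not symlinked: a symlink would point outside the jail.
populate_resolver_jail() {
    jail=$1
    src_etc=$2
    mkdir -p "$jail/etc" || return 1
    for f in resolv.conf hosts nsswitch.conf; do
        if [ -f "$src_etc/$f" ]; then
            cp "$src_etc/$f" "$jail/etc/$f" || return 1
            chmod 644 "$jail/etc/$f"   # readable by the unprivileged stunnel uid
        fi
    done
    return 0
}

# Return 0 only if the jail has a resolv.conf naming at least one nameserver.
# Without it the chrooted resolver has nothing to query and stunnel logs
# "Failed to resolve hostname", as in the original report.
check_resolver_jail() {
    jail=$1
    [ -f "$jail/etc/resolv.conf" ] || return 1
    grep -q '^nameserver[[:space:]]' "$jail/etc/resolv.conf"
}

# Demonstration on a constructed source tree (the real /etc is not touched).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/etc"
printf 'nameserver 192.0.2.53\n' > "$demo_dir/etc/resolv.conf"   # constructed
printf '127.0.0.1 localhost\n' > "$demo_dir/etc/hosts"           # constructed
printf 'hosts: files dns\n' > "$demo_dir/etc/nsswitch.conf"      # constructed
populate_resolver_jail "$demo_dir/jail" "$demo_dir/etc"
check_resolver_jail "$demo_dir/jail" && echo "jail resolver config present"
rm -rf "$demo_dir"
```

Running the chrooted stunnel under `strace -f -e trace=open,openat` afterwards shows any further file the resolver library still tries and fails to open inside the jail.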

Michal Trojnara writes:
"John Conover" <conover@rahul.net> wrote:
chroot = /usr/local/stunnel/var/run/
[cut]
delay = yes
[cut]
2004.11.07 16:49:10 LOG3[3794:1025]: Failed to resolve hostname 'abc.wxyz.net'
[cut]
Removing chroot in stunnel.conf fixes the problem, but it's no longer jailed.
Hints?
Yes. You have several options:

1. As you noticed, you can turn off chroot.
2. You can turn off the delayed resolver (to resolve hosts at startup, before chroot).
3. You can create the files/devices your resolver library needs inside the chroot jail. strace is your friend: http://sourceforge.net/projects/strace/
4. You can use an IP address as the "connect" parameter instead of a domain name. 8-)
Thanks, Mike. Using IP addresses as the "connect" parameter worked like a charm.

How do you make sure the remote/server stunnel is kept running? I haven't waded through the sources to stunnel, but is there a command line arg "if it's not running, make it so," by checking the pid file as a lock file and checking whether the pid is valid as a stunnel process, so it could be run periodically out of cron(8) to keep it running, in case the remote went down? Or, something similar triggered by the client machine?

Thanks,
John

BTW, as a sidebar, the -Wall gcc(1) command line arg in the compile of stunnel was a nice touch; it shows the authors cared.

--
John Conover, conover@rahul.net, http://www.johncon.com/