[stunnel-users] Incoming port ignored
Ludolf Holzheid
2016-03-30 08:50:07 UTC
[..]
I examined the log and what makes me wonder is that, when fetching, the
"Service [df-pop3s] accepted connection from 127.0.0.1:1878" or "Service
[df-pop3s] accepted (FD=472) from 127.0.0.1:1882"
Ivan,

This is as expected.

Your mail client opens a socket which gets (presumably implicitly)
bound to an arbitrary TCP port (1878 and 1882 in the examples above).
It then connects to port 110, the one stunnel bound the listening
socket to.

Each IP connection has two ends and thus two pairs of IP address and
port number. In your case, both client and server use 127.0.0.1 as
IP address, which may be the source of the confusion.

HTH,

Ludolf
--
Ludolf Holzheid
 
Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany
 
Tel: +49 621 33996-0
Fax: +49 621 3392239
 
mailto:***@bihl-wiedemann.de
http://www.bihl-wiedemann.de
 
Sitz der Gesellschaft: Mannheim
Geschäftsführer: Jochen Bihl, Bernhard Wiedemann
Amtsgericht Mannheim, HRB 5796
Ivan De Masi
2016-03-30 10:00:16 UTC
Hello Ludolf,

So, what would you recommend to me?

I tried also another way, setting stunnel-config like this (without
127.0.0.1):

...
accept = 110
...
accept = 143
...
accept = 25

for each service. The problem remains:

...
2016.03.30 11:51:47 LOG7[main]: Service [df-pop3s] accepted (FD=468) from
127.0.0.1:4937
2016.03.30 11:51:47 LOG7[main]: Creating a new thread
2016.03.30 11:51:47 LOG7[main]: New thread created
2016.03.30 11:51:47 LOG7[0]: Service [df-pop3s] started
2016.03.30 11:51:47 LOG5[0]: Service [df-pop3s] accepted connection from
127.0.0.1:4937
...

I *have* to configure my mail-client to use/listen on 127.0.0.1 to get in
touch with stunnel. Or is there another way?

I configured my system that way because someone posted a "workaround" for
the mess with Avira's "blindness" when trying to scan e-mails within an SSL
connection to the mail provider. And it was working perfectly that way!!!
So I don't understand, why it is not working anymore now and it conflicts
now on localhost.

Kind regards,
Ivan
Ludolf Holzheid
2016-03-30 10:35:45 UTC
Post by Ivan De Masi
[..]
so, what would you recommend me?
Hi Ivan,

Check your virus scanner.
Post by Ivan De Masi
[..]
I *have* to configure my mail-client to use/listen on 127.0.0.1 to get in
touch with stunnel. Or is there another way?
It's perfectly o.k. to have stunnel listening on 127.0.0.1:110 and the
mail client connecting from 127.0.0.1 using an arbitrary port.

Again, each IP connection has two ends, each of which is characterized
by IP address and port number. In your example, this is

(mail client) 127.0.0.1:1878 ---> 127.0.0.1:110 (stunnel)

This is how IP is designed to work.
Post by Ivan De Masi
So I don't understand, why it is not working anymore now and it conflicts
now on localhost.
It does not conflict. Stunnel works as expected, but your virus
scanner doesn't work. Maybe it stopped intercepting traffic on
localhost (but that's a wild guess).

HTH,

Ludolf
Ivan De Masi
2016-03-30 10:46:29 UTC
-----Original Message-----
Sent: Wednesday, 30 March 2016 12:36
Cc: Ivan De Masi
Subject: Re: [stunnel-users] Incoming port ignored
Post by Ivan De Masi
[..]
so, what would you recommend me?
Hi Ivan,
Hi Ludolf,
Check your virus scanner.
OK, I already did this. I configured my mail-client to connect to my
mailprovider *without encryption* for testing and Avira checked the e-mails.
So it is working. From the moment I switch back to 127.0.0.1 in my e-mail
client config Avira turns "blind" again :-/
So I will have to do some more debugging :-(

Thanks!

Regards,
Ivan
Ludolf Holzheid
2016-03-30 12:12:23 UTC
Ivan,
When you say you configure your AV-scanner to listen on localhost, how do you do it? Which ports does AV-scanner listen to? You can't have both stunnel and Avira listening on the same ports on the same interface.
Client -> Avira -> stunnel -> provider.
Only the connection stunnel-provider will be encrypted.
I thought the virus scanners intercept the network traffic between the
TCP/IP stack and the Ethernet driver and thus don't have to do anything
with TCP ports.

If the virus scanner worked as an IP application (as stunnel does), the
viruses would have to cooperate with the scanner in order to be detected.

Ludolf
Josealf.rm
2016-03-30 12:23:35 UTC
Ludolf,

You're probably right. I'm also doing a wild guess here. But the only way to solve the problem is to know and understand the traffic flow.

Regards
Jose
Ivan De Masi
2016-03-30 13:49:52 UTC
-----Original Message-----
Sent: Wednesday, 30 March 2016 14:01
Subject: Re: [stunnel-users] Incoming port ignored
Ivan,
When you say you configure your AV-scanner to listen on
localhost, how do you do it? Which ports does AV-scanner
listen to?
Hi Josealf,

I just tell Avira e-mail scanner on which ports it has to listen (POP3: 110
/ IMAP: 143 / SMTP: 25).
I can't configure any IP - but this is not necessary, because as I mentioned
before: When configuring the e-mail client with an unencrypted and direct
connection to my mailprovider, Avira is able to scan the e-mails. So it
already listens on localhost.

I found that workaround here:

https://answers.avira.com/de/question/avira-email-schutz-blockiert-ssltlssta
rttlsverbindung-9253

And Outlook & Thunderbird are listening on 127.0.0.1:110, 127.0.0.1:143,
127.0.0.1:25 ... it worked!!!

I think from the moment I installed stunnel as a service problems started.
The service daemon also told me that there is no config (?!).
So I switched back to the "GUI Start" and now it doesn't work any more :-/
You can't have both stunnel and Avira listening on the same ports on the
same interface.

OK, I can change the listening ports (both in stunnel and/or Avira), but how
do I get them to work together then?
Sorry, I'm a little bit confused now...
Client -> Avira -> stunnel -> provider.
Well, this seems logical to me, but when I switch off the mail scanner it
doesn't interrupt the fetching or sending; only when I stop stunnel can
e-mails no longer be fetched or sent. So it seems to me that somehow the
mail client connects directly to stunnel?
Only the connection stunnel-provider will be encrypted.
Yes, that's right.

Regards,
Ivan
Jose Alf.
2016-03-31 03:22:29 UTC
Ivan,
I checked the references. It looks like Avira works more or less as Ludolf thinks. Somehow, it intercepts connections to SMTP, POP3 and IMAP servers. The scan should be transparent to both mail client and server. If the traffic is encrypted between client and server, it can't scan it. 
Now, a connection can start in the standard (non-encrypted) ports and it can be upgraded to a secure one. If this happens, Avira blocks the connection. To avoid this, you must ensure your mail client communicates only in clear text. This is the crucial part. No SSL/TLS/STARTTLS allowed.
https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/935



So, I think your workaround configuration should work. Set your accepts to 127.0.0.1:port (where port=25,110,143). This blocks connections from other machines to your stunnel service.
Configure your e-mail client to send mail via 127.0.0.1:25 and fetch POP3 and IMAP Mail from 127.0.0.1:110 and 127.0.0.1:143 only with no encryption. Note: your mail client is NOT listening on those ports (stunnel is or will be listening). Your mail client connects to those ports.

Test as follows:
1. Disable Avira.
2. If you have stunnel in service mode, make sure it is stopped.
3. Start stunnel in application mode. Make sure there are no errors. The log should tell you it is listening on ports 25,110,143. You can also use tcpview utility from sysinternals (now Microsoft) to verify this.
4. Try sending/receiving e-mail.
5. If this works, enable Avira and test again.
6. Report results.


Regards,
Jose

On Wednesday, March 30, 2016 8:51 AM, Ivan De Masi <***@blu-it.de> wrote:




I just tell Avira e-mail scanner on which ports it has to listen (POP3: 110
/ IMAP: 143 / SMTP: 25).
I can't configure any IP - but this is not necessary, because as I mentioned
before: When configuring the e-mail client with an unencrypted and direct
connection to my mailprovider, Avira is able to scan the e-mails. So it
already listens on localhost.

I found that workaround here:

https://answers.avira.com/de/question/avira-email-schutz-blockiert-ssltlssta
rttlsverbindung-9253

And Outlook & Thunderbird are listening on 127.0.0.1:110, 127.0.0.1:143,
127.0.0.1:25 ... it worked!!!  --- WRONG

I think from the moment I installed stunnel as a service problems started.
The service daemon also told me that there is no config (?!).
So I switched back to the "GUI Start" and now it doesn't work any more :-/

Well, this seems logical to me, but when I switch off the mail scanner it
doesn't interrupt the fetching or sending; only when I stop stunnel can
e-mails no longer be fetched or sent. So it seems to me that somehow the
mail client connects directly to stunnel?
Only the connection stunnel-provider will be encrypted.
Yes, that's right.

Regards,
Ivan
Ivan De Masi
2016-03-31 17:46:36 UTC
Hi Jose,

thanks for your effort!

What you describe is exactly the way I already configured stunnel & the
mail clients. Stopping Avira doesn't make any difference - e-mails can still
be sent or received.
tcpview showed me the listening ports as expected, 25, 110, 143, PLUS two
ports above port 8000 (e.g. 8248 & 8249):

stunnel.exe 6992 TCP 127.0.0.1 25 0.0.0.0 0 LISTENING
stunnel.exe 6992 TCP 127.0.0.1 110 0.0.0.0 0 LISTENING
stunnel.exe 6992 TCP 127.0.0.1 143 0.0.0.0 0 LISTENING
stunnel.exe 6992 TCP 127.0.0.1 8248 127.0.0.1 8249 ESTABLISHED
stunnel.exe 6992 TCP 127.0.0.1 8249 127.0.0.1 8248 ESTABLISHED

BUT what I tried again: Instead of setting 127.0.0.1:port (25,11,143) in the
mail-client config, I switched back to pop3.my-provider.net /
imap.my-provider.net / smtp.my-provider.net with no SSL/TLS/STARTTLS and
then Avira is able to scan the e-mails!!!
So my suspicion is, that when setting the mail-client config to
127.0.0.1:port, stunnel gets the e-mails BEFORE Avira and sends them across
the encrypted tunnel (and Avira is again not able to read the traffic inside
that tunnel). So the traffic flow with the 127.0.0.1:port settings is:
Client -> stunnel -> Avira (blind) -> provider

I still wonder how I ever got the setup running successfully when the
traffic flow really goes that way.

Regards,
Ivan
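As an added example (not code from this thread, from stunnel or from Avira), a small Python check that covers two points raised above: Ludolf's reading of the "accepted connection from" log line as the client's ephemeral endpoint talking to stunnel's accept port, and Jose's suggestion to verify in tcpview that stunnel really holds the 127.0.0.1 listeners. The config, log line and tcpview rows are constructed samples in the formats quoted in the thread; the stunnel section names are assumed, and an accept without an address is flagged as reachable from other machines, the risk Jose mentions.

```python
import re

# Constructed samples in the formats quoted in this thread (not real captures).
# The section names and the bare "accept = 143" are assumptions for illustration.
STUNNEL_CONF = """[df-smtps]
accept = 127.0.0.1:25
[df-pop3s]
accept = 127.0.0.1:110
[df-imaps]
accept = 143
"""
STUNNEL_LOG = "2016.03.30 11:51:47 LOG5[0]: Service [df-pop3s] accepted connection from 127.0.0.1:4937\n"
TCPVIEW = """stunnel.exe 6992 TCP 127.0.0.1 25 0.0.0.0 0 LISTENING
stunnel.exe 6992 TCP 127.0.0.1 110 0.0.0.0 0 LISTENING
stunnel.exe 6992 TCP 0.0.0.0 143 0.0.0.0 0 LISTENING
stunnel.exe 6992 TCP 127.0.0.1 8248 127.0.0.1 8249 ESTABLISHED
"""

# "accept = [host:]port" (IPv4/hostname only; bracketed IPv6 forms are not handled here)
ACCEPT_RE = re.compile(r"^accept\s*=\s*(?:([^:\s]+):)?(\d+)$")
# The LOG5 line: service name, then the *remote* (client) address and ephemeral port
LOG_RE = re.compile(r"Service \[([^\]]+)\] accepted connection from ([\d.]+):(\d+)")

def parse_accepts(conf):
    """Map stunnel service name -> (bind address, port); a bare port binds all interfaces."""
    out, svc = {}, None
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            svc = line[1:-1]
        else:
            m = ACCEPT_RE.match(line)
            if m and svc:
                out[svc] = (m.group(1) or "0.0.0.0", int(m.group(2)))
    return out

def endpoints(conf, log):
    """Render each accepted connection as the two ends of one TCP connection."""
    acc = parse_accepts(conf)
    return [f"(mail client) {ip}:{port} ---> {acc[svc][0]}:{acc[svc][1]} (stunnel {svc})"
            for svc, ip, port in LOG_RE.findall(log)]

def check_listeners(conf, tcpview, process="stunnel.exe"):
    """Per accept: does `process` hold a LISTENING socket on it (a 0.0.0.0 listener
    also covers loopback), and does the bind address expose the cleartext side?"""
    rows = [l.split() for l in tcpview.splitlines()]
    listening = {(f[3], int(f[4])) for f in rows
                 if len(f) >= 8 and f[0] == process and f[7] == "LISTENING"}
    return {svc: {"listening": (host, port) in listening or ("0.0.0.0", port) in listening,
                  "exposed": host == "0.0.0.0"}
            for svc, (host, port) in parse_accepts(conf).items()}
```

Running it on these samples shows the loopback-only listeners for 25 and 110 and flags the bare accept on 143 as bound to every interface.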