I'm setting up stunnel so a non SSL enabled app can access a Gmail / Google Apps account. Here's the config I'm using:
; global section: stunnel acts as the TLS client; the local accept ports are plaintext
CLIENT=YES
; plaintext POP3 on local port 110 -> Gmail POP3 over TLS
[pop3s]
accept = 110
connect = pop.gmail.com:995
; plaintext IMAP on local port 143 -> Gmail IMAP over TLS
[imaps]
accept = 143
connect = imap.gmail.com:993
; plaintext SMTP on local port 25 -> Gmail SMTP over TLS
[ssmtp]
accept = 25
connect = smtp.gmail.com:465
I've generated the .pem file, ok. But it fails and logs the following error:
Clients allowed=125
stunnel 4.50 on x86_64-apple-darwin11.2.0 platform
Compiled/running with OpenSSL 0.9.8r 8 Feb 2011
Threading:PTHREAD SSL:ENGINE Auth:none Sockets:SELECT,IPv6
Reading configuration from file ./tools/stunnel.conf
Snagged 64 random bytes from /Users/synergist/.rnd
Wrote 1024 new random bytes to /Users/synergist/.rnd
PRNG seeded successfully
Initializing SSL context for service pop3s
Insecure file permissions on stunnel.pem
Certificate: stunnel.pem
Certificate loaded
Key file: stunnel.pem
Private key loaded
SSL options set: 0x01000004
SSL context initialized
Initializing SSL context for service imaps
Insecure file permissions on stunnel.pem
Certificate: stunnel.pem
Certificate loaded
Key file: stunnel.pem
Private key loaded
SSL options set: 0x01000004
SSL context initialized
Initializing SSL context for service ssmtp
Insecure file permissions on stunnel.pem
Certificate: stunnel.pem
Certificate loaded
Key file: stunnel.pem
Private key loaded
SSL options set: 0x01000004
SSL context initialized
Configuration successful
Option SO_REUSEADDR set on accept socket
Error binding pop3s to 0.0.0.0:110
bind: Permission denied (13)
Service pop3s closed FD=5
str_stats: 168 block(s), 8340 data byte(s), 8400 control byte(s)
Why can't stunnel bind to 110? Is there something already bound to 110, if so how can I find out what this is?
Update: I've got stunnel running by using sudo, is there a way to make it run without?
As you have already stated in your update, and as the following output tells you:
Error binding pop3s to 0.0.0.0:110
bind: Permission denied (13)
You'll need elevated privileges to bind a service to a port. Off the top of my head, I believe non-root users can only bind services to ports above 1024, and 0-1024 is reserved for root.
As far as your question about finding out what service is listening on a port is concerned, you can check that with lsof using: lsof -i tcp:110. If you don't have lsof installed on your server, netstat can be of use as well, but is a little less efficient (e.g. netstat -an|grep -i listen to show all "listening" processes; additionally add another grep ':110' to filter on that as well). You cannot bind to ports <= 1024 without root permissions; this is a security thing. If you set your ports > 1024, you should be fine.
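The script below is an added example, not code from the question or the answer. It turns the answer's two points into something you can run: a check of which accept= ports in a stunnel.conf fall in the root-only range, and a lookup of whatever is already listening on a port using lsof, with the netstat pipeline from the answer as the fallback. Note that the log in the question fails with errno 13 (EACCES, "Permission denied"), not EADDRINUSE, so in that case nothing else was bound to 110; the privilege check is the one that matters, and the listener lookup is what you run when the error is "Address already in use". The +10000 port mapping and the sample config are assumptions made for this example, not stunnel conventions.

```shell
#!/bin/sh
# Added example (not from the question or answer above). Shows the two things
# the answer describes: ports below 1024 need root to bind, and how to find
# what is listening on a port with lsof (or netstat without it).
# The +10000 port mapping and the sample config are assumptions for this
# example, not stunnel conventions.

# Privileged (root-only) ports: the conventional Unix range is 0-1023.
is_privileged_port() {
    [ "$1" -ge 0 ] && [ "$1" -lt 1024 ]
}

# Suggest an unprivileged local port for a privileged one (110 -> 10110).
# Arbitrary convention chosen for this example.
unprivileged_port() {
    echo $(( $1 + 10000 ))
}

# Show what is listening on TCP port $1. Prefers lsof as in the answer and
# falls back to netstat when lsof is not installed. Prints nothing if the
# port is free.
who_listens() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$1" -sTCP:LISTEN
    else
        netstat -an | grep -i listen | grep ":$1"
    fi
}

# Read a stunnel.conf on stdin and report, for every "accept =" line,
# whether stunnel will need root to bind it. Handles "accept = port" and
# "accept = host:port".
check_stunnel_ports() {
    sed -n 's/^[[:space:]]*accept[[:space:]]*=[[:space:]]*//p' |
    while read -r spec; do
        port=${spec##*:}        # strip an optional host: prefix
        if is_privileged_port "$port"; then
            echo "$port: privileged, needs root (try accept = $(unprivileged_port "$port"))"
        else
            echo "$port: ok"
        fi
    done
}

# Constructed sample config mirroring the question: one service still on a
# privileged port, one already moved above 1024 and bound to loopback only
# so other hosts cannot reach the plaintext side.
sample_conf() {
    cat <<'EOF'
client = yes
[pop3s]
accept = 110
connect = pop.gmail.com:995
[imaps]
accept = 127.0.0.1:10143
connect = imap.gmail.com:993
EOF
}

# Number of accept ports in the sample that would need root.
privileged_count() {
    sample_conf | check_stunnel_ports | grep -c privileged
}

sample_conf | check_stunnel_ports
```

Run it against your real file with `check_stunnel_ports < stunnel.conf`; once stunnel is running without sudo on the higher ports, `who_listens 10110` shows the stunnel process holding the local accept socket, and `who_listens 110` should print nothing.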