TLS

SMPP over TLS and HTTPS are implemented for the SMPP Router using stunnel.

Setting up TLS with stunnel for SMPP and HTTP using Let’s Encrypt

This guide outlines how to configure stunnel to add TLS support to your SMPP Router. stunnel terminates the TLS connections and forwards the decrypted traffic to the internal services: SMPP on port 2775 and HTTP on port 80. Certificates are provisioned using Let’s Encrypt.

Prerequisites

  • A Debian 12 server or compatible Linux distribution

  • Root or sudo access

  • Installed services:

    • SMPP Router listening on localhost:2775 for SMPP connections

    • SMPP Router listening on localhost:80 for HTTP API calls

  • A domain name pointing to the server’s public IP (e.g. yourdomain.com) or a Melrose Labs subdomain (e.g. example.smpprouter.melroselabs.com)

  • TCP ports 443 and 8775 open on the firewall


1. Install Required Packages

CODE
sudo apt update
sudo apt install stunnel4 certbot

Enable stunnel so that it starts at boot:

CODE
sudo systemctl enable stunnel4


2. Obtain a TLS Certificate from Let’s Encrypt

For your own domain:

CODE
sudo certbot certonly --standalone -d yourdomain.com

For a *.smpprouter.melroselabs.com hostname (allocated via Support):

CODE
sudo certbot certonly --standalone -d example.smpprouter.melroselabs.com

Certificates will be saved in /etc/letsencrypt/live/<yourdomain>/.


3. Configure stunnel

Edit the stunnel configuration file:

CODE
sudo nano /etc/stunnel/stunnel.conf

Paste the following configuration, adjusting the cert and key paths accordingly:

CODE
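; Global options (stunnel runs in server mode by default)
foreground = no
pid = /var/run/stunnel.pid
output = /var/log/stunnel.log
; Certificate chain and private key issued by Let's Encrypt
cert = /etc/letsencrypt/live/yourdomain.com/fullchain.pem
key = /etc/letsencrypt/live/yourdomain.com/privkey.pem
; Accept TLS 1.2 only
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3

; HTTPS on port 443, forwarded to the HTTP API on localhost:80
[https]
accept = 443
connect = 127.0.0.1:80
protocol = http

; SMPP over TLS on port 8775, forwarded to SMPP on localhost:2775
[smpp]
accept = 8775
connect = 127.0.0.1:2775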

4. Set Permissions and Restart stunnel

Restrict the permissions on the private key and restart stunnel:

CODE
sudo chmod 640 /etc/letsencrypt/live/yourdomain.com/privkey.pem
sudo chown root:stunnel4 /etc/letsencrypt/live/yourdomain.com/privkey.pem
sudo systemctl restart stunnel4


5. Test TLS Access

  • HTTPS: Visit https://yourdomain.com — you should be routed to your API.

  • SMPP over TLS: Connect an SMPP client to yourdomain.com:8775 using TLS.


6. Automate Certificate Renewal

Create a certbot post-renewal hook so that stunnel picks up the renewed certificate:

CODE
sudo nano /etc/letsencrypt/renewal-hooks/post/restart-stunnel.sh

Add the following:

CODE
#!/bin/bash
systemctl restart stunnel4

Make it executable:

CODE
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/restart-stunnel.sh

Test automatic renewal:

CODE
sudo certbot renew --dry-run


Notes

  • If using a Melrose Labs domain, contact support@melroselabs.com to request your allocated subdomain and have DNS configured.

  • Ensure your firewall or cloud security group allows TCP 443 (HTTPS) and 8775 (SMPP TLS).
