[stunnel-users] Stunnel for secure email connections
uklee at ukonline.co.uk
Mon May 25 22:08:31 CEST 2009
Thanks again, Guy, I appreciate your efforts there.
So I don't have to do anything regarding certificates or digital
signatures, or anything along those lines? I just install OpenSSL and
Stunnel, configure stunnel.conf, tweak Thunderbird's accounts settings
and Avast's ports, and go with it?
> So what you have to do to proxy the connections through Avast! I don't
> know, you'll need to show.
> Do you *really* need to scan your outbound connections?
This whole thing is more of a challenge / experiment than anything else.
Certainly, scanning my SMTP connection(s) is far from important.
Off this specific Stunnel issue but related:-
For the last day or so, I've gone back to my 'old' setup of TB + Popfile
+ Avast, and I've noticed that emails from my 'secure' POP connections
are actually being scanned by Avast. They probably have been for some
time and I didn't notice, but only recently have I turned on the 'adding
of notes' in Avast's email scanner which adds an email footer along the
lines of 'Avast found this message to be clean'.
I assume this scanning of 'secure' emails is a convenient byproduct
somehow or other of routing the secure connections through Popfile.
For reference, Popfile is listening on its default port of 110, and the
Avast email scanner currently also only has port 110 in its POP
redirected ports settings. Thunderbird has the host for those accounts
as 127.0.0.1, also on port 110, and the username is in the form of:
which Popfile requires. The :ssl is required by Popfile to handle secure
I do notice that non-secure connections' emails end up with the scanning
footer being added twice, suggesting Avast is double scanning them.
Secure connections' emails only get the one footer added.
So all told, all incoming email seems to be scanned by Avast, albeit
some of it twice.
> Your stunnel configuration file has 2 [popmail] service names, that
> will be confusing. And why do you have a [popmail] and [pop3_sky]
> connecting to the same MTA?
That is because I don't know what I'm doing :)
I originally built stunnel.conf without catering for Popfile, then I
wanted to introduce Popfile into the equation, so I found the below
advice page regarding Popfile and Stunnel :-
It appears I wrongly guessed how to interpret that advice on what to add
I have since had some clarification on this from a query I raised on
this at the Popfile forums:-
> Did you enable debugging within stunnel?
> Global options:
> debug = debug
> output = stunnel.log
Yes, I did try that, and dabbled a little with the packet sniffers.
However I didn't find it any easier to pinpoint what was actually going
on regarding the prescence or otherwise of a secure connection.
ie I don't know what I'm looking at/for.
At the moment, my only method of 'testing' what is 'probably' going on,
is to open or close parts of my local chain, and thereby build an
apparent picture of what is happening.
My original doubts of 'am I actually achieving a secure connection using
Stunnel and my local chain' are not grounded in anything; I am/was just
wanting to somehow avoid just assuming I had set everything up properly.
More information about the stunnel-users