Sending original IP (proxy) for smtp

I’d like stunnel to pass the incoming IP along, not stunnel's IP.

My traffic flow is:

Stunnel (accept on port 465) -> ASSP (an smtp proxy) -> Postfix (accept on port 10026)

I tried:

[ssmtp]
client = no
accept = 465
connect = 25
protocol = proxy

But ASSP had:

Apr-15-19 18:50:22 [Worker_1] Connected: session:7FE104AA1870 127.0.0.1:58954 > 127.0.0.1:25 > 127.0.0.1:10026
Apr-15-19 18:50:23 [Worker_1] 127.0.0.1 warning: got reply '502 5.5.2 Error: command not recognized' from 127.0.0.1
Apr-15-19 18:50:23 id-18223-03317 [Worker_1] 127.0.0.1 info: sending EHLO instead of HELO to 127.0.0.1
Apr-15-19 18:50:23 id-18223-03317 [Worker_1] 127.0.0.1 disconnected: session:7FE104AA1870 127.0.0.1 - processing time 1 seconds

And Postfix had:

2019-04-15 18:50:22.995042+1000 localhost smtpd[33360]: connect from localhost[127.0.0.1]
2019-04-15 18:50:23.108756+1000 localhost smtpd[33360]: improper command pipelining after EHLO from localhost[127.0.0.1]: RSET\r\n
2019-04-15 18:50:23.273664+1000 localhost smtpd[33360]: disconnect from localhost[127.0.0.1] ehlo=2 rset=1 quit=1 unknown=0/1 commands=4/5

So I take it protocol=proxy is not the way to do it. Sounds like this only works with haproxy which I do not have installed.

Is there a way to do this?

The problem I am trying to solve is ASSP has lines like:

warning: SMTP authentication failed on 127.0.0.1

- obviously I don’t want fail2ban to ban 127.0.0.1.

Stunnel log has:

2019.04.15 18:52:26 LOG5[23]: Service [ssmtp] accepted connection from ::ffff:185.222.209.66:53642
2019.04.15 18:52:27 LOG3[23]: s_connect: connect ::1:25: Connection refused (61)

Any suggestions?

Thanks,

James.
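
Added example, not part of the original post and not code from stunnel, ASSP or Postfix: with protocol = proxy, stunnel prepends a HAProxy PROXY protocol version 1 line to the stream it opens to the backend, and a receiver that does not implement the protocol reads that line as an unknown SMTP command. The Python sketch below parses such a line the way a PROXY-aware receiver would and accepts it only from a trusted upstream; the function name, the trusted-peer list and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest legal v1 header, CRLF included (PROXY protocol spec)

# Constructed sample: what a backend would read first if stunnel relayed the
# client seen in the stunnel log above, followed by the client's own SMTP data.
SAMPLE_STREAM = (b"PROXY TCP4 185.222.209.66 127.0.0.1 53642 465\r\n"
                 b"EHLO client.example\r\n")


def parse_proxy_v1(data, peer_ip, trusted_peers=("127.0.0.1", "::1")):
    """Split a PROXY v1 header off the front of `data`.

    Returns (client_ip, client_port, rest); ip and port are None for
    'PROXY UNKNOWN'. Raises ValueError if the header is malformed or if
    the TCP peer is not a trusted proxy (hypothetical allow-list).
    """
    # The header is only trustworthy when the local proxy sent it; from any
    # other peer it is attacker-controlled input and must be rejected.
    if peer_ip not in trusted_peers:
        raise ValueError("PROXY header from untrusted peer " + peer_ip)
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("stream does not start with a PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":          # proxy could not tell; use peer_ip
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])   # raises ValueError if invalid
    dst = ipaddress.ip_address(fields[3])
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ValueError("address does not match declared family")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, rest


if __name__ == "__main__":
    ip, port, rest = parse_proxy_v1(SAMPLE_STREAM, "127.0.0.1")
    print("log and rate-limit against", ip, port, "; SMTP data:", rest)
```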

On Tue, Apr 16, 2019 at 03:52:15PM +1000, James Brown wrote:
> I’d like stunnel to pass the incoming IP along, not stunnel's IP.

Hi,

If this is a Linux or FreeBSD system, you may want to try the transparent proxy support; take a look at the "transparent" option in the stunnel documentation.

G'luck,
Peter

--
Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} [email protected]
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

On 16 Apr 2019, at 5:14 pm, Peter Pentchev <[email protected]> wrote:
> On Tue, Apr 16, 2019 at 03:52:15PM +1000, James Brown wrote:
>> I’d like stunnel to pass the incoming IP along, not stunnel's IP.
> Hi,
> If this is a Linux or FreeBSD system, you may want to try the transparent proxy support; take a look at the "transparent" option in the stunnel documentation.
> G'luck, Peter

Thanks Peter, that looks like just what I need. Unfortunately:

LOG3[1]: Transparent proxy in remote mode is not supported on this platform

I used transparent=source

Running macOS X Mojave. Based on FreeBSD, but diverging more and more.

:-(

James.

On Tue, Apr 16, 2019 at 05:24:12PM +1000, James Brown wrote:
> On 16 Apr 2019, at 5:14 pm, Peter Pentchev <[email protected]> wrote:
>> On Tue, Apr 16, 2019 at 03:52:15PM +1000, James Brown wrote:
>>> I’d like stunnel to pass the incoming IP along, not stunnel's IP.
>> Hi,
>> If this is a Linux or FreeBSD system, you may want to try the transparent proxy support; take a look at the "transparent" option in the stunnel documentation.
>> G'luck, Peter
> Thanks Peter, that looks like just what I need. Unfortunately:
> LOG3[1]: Transparent proxy in remote mode is not supported on this platform
> I used transparent=source
> Running macOS X Mojave. Based on FreeBSD, but diverging more and more.
> :-(

Actually it has had a completely different kernel from the start, and the transparent proxy support depends partly on kernel support, so, yeah, sorry, no luck :/

G'luck,
Peter

--
Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} [email protected]
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

participants (2): James Brown, Peter Pentchev