[stunnel-users] Stunnel for secure email connections

Lee uklee at ukonline.co.uk
Mon May 25 22:08:31 CEST 2009


Thanks again, Guy, I appreciate your efforts there.

So I don't have to do anything regarding certificates or digital 
signatures, or anything along those lines? I just install OpenSSL and 
Stunnel, configure stunnel.conf, tweak Thunderbird's accounts settings 
and Avast's ports, and go with it?

Guy wrote:
> So what you have to do to proxy the connections through Avast! I don't 
> know, you'll need to show.
> Do you *really* need to scan your outbound connections?
>   
This whole thing is more of a challenge / experiment than anything else. 
Certainly, scanning my SMTP connection(s) is far from important.

Off this specific Stunnel issue but related:-
For the last day or so, I've gone back to my 'old' setup of TB + Popfile 
+ Avast, and I've noticed that emails from my 'secure' POP connections 
are actually being scanned by Avast. They probably have been for some 
time and I didn't notice, but only recently have I turned on the 'adding 
of notes' in Avast's email scanner which adds an email footer along the 
lines of 'Avast found this message to be clean'.

I assume this scanning of 'secure' emails is a convenient byproduct 
somehow or other of routing the secure connections through Popfile.
For reference, Popfile is listening on its default port of 110, and the 
Avast email scanner currently also only has port 110 in its POP 
redirected ports settings. Thunderbird has the host for those accounts 
as 127.0.0.1, also on port 110, and the username is in the form of:
pop_server:username:ssl
which Popfile requires. The :ssl is required by Popfile to handle secure 
connections.

I do notice that non-secure connections' emails end up with the scanning 
footer being added twice, suggesting Avast is double scanning them.
Secure connections' emails only get the one footer added.
So all told, all incoming email seems to be scanned by Avast, albeit 
some of it twice.
> Your stunnel configuration file has 2 [popmail] service names, that 
> will be confusing. And why do you have a  [popmail] and [pop3_sky] 
> connecting to the same MTA?
>   
That is because I don't know what I'm doing :)
I originally built stunnel.conf without catering for Popfile, then I 
wanted to introduce Popfile into the equation, so I found the below 
advice page regarding Popfile and Stunnel :-
http://getpopfile.org/docs/howtos:stunnel
It appears I wrongly guessed how to interpret that advice on what to add 
to stunnel.conf
I have since had some clarification on this from a query I raised on 
this at the Popfile forums:-
http://getpopfile.org/discussion/1/188
> Did you enable debugging within stunnel?
>
>   Global options:
>
>     debug = debug
>     output = stunnel.log
>   
Yes, I did try that, and dabbled a little with the packet sniffers. 
However I didn't find it any easier to pinpoint what was actually going 
on regarding the presence or otherwise of a secure connection.
i.e. I don't know what I'm looking at/for.
At the moment, my only method of 'testing' what is 'probably' going on, 
is to open or close parts of my local chain, and thereby build an 
apparent picture of what is happening. 
My original doubts of 'am I actually achieving a secure connection using 
Stunnel and my local chain' are not grounded in anything; I am/was just 
wanting to somehow avoid just assuming I had set everything up properly.

Lee
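
Added example, not part of the original message or of stunnel itself: a small check for the two stunnel.conf problems Guy points out above, a service name used twice and two differently named services connecting to the same remote server. The sample configuration, ports and host names are constructed placeholders, not the poster's actual file.

```python
from collections import defaultdict

# Constructed sample, not the poster's real stunnel.conf; hosts are placeholders.
SAMPLE_CONF = """\
; global options
debug = debug
output = stunnel.log
client = yes

[popmail]
accept = 127.0.0.1:1110
connect = pop.example.net:995

[pop3_sky]
accept = 127.0.0.1:1111
connect = pop.example.net:995

[popmail]
accept = 127.0.0.1:1112
connect = pop.example.org:995
"""

def parse_services(text):
    """Return [(service_name, {option: value})] in file order, keeping duplicates."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}                         # new service section
            services.append((line[1:-1].strip(), current))
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)      # last value wins if repeated
            current[key.strip().lower()] = value.strip()
    return services

def lint(text):
    """Flag repeated service names and distinct services sharing a connect target."""
    names, targets = defaultdict(int), defaultdict(list)
    for name, opts in parse_services(text):
        names[name] += 1
        if "connect" in opts:
            targets[opts["connect"].lower()].append(name)
    dup_names = sorted(n for n, c in names.items() if c > 1)
    shared = {t: s for t, s in targets.items() if len(set(s)) > 1}
    return dup_names, shared

if __name__ == "__main__":
    print(lint(SAMPLE_CONF))
```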



