[stunnel-users] Confusion regarding part of stunnel.conf

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Fri Feb 11 09:37:01 CET 2011


On Thu, 2011-02-10 15:08:11 -0600, Dave wrote:
> 
> [..]
> 
> So is verify 2 or 3 only necessary when there is an stunnel instance
> on each end?  If I'm just connecting to stunnel from an offsite mail
> client, with stunnel running on the same machine as and solely to
> provide a secure connection to the pop3 service, is this all a moot
> point?

No, there is no need for stunnel on both sides. Let's call it 'SSL
encryption engine' instead, which could be built into the mail
client or be a separate process such as stunnel.

However, for verify level two or three, the client-side encryption
engine needs to present a client certificate to the server. Some years
ago, when I started to use stunnel, this was not the case for Outlook's
encryption engine. (I don't know why one would like to authenticate
the server, but not the client -- there is a German proverb saying
'nearly hit is missed too' ;-) ).

In order to test the server-side stunnel setup, I would propose to run
a client-side stunnel first, possibly on the same machine as the
server-side stunnel.

You may then use "telnet localhost <port>" to open a connection to the
POP3 server (in clear-text or encrypted if <port> is 110 or the port
the client-side stunnel listens on, respectively).

A POP3 server welcomes new clients with '+OK', and the clean way for a
client to close a connection is to say 'quit'.

Ludolf

-- 

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------
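Added example, not part of Ludolf's message or of stunnel's own documentation: a server-side stunnel.conf that requires a client certificate (verify = 2), together with the client-side stunnel.conf he proposes for testing on the same machine. All file paths, port numbers and the host name mail.example.com are assumptions chosen for illustration; the option names are those of the stunnel 4.x configuration file. The server section also shows, commented out, the weaker setting that would accept a client without a certificate.

```ini
; ---------- server side: /etc/stunnel/pop3s.conf (assumed path) ----------
; Certificate and key presented to connecting mail clients.
cert   = /etc/stunnel/server.pem
key    = /etc/stunnel/server.key

; CA that issued the *client* certificates. With verify = 2 a client that
; presents no certificate, or one not signed by this CA, is rejected.
CAfile = /etc/stunnel/client-ca.pem
verify = 2
; verify = 1 would only check a client certificate *if one is presented*,
; i.e. a client without a certificate (Outlook of that era) still gets in.
; verify = 3 additionally requires the exact client certificate to be
; installed locally (CApath directory with hash-named files).

[pop3s]
accept  = 995
connect = 127.0.0.1:110

; ---------- client side: /etc/stunnel/pop3c.conf (assumed path) ----------
; Runs on the same machine for the test; points at the server stunnel.
client = yes

; Client certificate/key that the server's CAfile must be able to verify.
cert   = /etc/stunnel/client.pem
key    = /etc/stunnel/client.key

; CA that issued the *server* certificate, so the client authenticates
; the server as well (no "nearly hit").
CAfile = /etc/stunnel/server-ca.pem
verify = 2

[pop3c]
accept  = 127.0.0.1:1110
connect = mail.example.com:995
```

To run the test described in the message, start both instances (`stunnel /etc/stunnel/pop3s.conf` and `stunnel /etc/stunnel/pop3c.conf`), then `telnet localhost 1110`: the POP3 banner beginning with `+OK` should appear exactly as it does on `telnet localhost 110`, and `quit` closes the session cleanly. Removing `cert`/`key` from the client section and reconnecting should make the server stunnel drop the handshake, which confirms that verify = 2 is actually being enforced.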
