[stunnel-users] Pop3, CAPA before STLS (allow stunnel to work with android devices using proto pop3 option).

Anthony Morgan tony at post.fm
Wed Nov 30 16:13:41 CET 2011


I'm running a pop3 server on a non-standard port and having stunnel listen on both 110 and 995 like so:

accept  = 995
connect = ...

accept  = 110
connect = ...
protocol = pop3

When connecting from an Android device (2.3 on Nexus S at least), it confirms the server supports STLS using CAPA (and seemingly will not configure otherwise), so I modified protocol.c to announce support:

<         fdputline(c, c->local_wfd.fd, "+OK Stunnel capability list follows");
<         fdputline(c, c->local_wfd.fd, "STLS");
<         fdputline(c, c->local_wfd.fd, ".");
>         fdputline(c, c->local_wfd.fd, "-ERR Stunnel does not support capabilities");
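
Review bot: the three "<" lines answer with a fixed capability list containing only STLS, so every client gets the same reply whatever the server behind "connect" actually supports; a short comment next to the fdputline calls saying that the list is deliberately minimal and that the real list is only visible after TLS would help later readers. The diff is also reversed normal-format output (the "<" lines are the new code, the ">" line is the -ERR reply being replaced) with no line numbers or context, so it cannot be applied as posted; a unified diff from the original protocol.c to the modified one would fix that.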

It seems to me that there is no harm in this, because the RFC states that the client MUST recheck the server's capabilities with another CAPA command after starting TLS. It may be better to check the server's actual capabilities, add STLS to them and return that, but this does work. Any thoughts or comments?

Tony Morgan

Sent from Post.fm
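
The exchange discussed in the post above, modelled from the client side as an added example (not part of the original message and not stunnel code): a strict client that refuses to continue unless the cleartext CAPA reply lists STLS, then drops that list and acts only on the CAPA reply received inside TLS. The two stunnel replies are the strings from the post; the backend reply, the class and the function names are constructed for illustration.

```python
# Added example, not stunnel code. All transcripts are constructed sample input.
PATCHED_PRE_TLS = ["+OK Stunnel capability list follows", "STLS", "."]
UNPATCHED_PRE_TLS = ["-ERR Stunnel does not support capabilities"]
BACKEND_POST_TLS = ["+OK Capability list follows", "USER", "SASL PLAIN LOGIN", "UIDL", "."]


def parse_capa(lines):
    """Parse a multi-line CAPA reply into {TAG: [params]}; -ERR yields {}."""
    if not lines or not lines[0].startswith("+OK"):
        return {}
    caps = {}
    for line in lines[1:]:
        if line == ".":                      # end of the multi-line reply
            return caps
        fields = line.split()
        if fields:
            caps[fields[0].upper()] = fields[1:]
    raise ValueError("CAPA reply not terminated by '.'")


class Pop3Session:
    """Client-side view of which capability list may be trusted."""

    def __init__(self):
        self.tls = False
        self.caps = {}

    def on_capa(self, lines):
        self.caps = parse_capa(lines)

    def start_tls(self):
        if self.tls or "STLS" not in self.caps:
            raise RuntimeError("STLS not offered on this channel")
        self.tls = True
        self.caps = {}                       # cleartext list is unauthenticated: drop it

    def may_use_sasl(self, mech):
        return self.tls and mech in self.caps.get("SASL", [])


def negotiate(pre_tls, post_tls):
    """Return the capabilities learned over TLS, or None if STLS was not offered."""
    s = Pop3Session()
    s.on_capa(pre_tls)
    if "STLS" not in s.caps:
        return None                          # strict client: refuse cleartext setup
    s.start_tls()
    s.on_capa(post_tls)                      # second CAPA, now inside the tunnel
    return s.caps
```

With the unpatched -ERR reply negotiate() returns None, which matches the client behaviour described in the post; with the patched reply the result contains only what the backend listed over TLS.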
