Xmail And Ssl, Configure with Stunnel

Hi!

Is there someone who has configured xmail with stunnel ? I would like to do it but I don't understand the docs how to do this. Can anyone tell me how to do this - step by step ?

Prepare the SSL-Certificate:
Download and unzip openssl
Create a certificate:
bin\openssl.exe req -new -x509 -nodes -out stunnel.pem -keyout stunnel.pem -days 365 -config openssl.cnf
Adapt the number of days until the certificate expires to your needs.
When you are asked for (YOUR name), enter ip_or_name_of_xmail_server
Copy stunnel.pem to your stunnel folder

Prepare Stunnel:
Download and unzip stunnel to your stunnel folder
copy ssl/bin/*.dll from openssl to your stunnel folder
Create a file named stunnel.conf with the following content:
--<cut here>--
client = no
debug = 7
options = DONT_INSERT_EMPTY_FRAGMENTS

[POP3]
accept = 995
connect = 127.0.0.1:110
delay = no

[SMTP]
accept = 8025
connect = your_xmail_server_ip_or_name:25
delay = no
--<cut here>--
Start stunnel.exe

Prepare XMail:
Close the standard POP3 port for the rest of the world by binding it to 127.0.0.1.
Use parameter -PI for that (see Xmail manual).
Make sure that you allow 127.0.0.0 in your pop.ipmap.tab
Standard SMTP has to stay open, in order to talk to other SMTPs in the world.
But your LAN clients can use SSL-secured SMTP, if they want.
Restart XMail Service

Prepare the Client:
In Outlook check 'Use SSL...' with POP3 and optional with SMTP connections
Use port 995 for secure POP and 8025 for secure SMTP

Have fun!

Use
stunnel.exe -- install
if you want stunnel to run as a system service.

-- Please let me know if you managed it to run or if I've overseen something ... :-)

Just a remark...I am using Xmail under Linux !? Does this change things a lot ?
Do I need to install stunnel on the client side too or is it enough to enable ssl support in their email client ?

Certificate generation and setup should be the same.
Copying the .dlls will not be necessary.
If your client is Outlook only, then you don't need stunnel on client side. If you do other sorts of communication with secure SMTP or POP, you might need it.

So to start stunnel it is enough just ./stunnel, wright? Is it possible to still be able to use nonssl pop3 ?

... when you have created the certificates and the .conf file.
You can still use the standard services, if you do not bind them to 127.0.0.1 in XMail. The stunnel.conf then has to be

[POP3]
accept = 995
connect = your_xmail_server_ip_or_name:110
delay = no

for POP3.


Would be nice to see a Linux howto here, when things run on your machine .. :-)

OK, I got it working. So a Linux howto:

-get a source at www.stunnel.org and compile it and install:

CODE

$./configure $make $make install

When you run "make install" you will be prompted to create a certifikate which you should do.

-create a /usr/local/etc/stunnel/stunnel.conf file with the following:

CODE

cert = /usr/local/etc/stunnel/stunnel.pem pid = /tmp/stunnel.pid setuid = nobody setgid = nobody options = DONT_INSERT_EMPTY_FRAGMENTS debug = 7 output = stunnel.log client = no [POP3] accept  = 995                         #standard pop3ssl port   connect = 127.0.0.1:110 delay = no [SMTP] accept  = 8025                        #port of your choise connect = 127.0.0.1:25 delay = no

-make Xmail to listen to 127.0.0.1:110 and 127.0.0.1:25 and restart xmail service

-setup your firewall (if you have one) to allow access to those ports you have specified in stunnel.conf

-run /usr/local/sbin/stunnel

-make changes in Outlook or Netscape or whatever to use SSL

-try to conect to your mailbox

If you have a problem check the /usr/local/etc/stunnel/stunnel.log file.

Have fun.

Thank U !
Looks much easier than on NT ... ;-)

For Linux Users:

You must make stunnel start before Xmail when booting or Xmail will not work properly after rebooting with stunnel starting first.

Thanks,
Pete

Speaking of which, what's a good way to get a nice solid stunnel PID running before you start XMail?

I have Xmail starting before stunnel and I don't have any problems with Xmail. I am running RH8.

Do you now if we can start 2 pop in same time ? 1 for SSL connection and 1 for normal ?

Bind the POP service to 127.0.0.1:110 and your_external_ip:110. The one with 127.* is used for tunneling, the other one id a normal POP.

QUOTE

-PI ip[:port]                 Bind server to the specified ip address and (optional) port                 (can be multiple).

Thanks for the contrib!

for mandrake 9.2 i found these differences:

create the certificate (path to openssl.cnf has to be specified as follows):