Using Email with stunnel

From AAISP Support Site

For customers who's email clients do not support TLS and STARTTLS, it is possible to encapsulate the traffic within stunnel with the below configuration.

Configuration

This was taken from Windows. Configuration format may vary for Linux.

We start with the following piece of commented code. This makes for a good reference.

; AA (Andrews Arnold) stunnel configuration file for Win32 Sample Apr 2018
; This file sits in C:\Users\<user name>\AppData\Local\stunnel\config
; Use task manager to end task stunnel and re-launch stunnel to re-read this
;  config file.  If stunnel fails to launch (with an error message), most
;  likely this config file has an error.  A second launch of stunnel will
;  display the user interface which might show a helpful error message.
;
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may be useful for troubleshooting)
;debug = info
;output = stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
;fips = yes

; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
;engine = capi

; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; e.g. softhsm2.dll or opensc-pkcs11.so
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:softhsm2.dll
;engineCtrl = PIN:1234

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Include all configuration file fragments from the specified folder     *
; **************************************************************************

;include = conf.d

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

; ***************************************** Example TLS client mode services


;  The loop back IP address range offers ~16 million addresses.
;  Put the 127.x.y.z address in the server (pop/imap/smtp) fields of your email
;   client (MTA) and map here with the same IP addresses.
;  Make sure your email client is not using encryption or non-standard ports
;   as stunnel provides the encryption.
;  Adjust the server URL and port numbers of the remote server as per the
;   other ISP's instructions.
;  The 'protocol = smtp' in the [aa-smtp] block causes stunnel to use STARTTLS.

To use POP3:

[aa-pop3]
client = yes
accept = 127.0.0.1:110
connect = mail.aa.net.uk:995
verifyChain = yes
CAfile = ca-certs.pem
checkHost = mail.aa.net.uk
OCSPaia = yes

To use IMAP:

[aa-imap]
client = yes
accept = 127.0.0.1:143
connect = mail.aa.net.uk:993
verifyChain = yes
CAfile = ca-certs.pem
checkHost = mail.aa.net.uk
OCSPaia = yes

You will need to following snippet to use our SMTP server.

[aa-smtp]
client = yes
protocol = smtp
accept = 127.0.0.1:25
connect = smtp.aa.net.uk:587
verifyChain = yes
CAfile = ca-certs.pem
checkHost = smtp.aa.net.uk
OCSPaia = yes