Using Email with stunnel
We start with the following commented configuration file, which makes a good reference for the options used below.
; AA (Andrews Arnold) stunnel configuration file for Win32 Sample Apr 2018
; This file sits in C:\Users\<user name>\AppData\Local\stunnel\config
; Use task manager to end task stunnel and re-launch stunnel to re-read this
; config file. If stunnel fails to launch (with an error message), most
; likely this config file has an error. A second launch of stunnel will
; display the user interface which might show a helpful error message.
;
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; Debugging stuff (may be useful for troubleshooting)
;debug = info
;output = stunnel.log
; Enable FIPS 140-2 mode if needed for compliance
;fips = yes
; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
;engine = capi
; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; e.g. softhsm2.dll or opensc-pkcs11.so
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:softhsm2.dll
;engineCtrl = PIN:1234
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Include all configuration file fragments from the specified folder *
; **************************************************************************
;include = conf.d
; **************************************************************************
; * Service definitions (at least one service has to be defined) *
; **************************************************************************
; ***************************************** Example TLS client mode services
; The loop back IP address range offers ~16 million addresses.
; Put the 127.x.y.z address in the server (pop/imap/smtp) fields of your email
; client (MTA) and map here with the same IP addresses.
; Make sure your email client is not using encryption or non-standard ports
; as stunnel provides the encryption.
; Adjust the server URL and port numbers of the remote server as per the
; other ISP's instructions.
; The 'protocol = smtp' in the [aa-smtp] block causes stunnel to use STARTTLS.
To use POP3:
[aa-pop3]
client = yes
accept = 127.0.0.1:110
connect = mail.aa.net.uk:995
verifyChain = yes
CAfile = ca-certs.pem
checkHost = mail.aa.net.uk
OCSPaia = yes
To use IMAP:
[aa-imap]
client = yes
accept = 127.0.0.1:143
connect = mail.aa.net.uk:993
verifyChain = yes
CAfile = ca-certs.pem
checkHost = mail.aa.net.uk
OCSPaia = yes
You will need the following snippet to use our SMTP server.
[aa-smtp]
client = yes
protocol = smtp
accept = 127.0.0.1:25
connect = smtp.aa.net.uk:587
verifyChain = yes
CAfile = ca-certs.pem
checkHost = smtp.aa.net.uk
OCSPaia = yes
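As an added check (not part of this page or of stunnel itself), the following Python script parses client-mode sections written in the style of the [aa-pop3]/[aa-imap]/[aa-smtp] blocks above and flags the two ways such a setup silently weakens: a plaintext accept listener that is not on the 127.x.y.z loopback range, and a client section without verifyChain, CAfile and checkHost, which would leave the remote certificate unchecked. SAMPLE_CONF is a constructed sample based on the page's POP3 block plus a deliberately weak variant.

```python
import ipaddress

# Constructed sample: the page's [aa-pop3] block plus a deliberately weak variant.
SAMPLE_CONF = """\
[aa-pop3]
client = yes
accept = 127.0.0.1:110
connect = mail.aa.net.uk:995
verifyChain = yes
CAfile = ca-certs.pem
checkHost = mail.aa.net.uk
[weak-imap]
client = yes
accept = 0.0.0.0:143   ; plaintext listener reachable from the LAN
connect = mail.aa.net.uk:993
"""

def parse_stunnel_conf(text):
    """stunnel syntax: ';' comments, [section] headers, 'key = value'. Option
    names are case-insensitive and may repeat, so each key maps to a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return sections

def audit_client_sections(text):
    """Map each client-mode section to its findings (an empty list means ok)."""
    findings = {}
    for name, opts in parse_stunnel_conf(text).items():
        if opts.get("client", ["no"])[-1].lower() != "yes":
            continue  # server-mode sections are outside this page's scope
        problems = []
        for accept in opts.get("accept", []):
            # 'accept = port' alone binds every local address, not just loopback
            host = accept.rsplit(":", 1)[0] if ":" in accept else "0.0.0.0"
            try:
                if not ipaddress.ip_address(host).is_loopback:
                    raise ValueError
            except ValueError:  # non-loopback address, or a hostname rather than an IP
                problems.append(f"accept {accept}: plaintext listener not on loopback")
        for key in ("verifychain", "cafile", "checkhost"):  # all three are needed to validate the server
            if opts.get(key, ["no"])[-1].lower() in ("no", ""):
                problems.append(f"{key} missing or 'no': server certificate not validated")
        findings[name] = problems
    return findings
```

Running audit_client_sections over your own stunnel.conf before re-launching stunnel catches a listener bound to a LAN address or a dropped verifyChain line, both of which stunnel itself accepts without complaint.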