If a connection with the peer is made, the two instances of stunnel (one at either end of the tunnel) present their certificates to each other. With verify level two, each instance checks.......
Wait, so in my case, there is not an instance of stunnel on each end. It is like this:
<offsite-connecting-client> connects to ---> mainserver:995 (port 995 created by stunnel in server mode on mainserver) forwards to ---> mainserver:110 (standard pop3 running on same machine as stunnel server)
So is verify 2 or 3 only necessary when there is an stunnel instance on each end? If I'm just connecting to stunnel from an offsite mail client, with stunnel running on the same machine as, and solely to provide a secure connection to, the pop3 service, is this all a moot point?
Dave