On Fri, 2011-02-11 13:23:32 -0600, Dave wrote:
> Is this client certificate you mention one of the certs of the server being connected to (is it from "mainserver"? or the CA I created?)? Like, will I have to pass out this cert to any clients I know will be connecting, so that they all have it, before they can connect at level 2 or 3? Or is it just something built into the software a connecting person is using?
You should create one certificate for each client. In this way you will be able to revoke certificates for single clients.
It does not matter whether these are self-signed or signed by a CA as long as stunnel is able to check them against a white list (in case of self-signed ones) or a black list (in case of the certificates signed by a CA).
The clients have to configure their mail programs to use this certificate while connecting to your server.
> I apologize for my ignorance and appreciate your patience, I just haven't had to worry about something like this in setting up any SSL-secured services before. For example, with https, as long as the web server is configured to serve that protocol, it "just works" and you don't have to worry about providing certs to everyone connecting to your web site. (Or perhaps I'm making a leap there, and you don't mean above that each client has to have a copy of some cert from the server.) I guess I'm trying to figure out the difference between that and this issue with stunnel.
The goal of SSL-securing an HTTP server is to encrypt the conversation (in order to hide e.g. bank details of the customer on the way to the server) and to provide a way to authenticate the server (i.e. the customer shall be given a possibility to ensure the server he connected to is run by the company he wants to order from).
Thus, HTTP servers usually don't verify client certificates. (The fact that HTTP users usually don't check the owner of the server certificate is another issue.)
If one were to SSL-secure an HTTP server with stunnel, it would usually run with verify level one or zero (at least for web stores and sites like that).
On the other hand, if you want to run an SSL-secured POP3 server, it is essential to authenticate the client. As it is much easier to send forged e-mails than to set up a forged POP3 server, it is not that interesting to authenticate the server.
So if you SSL-secure a POP3 server with stunnel, it should run with verify level two or three to force the clients to authenticate themselves.
HTH,
Ludolf
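As an added illustration of the two POP3 setups Ludolf describes (this is not a configuration from the thread, nor Dave's or Ludolf's own), here is a stunnel.conf sketch using stunnel 4.x-style options. All file paths, the host name mainserver.example and the second listening port 9950 are placeholders chosen for the example.

```ini
; Added example, not from the list thread. Global options come first.
cert = /etc/stunnel/mainserver.pem     ; server certificate + key (placeholder)
setuid = stunnel
setgid = stunnel
chroot = /var/run/stunnel
pid = /stunnel.pid                     ; path is relative to the chroot

; Variant A: every client holds a certificate signed by your own CA.
; verify = 2 demands a client certificate and checks its chain against
; CAfile; a client is locked out by listing its cert in the CRL (the
; "black list" in the reply above).
[pop3s-ca-signed]
accept = 995
connect = 110                          ; plain POP3 daemon on localhost
verify = 2
CAfile = /etc/stunnel/my-ca.pem        ; your CA certificate (placeholder)
CRLfile = /etc/stunnel/my-ca.crl       ; CRL issued by that CA (placeholder)

; Variant B: each client uses its own self-signed certificate.
; verify = 3 additionally requires the peer's certificate itself to be
; installed in CApath (the "white list"); deleting one file revokes that
; single client. Run `c_rehash` on the directory after changing it.
[pop3s-self-signed]
accept = 9950                          ; second port only so both variants fit
connect = 110
verify = 3
CApath = /etc/stunnel/trusted-clients  ; placeholder directory

; Client side: a mail program that cannot present a client certificate
; itself can speak plain POP3 to a local stunnel running in client mode,
; which then presents this client's certificate to the server.
[pop3-client]
client = yes
accept = 127.0.0.1:110
connect = mainserver.example:995
cert = /etc/stunnel/dave-client.pem    ; this client's own cert + key
verify = 2
CAfile = /etc/stunnel/my-ca.pem        ; so the client also checks the server
```

Only one of the two server sections would normally be deployed; they are shown together so the verify = 2 / CRL and verify = 3 / CApath choices can be compared side by side.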