On Thu, 2011-02-10 15:08:11 -0600, Dave wrote:
> [..]
> So is verify 2 or 3 only necessary when there is an stunnel instance on each end? If I'm just connecting to stunnel from an offsite mail client, with stunnel running on the same machine as and solely to provide a secure connection to the pop3 service, is this all a moot point?
No, there is no need for stunnel on both sides. Let's call it 'SSL encryption engine' instead, which could be built into the mail client or be a separate process such as stunnel.
However, for verify level two or three, the client-side encryption engine needs to present a client certificate to the server. Some years ago, as I started to use stunnel, this was not the case for Outlook's encryption engine. (I don't know why one would like to authenticate the server, but not the client -- there is a German proverb saying 'nearly hit is missed too' ;-) ).
In order to test the server-side stunnel setup, I would propose to run a client-side stunnel first, possibly on the same machine as the server-side stunnel.
You may use "telnet localhost <port>" then to open a connection to the POP3 server (in clear-text or encrypted if <port> is 110 or the port the client-side stunnel listens on, respectively).
A POP3 server welcomes new clients with '+OK', and the clean way for a client to close a connection is to say 'quit'.
Ludolf
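The manual check Ludolf describes (connect to the local port, expect the '+OK' greeting, close cleanly with 'quit'), written up as an added example that is not part of the original thread. The fake POP3 server, the loopback host and the function names are constructed for this example so that it runs offline; for a real test, point pop3_smoke_test() at port 110 or at the port a client-side stunnel listens on.

```python
import socket
import threading

def _read_line(sock, limit=512):
    """Read one CRLF-terminated line (stops early on EOF or at `limit` bytes)."""
    buf = b""
    while not buf.endswith(b"\r\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf

def pop3_smoke_test(host, port, timeout=3.0):
    """Automated form of 'telnet localhost <port>': return (ok, detail).
    ok is True only if the greeting starts with '+OK' and QUIT is acknowledged."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            greeting = _read_line(s)
            if not greeting.startswith(b"+OK"):
                # Hitting stunnel's TLS accept port with a clear-text client
                # yields no '+OK' (silence or TLS alert bytes), so report it.
                return False, "no +OK greeting, got %r" % greeting
            s.sendall(b"QUIT\r\n")  # the clean way to close, per the thread
            bye = _read_line(s)
            return bye.startswith(b"+OK"), greeting.strip().decode(errors="replace")
    except OSError as exc:  # refused, timed out, reset
        return False, "connection failed: %s" % exc

def start_fake_pop3(greeting=b"+OK constructed test POP3 ready\r\n"):
    """Constructed stand-in for the POP3 daemon so the example runs offline.
    Listens on loopback, greets once, answers QUIT; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
            if _read_line(conn).upper().startswith(b"QUIT"):
                conn.sendall(b"+OK bye\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Real use: pop3_smoke_test("127.0.0.1", 110) for clear text, or the port
    # a client-side stunnel listens on for the encrypted path.
    print(pop3_smoke_test("127.0.0.1", start_fake_pop3()))
```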