I tried sending directly to you; I must have looked like a spammer. I am ever so slightly pleased to see that I have some company in my frustration with this software. I'll try to help, since the experts seem to be too busy. I've only used it twice, and it was painful both times.
Have you gotten it to work at all? That is, what do you see? Do you get a running stunnel process?
Do you have (with permissions)
ls -l /usr/local/etc/stunnel/mail.pem
-rw------- 1 root staff 2233 Jan 5 17:25 /usr/local/etc/stunnel/mail.pem
I created it by running this command in that directory:
sudo openssl req -new -out mail.pem -keyout mail.pem -nodes -x509 -days 365
I created a stupid certificate, because at some point it looked like it was asking me for my name (David Chase) when what they wanted was my fully qualified domain name (dr2chase.org), so that part of the certificate is wrong. The certificate creation in the makefile asked for this in a slightly more sensible way, using the abbreviation "FQDN", though you have to wonder how busy the authors of some of this security software are, that they cannot take the time to type in "Fully qualified domain name", and instead expect us to figure it out.
It can be whiny about permissions, in a non-specific way (as if the software ran a one-way-hash on the permissions, didn't get a match, and expected you to just guess till it worked.)
sudo chmod 600 /usr/local/etc/stunnel/mail.pem
sudo chmod 755 /usr/local/etc/stunnel/
sudo chown root /usr/local/etc/stunnel/stunnel.conf
You'll need to copy the sample stunnel.conf file into the real one:
sudo cp /usr/local/etc/stunnel/stunnel.conf-sample /usr/local/etc/stunnel/stunnel.conf
You might want to look it over, though I don't recall changing much in mine. You might want to turn on debug logging there; mine seemed to spew in the invoking terminal, instead of any file that I could find, but that was good enough for a start:
debug = 7
output = stunnel.log
Some part of stunnel created its chroot directory with incorrect (for MacOS, at least) permissions:
% ls -ld /usr/local/var/lib/stunnel/
948 drwxrwx--T 2 root wheel 68 Jan 5 16:55 /usr/local/var/lib/stunnel/
That's the one that didn't work, and clearly someone thought carefully about giving it the wrong permissions -- that "T" didn't get there accidentally. This caused silent failure for me.
What worked, but might not be secure, is
drwxrwxrwx 2 root wheel 68 Jan 6 00:16 /usr/local/var/lib/stunnel/
My guess is that it would be better if it were owned by nobody/nogroup, but this is clearly something that trained experts should GET RIGHT, instead of leaving it busted for novices to tinker with.
What mail reader are you using? For example, Apple Mail's "connection doctor" will treat an unofficial certificate as a connection failure; only when you actually try to receive or send mail, will you get a chance to trust the certificate.
Perhaps my sarcastic remarks will cause someone to actually fix something. Who knows.
yours,
David Chase
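
Added example, not part of the original message and not stunnel's own tooling: a small POSIX shell check for the file and directory modes discussed above, so a wrong mode is reported by name instead of failing silently. The function names and finding labels are made up for this example; the file names mail.pem and stunnel.conf are the ones from the message.

```shell
#!/bin/sh
# Added example (not from the original message). Paths are passed in as
# arguments; the message's own paths are shown in the usage comment at the end.

# any_bit PATH BIT... : succeeds if PATH has any of the given octal bits set.
any_bit() {
    p=$1; shift
    for b in "$@"; do
        [ -n "$(find "$p" -prune -perm -"$b" 2>/dev/null)" ] && return 0
    done
    return 1
}

# audit_stunnel ETC_DIR CHROOT_DIR
# Prints one line per finding; exit status is the number of findings.
audit_stunnel() {
    etc=$1; jail=$2; bad=0
    key=$etc/mail.pem; conf=$etc/stunnel.conf

    if [ ! -f "$key" ]; then
        echo "MISSING  $key"; bad=$((bad + 1))
    elif any_bit "$key" 0040 0020 0010 0004 0002 0001; then
        # The file holds the private key: nothing for group or other.
        echo "KEYMODE  $key is accessible to group/other, chmod 600"; bad=$((bad + 1))
    fi

    if [ ! -f "$conf" ]; then
        echo "MISSING  $conf (copy stunnel.conf-sample)"; bad=$((bad + 1))
    fi

    if any_bit "$etc" 0020 0002; then
        echo "DIRMODE  $etc is writable by group/other, chmod 755"; bad=$((bad + 1))
    fi

    if [ ! -d "$jail" ]; then
        echo "MISSING  $jail"; bad=$((bad + 1))
    elif any_bit "$jail" 0002; then
        # drwxrwxrwx: any local user can create or replace files in the chroot.
        echo "CHROOT   $jail is world-writable"; bad=$((bad + 1))
    fi
    return "$bad"
}

# Usage with the paths from the message:
#   audit_stunnel /usr/local/etc/stunnel /usr/local/var/lib/stunnel
```

The check only looks at mode bits, not ownership, so it runs without root; it flags the drwxrwxrwx chroot directory but cannot say which owner stunnel expects there.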