Not sure if ranting will get you the kind of answer you are looking for, but it was certainly entertaining for me.
Anyway... I agree, sometimes things can be a little frustrating, but I guess that depends on how much time and how much work you want to put into it. Sorry to hear you feel stupid. Everyone has to start from 0 at some point, and it takes time to get a good handle on how things work. The question is... do you really want to know how things work, or do you just want them to work without having to do much?
A Google search for "SSL Explained" turns up http://wildbill.nulldevice.net/presentations/sslpreso/ I liked slide 11/35, a nice little diagram of the SSL handshake which helps to visualize in very general terms how an SSL connection works. The rest of the slides are good too; check them out!
In your particular case, which forced you to change from plain-text to SSL connections to your mail server, you had a couple of options.
- First and most obvious is to use the SSL support built into your mail client (Thunderbird, Outlook, etc.); most if not all modern mail clients support SSL natively. No need for stunnel there.
- If your mail client does not support SSL, then stunnel is the way to go. But your issue is in how stunnel is being used: as a client.
When you are a client... you always want to verify your server. You want to make sure you are connected to the right server. You want to use verify=2 in stunnel.conf.
How do we verify that the server I just connected to is in fact the right server? That is the Certificate Authority's job. We ultimately have to trust the CA; they issued the certificate for the server owner. They signed the certificate with their key, and we use the CA's certificate to verify that signature. Here is the catch... operating systems and some programs are shipped with a prebuilt collection of CA certificates. Unfortunately stunnel does not.
However, most CAs let you download their certificates for your own use. In your particular case, it looks like the server you are connecting to uses a certificate issued by Equifax Secure Certificate Authority. Here is their download page for the CA certificates: http://www.geotrust.com/resources/root-certificates/
You pointed out that they refuse connections if the client presents a certificate. Yes, that is somewhat common practice. Mutual authentication (both server and client send certificates to each other and verify them) is impractical in some cases.
Thanks
-----------------
Leandro Avila
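To make the "use verify=2 and point stunnel at the CA certificate" advice above concrete, here is an added example of a client-side stunnel.conf. It is not from the original post or from the stunnel project; the host name mail.example.com, the local listen ports 1993/1994, and the CA bundle path /etc/ssl/certs/ca-certificates.crt are assumptions (point CAfile at wherever you saved the downloaded Equifax/GeoTrust root instead). The first service shows the weak setting that accepts any server, the second the corrected one.

```ini
; Added example, not part of the original post or of stunnel's own docs.
; Assumed: mail.example.com:993 is the IMAPS server, the mail client is
; told to speak plain IMAP to 127.0.0.1:1993, and the CA bundle lives at
; /etc/ssl/certs/ca-certificates.crt (Debian layout). Adjust to taste.

; Global options
output = /var/log/stunnel.log
; Turn this up to 7 while diagnosing "certificate verify failed" errors.
debug = 5

; --- WEAK (shown only for contrast; delete it). No "verify" line means
; verify = 0: stunnel encrypts the connection but accepts whatever
; certificate the far end presents, so anyone who can redirect traffic
; to port 993 can impersonate the mail server.
[imaps-unverified]
client = yes
accept = 127.0.0.1:1994
connect = mail.example.com:993

; --- CORRECTED. verify = 2 requires the server to present a certificate
; and rejects the connection unless it chains to a CA listed in CAfile.
[imaps]
client = yes
accept = 127.0.0.1:1993
connect = mail.example.com:993
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
; Do NOT add "cert = ..." to a client section unless the server actually
; asks for a client certificate; the server discussed in the post drops
; connections that present one.
```

Two caveats a practitioner would want: verify = 2 checks that the certificate is signed by a trusted CA, but by itself it does not check that the name in the certificate matches the host you connected to (stunnel 5.x adds a checkHost option for that; confirm your version supports it). And before blaming stunnel, test the CA file directly with `openssl s_client -connect mail.example.com:993 -CAfile /etc/ssl/certs/ca-certificates.crt` and look for "Verify return code: 0 (ok)" in the output; if openssl cannot build the chain with that file, stunnel will not either.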