Stunnel supports encryption in the "old" ssl style extra port configuration (i.e. imaps on port 993) where the encryption is negotiated immediately upon start of the connection.
Does stunnel also support the startTLS method? I.e., a clear text connection is established (imap on port 143) and one of the first imap commands is startTLS, which negotiates the encryption and protects the connection from that time onwards. I know that supporting startTLS is a lot harder, since it means sniffing commands in the higher level protocol, but we need it nevertheless. (In fact, our imap server does support startTLS, but it does _not_ support importing an external certificate, which is why I'm looking for an external solution.)
From reading the documentation I'm not sure whether stunnel supports startTLS; there are a few option descriptions which might point to startTLS, but I'm not sure. Does anybody know the definite answer?
Greetings, Markus Borst
Markus Borst wrote:
From reading the documentation I'm not sure whether stunnel supports startTLS; there are a few option descriptions which might point to startTLS, but I'm not sure. Does anybody know the definite answer?
Stunnel does support it. The option name is "protocol".
I have updated the manual to be more detailed: http://www.stunnel.org/static/stunnel.html
Mike
On 27.04.2011 22:34, Michal Trojnara wrote:
Markus Borst wrote:
From reading the documentation I'm not sure whether stunnel supports startTLS; there are a few option descriptions which might point to startTLS, but I'm not sure. Does anybody know the definite answer?
Stunnel does support it. The option name is "protocol".
I have updated the manual to be more detailed: http://www.stunnel.org/static/stunnel.html
Mike
Mike,
Thanks for the documentation update; this makes it a lot clearer what the "protocol" option actually does. Could you provide a configuration example? For example, if I have configured my local imap server to listen on port 8143 (instead of 143), would this be a valid stunnel configuration?
[imap]
accept = 143
connect = 8143
protocol = imap
Can I enforce starttls? I.e., if the client tries to authenticate to imap without first issuing starttls, it should be denied and/or the connection should be terminated.
Greetings, Markus Borst
Markus Borst wrote:
Could you provide a configuration example? For example, if I have configured my local imap server to listen on port 8143 (instead of 143), would this be a valid stunnel configuration?
[imap]
accept = 143
connect = 8143
protocol = imap
That's correct. It's pretty trivial, isn't it?
Can I enforce starttls? I.e., if the client tries to authenticate to imap without first issuing starttls, it should be denied and/or the connection should be terminated.
What you just described is the only action supported by stunnel. 8-)
Mike
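To make the enforcement behaviour discussed above concrete, here is an added Python model (not stunnel's code, and not from anyone in this thread) of what a STARTTLS-enforcing front door on the plaintext port 143 has to do: answer CAPABILITY, NOOP and LOGOUT itself, accept STARTTLS, and refuse every other command (LOGIN, AUTHENTICATE, SELECT, ...) without ever forwarding it to the backend. The response wording and the command set are assumptions for this example, not stunnel's actual strings.

```python
import re

# "tag command [args]" as in RFC 3501; the tag is echoed back in the reply.
TAG_RE = re.compile(r"^(\S+)\s+(\S+)(?:\s+(.*))?$")


class StartTlsGate:
    """Plaintext phase of an IMAP connection, before the TLS handshake.

    Nothing is forwarded to the real server until STARTTLS has succeeded,
    so credentials can never cross the wire unencrypted.
    """

    def __init__(self):
        self.tls_started = False
        self.closed = False

    def greeting(self):
        return "* OK IMAP server ready (STARTTLS required)"  # constructed text

    def handle(self, line):
        """Return the response lines for one client command (None once TLS is up)."""
        m = TAG_RE.match(line.strip())
        if not m:
            return ["* BAD Invalid command syntax"]
        tag, cmd = m.group(1), m.group(2).upper()
        if self.tls_started:
            return None  # plaintext phase over: hand the socket to the TLS layer
        if cmd == "CAPABILITY":
            # Advertise STARTTLS and tell the client that LOGIN is off (RFC 2595).
            return ["* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",
                    f"{tag} OK CAPABILITY completed"]
        if cmd == "STARTTLS":
            self.tls_started = True
            return [f"{tag} OK Begin TLS negotiation now"]
        if cmd == "NOOP":
            return [f"{tag} OK NOOP completed"]
        if cmd == "LOGOUT":
            self.closed = True
            return ["* BYE Logging out", f"{tag} OK LOGOUT completed"]
        # Anything else before STARTTLS is refused and never reaches the backend.
        return [f"{tag} BAD Command unavailable before STARTTLS"]


def run_session(client_lines):
    """Drive the gate with a constructed client transcript; return (gate, log)."""
    gate = StartTlsGate()
    log = [gate.greeting()]
    for line in client_lines:
        log.append("C: " + line)
        resp = gate.handle(line)
        if resp is None:
            break
        log.extend("S: " + r for r in resp)
        if gate.closed:
            break
    return gate, log
```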