Thanks again, Guy, I appreciate your efforts there.

So I don't have to do anything regarding certificates or digital signatures, or anything along those lines? I just install OpenSSL and Stunnel, configure stunnel.conf, tweak Thunderbird's accounts settings and Avast's ports, and go with it?

Guy wrote:

So what you have to do to proxy the connections through Avast! I don't know, you'll need to show. Do you *really* need to scan your outbound connections?

This whole thing is more of a challenge / experiment than anything else. Certainly, scanning my SMTP connection(s) is far from important.

Off this specific Stunnel issue but related:- For the last day or so, I've gone back to my 'old' setup of TB + Popfile + Avast, and I've noticed that emails from my 'secure' POP connections are actually being scanned by Avast. They probably have been for some time and I didn't notice, but only recently have I turned on the 'adding of notes' in Avast's email scanner which adds an email footer along the lines of 'Avast found this message to be clean'.

I assume this scanning of 'secure' emails is a convenient byproduct somehow or other of routing the secure connections through Popfile. For reference, Popfile is listening on its default port of 110, and the Avast email scanner currently also only has port 110 in its POP redirected ports settings. Thunderbird has the host for those accounts as 127.0.0.1, also on port 110, and the username is in the form of: pop_server:username:ssl which Popfile requires. The :ssl is required by Popfile to handle secure connections.

I do notice that non-secure connections' emails end up with the scanning footer being added twice, suggesting Avast is double scanning them. Secure connections' emails only get the one footer added. So all told, all incoming email seems to be scanned by Avast, albeit some of it twice.

Your stunnel configuration file has 2 [popmail] service names, that will be confusing. And why do you have a [popmail] and [pop3_sky] connecting to the same MTA?

That is because I don't know what I'm doing :) I originally built stunnel.conf without catering for Popfile, then I wanted to introduce Popfile into the equation, so I found the below advice page regarding Popfile and Stunnel :- http://getpopfile.org/docs/howtos:stunnel It appears I wrongly guessed how to interpret that advice on what to add to stunnel.conf I have since had some clarification on this from a query I raised on this at the Popfile forums:- http://getpopfile.org/discussion/1/188

Did you enable debugging within stunnel?

Global options:

debug = debug
output = stunnel.log

Yes, I did try that, and dabbled a little with the packet sniffers. However I didn't find it any easier to pinpoint what was actually going on regarding the prescence or otherwise of a secure connection. ie I don't know what I'm looking at/for. At the moment, my only method of 'testing' what is 'probably' going on, is to open or close parts of my local chain, and thereby build an apparent picture of what is happening. My original doubts of 'am I actually achieving a secure connection using Stunnel and my local chain' are not grounded in anything; I am/was just wanting to somehow avoid just assuming I had set everything up properly.

Lee