[stunnel-users] Confusion regarding part of stunnel.conf
Ludolf Holzheid
lholzheid at bihl-wiedemann.de
Fri Feb 11 09:37:01 CET 2011
On Thu, 2011-02-10 15:08:11 -0600, Dave wrote:
>
> [..]
>
> So is verify 2 or 3 only necessary when there is an stunnel instance
> on each end? If I'm just connecting to stunnel from an offsite mail
> client, with stunnel running on the same machine as and solely to
> provide a secure connection to the pop3 service, is this all a moot
> point?
No, there is no need for stunnel on both sides. Let's call it 'SSL
encryption engine' instead, which could be built into the mail
client or be a separate process such as stunnel.

However, for verify level two or three, the client-side encryption
engine needs to present a client certificate to the server. Some years
ago, when I started to use stunnel, this was not the case for Outlook's
encryption engine. (I don't know why one would like to authenticate
the server, but not the client -- there is a German proverb saying
'nearly hit is missed too' ;-) ).

In order to test the server-side stunnel setup, I would propose to run
a client-side stunnel first, possibly on the same machine as the
server-side stunnel.

You may then use "telnet localhost <port>" to open a connection to the
POP3 server (in clear-text or encrypted if <port> is 110 or the port
the client-side stunnel listens on, respectively).

A POP3 server welcomes new clients with '+OK', and the clean way for a
client to close a connection is to say 'quit'.

Ludolf
--
---------------------------------------------------------------
Ludolf Holzheid Tel: +49 621 339960
Bihl+Wiedemann GmbH Fax: +49 621 3392239
Floßwörthstraße 41 e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------
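
The test setup described in the message above, written out as a pair of stunnel configuration files. This is an added example, not part of the original post; the file paths, the section names and the local test port 1100 are assumptions.

```ini
; ---- server-side stunnel.conf (on the POP3 host) ----
; All paths are placeholders (assumption); adjust to the local layout.

; Server certificate and private key presented to connecting clients.
cert = /etc/stunnel/server.pem

; verify = 2: the peer MUST present a certificate that chains to a CA
;             listed in CAfile, otherwise the handshake is rejected.
; verify = 3: the peer certificate itself must be installed locally,
;             so CAfile then holds the individual client certificates.
verify = 2
CAfile = /etc/stunnel/client-ca.pem

[pop3s]
; TLS side, reachable from offsite mail clients.
accept = 995
; Clear-text POP3 service on the same machine.
connect = 127.0.0.1:110


; ---- client-side stunnel.conf (test instance, may run on the same host) ----

; Act as the TLS client: accept clear-text locally, speak TLS outwards.
client = yes

; Client certificate and key presented to the server. Without this line
; a server running verify level 2 or 3 refuses the connection.
cert = /etc/stunnel/client.pem

[pop3-test]
; Clear-text port to point telnet at (1100 is an arbitrary choice).
accept = 127.0.0.1:1100
; The server-side stunnel configured above.
connect = 127.0.0.1:995
```

With both instances running, "telnet localhost 1100" should show the same '+OK' greeting as "telnet localhost 110". Commenting out the client-side `cert` line is a quick check that the server really enforces the verify level, since the greeting should then no longer arrive.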