Stunnel clarification

Hello,

I've been fiddling around with Stunnel, have read various things on the net, and I've seen the page below with details on using Stunnel with Popfile.

http://getpopfile.org/docs/howtos:stunnel

My set up is simply a desktop Windows XP pc, where my motive for using Stunnel is to get Avast Anti-Virus to scan all emails; i.e, some mail servers demand a secure connection meaning Avast usually cannot scan those emails. (I do appreciate however, that those servers usually have some form of anti-virus scanning in place anyway.)
I am using Mozilla Thunderbird with Popfile in circuit on POP connections.

Can I please check in stunnel.conf;
what does the
service=popmail
do?

Also, how do we add further 'popmail' entries into stunnel.conf for more servers?

In general, I haven't yet become clear on the syntax of stunnel.conf, including whether the words in [ ] can be anything we choose, or they have actual functional significance.
Below is my current attempt at stunnel.conf, which I first built before introducing Popfile into the equation. All appears to be working, but I'd be grateful for any corrections or improvements.

Many thanks,
Lee
UK

client=yes
service=popmail

[popmail]
accept = 127.0.0.1:210
connect = pop.mail.yahoo.co.uk:995

[popmail]
accept = 127.0.0.1:310
connect = pop.tools.sky.com:995

[pop3_sky]
accept = 127.0.0.1:1109
connect = pop.tools.sky.com:995

[pop3_yahoo]
accept = 127.0.0.1:1108
connect = pop.mail.yahoo.co.uk:995

[smtp_sky]
accept=127.0.0.1:259
connect=smtp.tools.sky.com:465

[smtp_yahoo]
accept=127.0.0.1:258
connect=smtp.mail.yahoo.co.uk:465

[imap_sky]
accept=127.0.0.1:1439
connect=imap.tools.sky.com:993

  • Message #792

    Can I please check in stunnel.conf;
    what does the
    service=popmail
    do?

    There is no need to specify this in stunnel.conf because Stunnel will use a default name if none is specified. Here is what the Stunnel documentation says:

    service = servicename
    
    use specified string as the service name
    
    On Unix: inetd mode service name for TCP Wrapper library.
    
    On NT/2000/XP: NT service name in the Control Panel.
    
    default: stunnel
    

    Also, how do we add further 'popmail' entries into stunnel.conf for more servers?

    I am not sure what you mean here? You've already created entries for more than one server (Yahoo! and Sky).

    In general, I haven't yet become clear on the syntax of stunnel.conf, including whether the words in [ ] can be anything we choose, or they have actual functional significance.

    I thought the Stunnel installer installed some documentation which describes stunnel.conf in detail. Here is a copy from the author's site: http://stunnel.mirt.net/static/stunnel.html#configuration_file

    The text inside the square brackets is used to mark entries in Stunnel's log file to help you understand the log file. For example here is some data from a simple test I ran:

    stunnel.conf

    cert = ./stunnel.pem
    
    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    
    client = yes
    
    [995]
    accept = 123
    connect = pop3.myrealbox.com:995
    

    stunnel.log

    2009.05.24 19:59:11 LOG5[15738425:15738109]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008
    2009.05.24 19:59:11 LOG5[15738425:15738109]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv4
    2009.05.24 19:59:11 LOG5[15738425:15878101]: No limit detected for the number of clients
    2009.05.24 19:59:36 LOG5[15738425:15811361]: 995 accepted connection from 127.0.0.1:1477
    2009.05.24 19:59:38 LOG5[15738425:15811361]: 995 connected remote server from 192.168.1.80:1478
    2009.05.24 19:59:52 LOG5[15738425:15811361]: Connection closed: 0 bytes sent to SSL, 56 bytes sent to socket
    
    • Message #795

      Hello Brian, and thanks for replying.

      Lee: "Also, how do we add further 'popmail' entries into stunnel.conf for more servers?"
      Brian: "I am not sure what you mean here? You've already created entries for more than one server (Yahoo! and Sky)"

      It appears I wrongly guessed how to interpret the Popfile page on Stunnel. I thought I had to add extra lines, when in fact, all I need to do is change the syntax/ports on my existing POP entries, isn't it?

      Lee: "In general, I haven't yet become clear on the syntax of stunnel.conf, including whether the words in [ ] can be anything we choose, or they have actual functional significance."
      Brian: "I thought the Stunnel installer installed some documentation which describes stunnel.conf in detail. Here is a copy from the author's site: http://stunnel.mirt.net/static/stunnel.html#configuration_file
      The text inside the square brackets is used to mark entries in Stunnel's log file to help you understand the log file."

      I see; so the [ ] parts are simply non-functional names, which can be anything.

      I had read the Stunnel docs a little, but I often struggle with reading docs and help files then applying that into actual practice. It's partly as if I get a block or 'don't see the wood for the trees'. Generally I need to find an example or advice on specifically what I am wanting to do, before I can start to grasp a new concept.

      Lee

      • Message #796

        It appears I wrongly guessed how to interpret the Popfile page on Stunnel.

        That page is perhaps a little terse ... and it is also rather old (it is based upon information supplied by a user way back in May 2003 and does not seem to have been updated much since then). Another problem is that it does not really say anything about expanding things to support SSL connections to more than one mail server.

        I thought I had to add extra lines, when in fact, all I need to do is change the syntax/ports on my existing POP entries, isn't it?

        The short answer is "Yes" but you'll need to be careful. As you are going to end up with a rather complicated configuration I suggest you make a note of all the settings in case something goes wrong and you need to re-enter the settings!

        You will need a section in stunnel.conf for each SSL server you need to use. Each of these sections must use a different "accept" port. The stunnel.conf example you quoted has two entries using "pop.mail.yahoo.co.uk:995" and two entries using "pop.tools.sky.com:995" - is that a mistake?

        How are you intending to insert avast! antivirus into the POP3 proxy chain?

        Normal chain: Thunderbird -- internet -- mail server

        Add POPFile: Thunderbird -- POPFile -- internet -- mail server

        Add Stunnel: Thunderbird -- POPFile -- Stunnel -- internet -- mail server

        Where have you added avast! antivirus into this chain? According to the avast! antivirus Home Edition 4.8 User Guide it is possible to configure it for transparent e-mail scanning. Any emails that pass through the specified ports will be scanned for viruses. The default ports are the standard port numbers for the four basic e-mail protocols but you can specify a different port (or ports) via the Redirected Ports setting.

        Brian

        • Message #804

          Hello again Brian, and thanks.

          Brian:
          The stunnel.conf example you quoted has two entries using "pop.mail.yahoo.co.uk:995" and two entries using "pop.tools.sky.com:995" - is that a mistake?

          Me now:
          Yes, that was a result of me misunderstanding how to build the stunnel.conf including whether I had to re-enter entries for Popfile or just modify existing ones.
          I assume the port 210 in the Popfile Stunnel example page has been chosen just because it is one digit different from 110? And further servers in there would be using 211, etc?

          Brian:
          How are you intending to insert avast! antivirus into the POP3 proxy chain?

          Me now:
          Getting Avast to scan all emails (including those on secure connections) was the reason I started dabbling with Stunnel. I do appreciate however this is probably not needed seeing as I think the mail servers do anti-virus scanning anyway.

          I've since noticed however, having reverted for now to how I was with just Popfile and TB, that the Avast email scanner is/was already scanning all POP3 emails. This is with the Avast redirected ports left at the defaults including just 110 for POP3, and 'ignore local communication' unchecked. However, emails from non-secure connections end up getting scanned twice, whilst secure emails just once. Checking the 'ignore local communication' option removes any scanning on one or both of those scenarios, I forget which at present.
          I assume this ability for Avast to scan emails on secure connections is a byproduct of routing through Popfile using the TB username syntax of server:username:ssl

          By the way, I don't use IMAP through Popfile, because as far as I can gather, it cannot add the headers of X-Text-Classification and X-Popfile-Link, can it? I do like having those extra headers available (using the TB extension Mnenhy) and regularly use them on POP3'd emails.

          I may go back to using Stunnel, so I can attempt to do the scanning just once / 'properly'. :)

          By the way, I appreciate this isn't a Stunnel support forum (I've asked a few questions on theirs as well) but am I right in thinking that I cannot 'securify' connections to mail servers that do not offer SSL? e.g., ukonline which I use only offers non-secured connections, so I cannot use Stunnel to help me there, can I? That may seem a silly question .... but I'd like to check. :)
          (I'm not talking about using forwards to force email traffic through other ISPs' servers which do offer secure connections)

          Lee

          • Message #805

            I assume the port 210 in the Popfile Stunnel example page has been chosen just because ...

            That is probably the reason. Port numbers can go as high as 65535 so if you wanted you could assign a different block of numbers to each mail server. For example you could add 2000 to the standard ports for Yahoo! and add 3000 to those for Sky like this:

            2465 -> smtp.mail.yahoo.co.uk:465
            2995 -> pop.mail.yahoo.co.uk:995

            3465 -> smtp.tools.sky.com:465
            3993 -> imap.tools.sky.com:993
            3995 -> pop.tools.sky.com:995

            In the same way that port 110 is the default POP3 port, there are other "standard ports" allocated but I've not made any attempt to see if these 2xxx and 3xxx numbers conflict with any of them; I just wanted to give some examples.

            However, emails from non-secure connections end up getting scanned twice

            That is probably because you left POPFile's POP3 listening port at the default setting (110). If you change this to port 123, say, then your insecure mail should only be scanned once. By default POPFile uses port 110 to communicate with POP3 mail servers so the chain for non-SSL POP3 traffic would be like this:

            Thunderbird -- port 123 -- POPFile -- port 110 -- Avast scanner -- internet -- POP3 mail server

            If you change POPFile's POP3 listening port (on the UI's CONFIGURATION page) then you will also need to change the account settings in Thunderbird to use the new port for all accounts configured to use POPFile.

            Our wiki has some information about Proxy Chaining and even some old information about Avast 4.5.

            I don't use IMAP through Popfile, because as far as i can gather, it cannot add the headers of X-Text-Classification and X-Popfile-Link can it?

            POPFile's IMAP module works differently from the normal POP3 mode. When you use POPFile's IMAP mode you do not make any changes to Thunderbird. In IMAP mode POPFile moves messages around on the remote IMAP server and Thunderbird will see the results when it accesses the IMAP server.

            POP3 mode:
            Thunderbird -- POPFile -- internet -- POP3 mail server

            IMAP mode:
            Thunderbird -- internet -- IMAP mail server
            POPFile -- internet -- IMAP mail server

            am I right in thinking that I cannot 'securify' connections to mail servers that do not offer SSL? e.g., ukonline which I use only offers non-secured connections, so I cannot use Stunnel to help me there, can I?

            This is correct. If you want to use a secure connection then BOTH ends must support secure connections. If ukonline do not support SSL connections then when Stunnel tries to connect it will fail because the ukonline end will not make the correct response to Stunnel's attempt to communicate with it.

            Brian

            • Message #806

              Thanks again, Brian, all very helpful.

              :)

              Lee