How To Set Up Stunnel. This guide covers how to set up stunnel for endpoints that support only SSL. Since ObjectiveFS has built-in client side encryption and always encrypts your data at rest and in transit, you don’t need to use stunnel for most cases.
- The stunnel client configuration is very similar to the server configuration. To specify that this stunnel instance is a client, add client = yes to the configuration.
- The changelog on the stunnel website says support for P12 was added in 5.33 2016.06.23 and the manpage says to just put it in cert=; before that (and after) given P12 openssl pkcs12 converts to PEM which any openssl (and stunnel) back to the oughties can handle. – davethompson085 Jun 13 '17 at 13:57.
Many programs running on various servers will send an email to notify you of alerts or other interesting things happening with the program. Some of these programs send email without encryption. If you’re using Office 365 or almost any other major email provider, sending email without encryption isn’t an option. In those cases you will need to use a mail relay program to get the mail out.
A mail relay program accepts your program’s email without encryption, then wraps it in an encrypted connection so it can be sent to Office 365 for delivery to the intended recipient.
There have been many community posts and How-To articles written about this subject. I’ve read a lot of them. Most confused me even more. Several recommended setting up IIS on a server as part of their solution. But there is an easier way.
I recently had a need to relay mail, as described above. Here is how I solved this with a free program called Stunnel.
7 Steps total
Step 1: What I had in place
- Our domain uses Office 365 for email.
- One of our email accounts is [email protected]
- I have a pc to use for my mail relay program. You could use any pc on your network.
- I have a program on a server that needs to send email without encryption.
Step 2: On the pc that will run the relay program
Setting up an encrypted tunnel using stunnel. To implement encrypted communication between Redis masters and slaves, we recommend using stunnel. Stunnel works as a TLS encryption wrapper between client and server. This step-by-step tutorial will explain how to install and configure stunnel proxies on a FreeBSD client and server. Stunnel is an open-source proxy service that adds TLS encryption to clients and servers already existing on a VPN network. TLS encryption provided by Stunnel can be used as an additional layer of encryption for data sent by OpenVPN.
1. Download and install Stunnel from https://www.stunnel.org/downloads.html . I used the installer.exe version for my Windows relay pc.
2. Configure Stunnel to run as a service by running Start-> All Programs-> stunnel->Service Install.
3. Download a configuration file that is already setup for Office 365 from http://www.messageops.com/downloads/o365/stunnel.zip .
4. Open the stunnel.conf file and modify it just a little bit. The original file looks like this:
# Stunnel configuration file for Office 365 SMTP and POP3
# Author: MessageOps, www.messageops.com
# GLOBAL OPTIONS
client = yes
output = stunnel-log.txt
# SERVICE-LEVEL OPTIONS
[POP3 Incoming]
accept = 110
connect = pod51008.outlook.com:995
[SMTP Outgoing]
protocol = smtp
accept = 25
connect = pod51008.outlook.com:587
Step 3: Use Notepad to open the file and make these modifications
1. Change the log filename in the ‘output’ line to: output = C:\stunnel.log
2. Remove the three lines in the POP3 section.
3. In the [SMTP Outgoing] section, change the ‘connect’ line to: connect = smtp.office365.com:587
4. (Your smtp settings can be found in your Outlook Web Access settings – Options – All Options – Account – My Account – Account Information – Settings for POP, IMAP, and SMTP access).
Step 4: The SMTP settings in OWA look like this
Step 5: Save the new Stunnel config file
Save this modified file in C:\Program Files (x86)\stunnel\stunnel.conf. (Overwrite the existing file). The new file should look like this.
Step 6: Get Stunnel Ready to go
Start the service at Start-> All Programs-> stunnel->Stunnel Service Start.
Step 7: On the program that needs to send email without encryption
Since we’re only interested in sending mail, let’s ignore the POP3 or IMAP settings. Enter the settings for SMTP.
1. Outgoing mail server = IP or computer name of the pc running the relay program (Stunnel).
2. Port = 25.
3. Email address = must be a valid email in your Office 365 account. In my example, it is [email protected]
4. Password = password for the Office 365 [email protected] account.
5. No security or encryption. Password transmitted insecurely.
That’s it! You should be able to send mail to anyone now. Stunnel is a great tool. It just listens on port 25. When it hears something, it adds the appropriate data around your un-encrypted email and sends it on to the mail server and port you specified in the conf file. Right click Stunnel in the system tray and explore some of its options. With much thanks to http://www.messageops.com/smtp-relay-with-office-365 .
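Added example, not part of the original how-to or the MessageOps file: stunnel in client mode does not verify the server certificate unless verifyChain or verifyPeer is set, and accept = 25 listens on every interface, so this small audit flags both in the guide's config and shows a variant that passes. The helper names parse and audit, the address 192.0.2.10 and the CAfile name are assumptions made for the example.

```python
# Constructed input: the relay config as the guide leaves it after Step 3.
GUIDE_CONF = r"""
client = yes
output = C:\stunnel.log
[SMTP Outgoing]
protocol = smtp
accept = 25
connect = smtp.office365.com:587
"""

# Constructed hardened variant. 192.0.2.10 stands in for the relay's LAN
# address; the CAfile name is an assumption, point it at your CA bundle.
HARDENED_CONF = GUIDE_CONF.replace("accept = 25", "accept = 192.0.2.10:25") + (
    "verifyChain = yes\nCAfile = ca-certs.pem\ncheckHost = smtp.office365.com\n")

def parse(text):
    """Return (global options, {service: options}) with lower-cased keys."""
    glob, services = {}, {}
    cur = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = services.setdefault(line[1:-1], {})
            continue
        key, _, val = line.partition("=")
        cur[key.strip().lower()] = val.strip()
    return glob, services

def audit(text):
    """Return (service, finding) pairs for every client-mode service."""
    glob, services = parse(text)
    findings = []
    for name, opts in services.items():
        eff = {**glob, **opts}  # options before the first section are defaults
        if eff.get("client", "no").lower() != "yes":
            continue
        chain = eff.get("verifychain", "no").lower() == "yes"
        peer = eff.get("verifypeer", "no").lower() == "yes"
        if not (chain or peer):
            findings.append((name, "no-cert-verification"))
        elif chain and not peer and "checkhost" not in eff:
            findings.append((name, "chain-verified-but-no-checkhost"))
        if "accept" in eff and eff["accept"].rpartition(":")[0] in ("", "0.0.0.0", "::"):
            findings.append((name, "accept-on-all-interfaces"))
    return findings

if __name__ == "__main__":
    for label, conf in (("guide", GUIDE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

Binding to one address narrows the listener but does not authenticate the sender; a host firewall rule that admits only the sending server to port 25 is still needed.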
- Pimientojamesgoodwin Mar 26, 2015 at 03:05am
We just migrated to 365. The migration was successful but now I am tying up some loose ends. One of them is our on premise phone system. Before the migration I was able to enter the email account of the user with the extension and they would be emailed a wav file of the message. All that was entered was our email server name and port, then set the specific user's email to that extension.
Now after the migration I can't seem to get it to work using the new parameters from 365. After some research I found this article but can't seem to get it to send email.
I have Stunnel up and working (can tell by the log files), however my device does not have a spot for a password to be entered. I have my email address and the outgoing server as the IP address of the computer that has Stunnel.
Does anyone have any thoughts?
| Initial release | 10 December 1998; 22 years ago |
| License | GNU General Public License |
Stunnel is an open-source multi-platform application used to provide a universal TLS/SSL tunneling service.
Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively. It runs on a variety of operating systems, including most Unix-like operating systems and Windows. Stunnel relies on the OpenSSL library to implement the underlying TLS or SSL protocol.
Stunnel uses public-key cryptography with X.509 digital certificates to secure the SSL connection, and clients can optionally be authenticated via a certificate.
If linked against libwrap, it can be configured to act as a proxy–firewall service as well.
Stunnel is maintained by Michał Trojnara and released under the terms of the GNU General Public License (GPL) with OpenSSL exception.
For example, one could use stunnel to provide a secure SSL connection to an existing non-SSL-aware SMTP mail server. Assuming the SMTP server expects TCP connections on port 25, one would configure stunnel to map the SSL port 465 to non-SSL port 25. A mail client connects via SSL to port 465. Network traffic from the client initially passes over SSL to the stunnel application, which transparently encrypts and decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client.
The stunnel process could be running on the same or a different server from the unsecured mail application; however, both machines would typically be behind a firewall on a secure internal network (so that an intruder could not make its own unsecured connection directly to port 25).