Stunnel



Stunnel Introduction

This document will explain the procedures for installing and configuring Stunnel, a third-party SSL tunneling client to be used if your SMTP server requires SSL. Stunnel is required for WIN-911 V7 as it does not natively. Stunnel relies on the OpenSSL library to implement the underlying TLS or SSL protocol. Stunnel uses public-key cryptography with X.509 digital certificates to secure the SSL connection, and clients can optionally be authenticated via a certificate. If linked against libwrap, it can be configured to act as a proxy–firewall service as well.

Installing stunnel on the self-check machine, when allowed by the vendor, also has the benefit of less network traffic, since the self-check machine will be configured to communicate with localhost (127.0.0.1).

Go-tunnel - Robust Quic/TLS Tunnel (Stunnel replacement). What is it? A supercharged Stunnel replacement written in golang. It is in a sense a proxy enabling the addition of network encryption to existing clients without any source code changes. TLS 1.3 for client and server mode (TLS Connect or TLS Listen).

Many programs running on various servers will send an email to notify you of alerts or other interesting things happening with the program. Some of these programs send email without encryption. If you’re using Office 365 or almost any other major email provider, sending email without encryption isn’t an option. In those cases you will need to use a mail relay program to get the mail out.

A mail relay program accepts your program’s email without encryption, then adds the appropriate data to encrypt the email so it can be sent to Office 365 for delivery to the intended recipient.

There have been many community posts and How-To articles written about this subject. I’ve read a lot of them. Most confused me even more. Several recommended setting up IIS on a server as part of their solution. But there is an easier way.

I recently had a need to relay mail, as described above. Here is how I solved this with a free program called Stunnel.

7 Steps total

Step 1: What I had in place

- Our domain uses Office 365 for email.
- One of our email accounts is it@domain.com.
- I have a pc to use for my mail relay program. You could use any pc on your network.
- I have a program on a server that needs to send email without encryption.

Step 2: On the pc that will run the relay program

1. Download and install Stunnel from https://www.stunnel.org/downloads.html . I used the installer.exe version for my Windows relay pc.
2. Configure Stunnel to run as a service by running Start-> All Programs-> stunnel->Service Install.
3. Download a configuration file that is already set up for Office 365 from http://www.messageops.com/downloads/o365/stunnel.zip .
4. Open the stunnel.conf file and modify it just a little bit. The original file looks like this:

# Stunnel configuration file for Office 365 SMTP and POP3
# Author: MessageOps, www.messageops.com

# GLOBAL OPTIONS
client = yes
output = stunnel-log.txt
debug=4
taskbar=yes

# SERVICE-LEVEL OPTIONS

[POP3 Incoming]
accept = 110
connect = pod51008.outlook.com:995

[SMTP Outgoing]
protocol = smtp
accept = 25
connect = pod51008.outlook.com:587

Step 3: Use Notepad to open the file and make these modifications

1. Change the log filename in the ‘output’ line to: output = C:\stunnel.log
2. Remove the three lines in the POP3 section.
3. In the [SMTP Outgoing] section, change the ‘connect’ line to: connect = smtp.office365.com:587
4. (Your smtp settings can be found in your Outlook Web Access settings – Options – All Options – Account – My Account – Account Information – Settings for POP, IMAP, and SMTP access).

Step 4: The SMTP settings in OWA look like this

Step 5: Save the new Stunnel config file

Save this modified file as C:\Program Files (x86)\stunnel\stunnel.conf. (Overwrite the existing file). The new file should look like this.

Step 6: Get Stunnel Ready to go

Start the service at Start-> All Programs-> stunnel->Stunnel Service Start.

Step 7: On the program that needs to send email without encryption

Since we’re only interested in sending mail, let’s ignore the POP3 or IMAP settings. Enter the settings for SMTP.
1. Outgoing mail server = IP or computer name of the pc running the relay program (Stunnel).
2. Port = 25.
3. Email address = must be a valid email in your Office 365 account. In my example, it is it@domain.com.
4. Password = password for the Office 365 it@domain.com account.
5. No security or encryption. Password transmitted insecurely.

That’s it! You should be able to send mail to anyone now. Stunnel is a great tool. It just listens on port 25. When it hears something, it adds the appropriate data around your un-encrypted email and sends it on to the mail server and port you specified in the conf file. Right click Stunnel in the system tray and explore some of its options. With much thanks to http://www.messageops.com/smtp-relay-with-office-365 .
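The file that Steps 3 and 5 produce, run through a small check, as an added example that is not part of the original article: by default a stunnel client does not verify the server certificate, and `accept = 25` listens on every interface. The relay address 192.0.2.10 and the CA bundle name ca-certs.pem are assumptions, as are the function names.

```python
# The tutorial's stunnel.conf after the Step 3 edits.
TUTORIAL_CONF = r"""
client = yes
output = C:\stunnel.log
debug=4
taskbar=yes
[SMTP Outgoing]
protocol = smtp
accept = 25
connect = smtp.office365.com:587
"""
# Assumed values: 192.0.2.10 stands in for the relay PC's LAN address and
# ca-certs.pem for a CA bundle in stunnel's configuration directory.
HARDENED_CONF = TUTORIAL_CONF.replace("accept = 25", "accept = 192.0.2.10:25") + (
    "verifyChain = yes\n"
    "CAfile = ca-certs.pem\n"
    "checkHost = smtp.office365.com\n")

def parse(text):
    """Split stunnel.conf text into global options and per-service options."""
    glob, services, cur = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = services.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (glob if cur is None else cur)[key.lower()] = value
    return glob, services

def lint(text):
    """Return (service, finding) pairs for client-mode tunnels."""
    glob, services = parse(text)
    findings = []
    for name, opts in services.items():
        eff = {**glob, **opts}  # service options override global defaults
        if eff.get("client") == "yes" and "yes" not in (
                eff.get("verifychain"), eff.get("verifypeer")):
            findings.append((name, "server certificate is not verified"))
        elif eff.get("client") == "yes" and "checkhost" not in eff:
            findings.append((name, "certificate host name is not checked"))
        if ":" not in eff.get("accept", ""):
            findings.append((name, "accept listens on every interface"))
    return findings

if __name__ == "__main__":
    print("tutorial:", lint(TUTORIAL_CONF))
    print("hardened:", lint(HARDENED_CONF))
```

Because Step 7 sends the mailbox password to the relay in clear text, also restrict port 25 on the relay PC to the sending server with the host firewall.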

1 Comment

  • Pimiento
    jamesgoodwin Mar 26, 2015 at 03:05am

    We just migrated to 365. The migration was successful but now I am tying up some loose ends. One of them is our on premise phone system. Before the migration I was able to enter the email account of the user with the extension and they would be emailed a wav file of the message. All that was entered was our email server name and port, then set the specific user's email to that extension.

    Now after the migration I can't seem to get it to work using the new parameters from 365. After some research I found this article but can't seem to get it to send email.

    I have Stunnel up and working (can tell by the log files), however my device does not have a spot for a password to be entered. I have my email address and the outgoing server as the IP address of the computer that has Stunnel.
    Does anyone have any thoughts?

    Thank you

stunnel
Developer(s): Michał Trojnara
Initial release: 10 December 1998; 22 years ago[citation needed]
Stable release
Repository: www.stunnel.org/downloads.html
Written in: C[2]
Operating system: Multi-platform
Type: Proxy, Encryption
License: GNU General Public License
Website: www.stunnel.org

Stunnel is an open-source multi-platform application used to provide a universal TLS/SSL tunneling service.

Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively.[3] It runs on a variety of operating systems,[4] including most Unix-like operating systems and Windows. Stunnel relies on the OpenSSL library to implement the underlying TLS or SSL protocol.

Stunnel uses public-key cryptography with X.509 digital certificates to secure the SSL connection, and clients can optionally be authenticated via a certificate.[5]

If linked against libwrap, it can be configured to act as a proxy–firewall service as well.

Stunnel is maintained by Michał Trojnara and released under the terms of the GNU General Public License (GPL) with OpenSSL exception.

Example scenario

For example, one could use stunnel to provide a secure SSL connection to an existing non-SSL-aware SMTP mail server. Assuming the SMTP server expects TCP connections on port 25, one would configure stunnel to map the SSL port 465 to non-SSL port 25. A mail client connects via SSL to port 465. Network traffic from the client initially passes over SSL to the stunnel application, which transparently encrypts and decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client.[citation needed]

The stunnel process could be running on the same or a different server from the unsecured mail application; however, both machines would typically be behind a firewall on a secure internal network (so that an intruder could not make its own unsecured connection directly to port 25).

References

  1. Trojnara, Michał. "Downloads". Stunnel. Retrieved 25 February 2021.
  2. Trojnara, Michał. "stunnel sources". GitHub. Retrieved 12 May 2020.
  3. O'Donovan, Barry (October 2004). "Secure Communication with Stunnel". Linux Gazette, Issue 107.
  4. "stunnel: Ports". Archived from the original on 1 April 2019. Retrieved 24 August 2020.
  5. "stunnel(8) manual".

Retrieved from 'https://en.wikipedia.org/w/index.php?title=Stunnel&oldid=1008835684'