This page and all referenced code Copyright (c) 2002 Scott W. Gifford. <sgifford@suspectclass.com>
Unless otherwise noted, on this page or in the code itself, you are free to use the information and code presented here in any way you like.
This page describes a technique for using stunnel as a proxy that adds negotiated TLS (STARTTLS-style) support to an existing server. stunnel acts only as a proxy, so it needs nothing more than read access to the certificate, the network connection, and a channel to the program that actually speaks the protocol; because of this, stunnel can run under an unprivileged UID in a chroot environment. stunnel also provides a plaintext fallback when the client does not request TLS, so the same server can serve both TLS and unencrypted clients.
It currently supports SMTP, POP3, and IMAP.
It includes a patch (README) that adds support for IMAP, a plaintext proxy mode, chroot, early setuid/setgid, and using an already-open file descriptor as the plaintext server; instructions for applying this technique to SMTP with qmail-smtpd, POP3 with qmail-pop3d, and IMAP with Courier IMAP; and a small program called makesock, which starts stunnel and the server program and connects the two with a socket.
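As an added illustration of what makesock does (this is example code written for this page, not the makesock program itself or any part of stunnel), the Python below connects a "proxy" command and a "server" command with a UNIX socketpair rather than a TCP port, so the plaintext side of the protocol never touches the network and each side can be started under its own unprivileged user. The sh one-liners standing in for stunnel and the real server are constructed placeholders; the user= argument assumes Python 3.9 or later.

```python
import socket
import subprocess


def spawn_pair(proxy_cmd, server_cmd, proxy_user=None, server_user=None):
    """Start proxy_cmd with one end of a socketpair on its stdin/stdout and
    server_cmd with the other end; return (proxy_exit, server_exit).

    proxy_user/server_user, when given, are user names or UIDs that each
    child switches to before exec (the "early setuid" the page mentions).
    """
    proxy_end, server_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        proxy = subprocess.Popen(proxy_cmd, stdin=proxy_end.fileno(),
                                 stdout=proxy_end.fileno(), user=proxy_user)
        server = subprocess.Popen(server_cmd, stdin=server_end.fileno(),
                                  stdout=server_end.fileno(), user=server_user)
    finally:
        # The parent keeps no copy of either end, so once both children exit
        # the socket is gone. close_fds defaults to True, so neither child
        # inherits the other side's descriptor either.
        proxy_end.close()
        server_end.close()
    return proxy.wait(), server.wait()


def demo(reply="PONG"):
    # Constructed stand-ins: the "proxy" sends one line over the socket, the
    # "server" answers it, and each side exits non-zero if it saw the wrong
    # text. Real use would pass the stunnel and qmail/Courier command lines.
    proxy = ["sh", "-c", 'echo PING; read got; [ "$got" = PONG ]']
    server = ["sh", "-c", 'read req; [ "$req" = PING ] && echo %s' % reply]
    return spawn_pair(proxy, server)


if __name__ == "__main__":
    print(demo())  # (0, 0): both sides saw the expected line
```

With a wrong reply, demo("NOPE") returns (1, 0): the proxy side detects the mismatch while the server side still exits cleanly.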