In the process of making stunnel work exactly how I want it to with qmail, I came up with 3 patches. You can get information about what I'm working on at:

http://www.suspectclass.com/~sgifford/qmail-smtp-tls-proxy/smtp-tls.README

Some of these patches require the "-F 5 -l" flags to patch.

****************
*** paranoia ***
****************

(stunnel3.22-paranoia0.1.patch)

This patch allows stunnel to run more securely in some situations, by accepting a flag which causes stunnel to chroot immediately after starting, and another flag which causes stunnel to do the setuid/setgid calls immediately, instead of waiting until after the sockets are open.

The flags added are:

-/ chroot-dir: chroot(chroot-dir) as soon as starting up. Note that any files or directories you require, such as the PID directory, must be created within the new root. Additionally, you must create a fake path within your chroot directory to contain the openssl configuration file.

-i: setuid()/setgid() immediately, instead of waiting until after listening on the socket.

Additionally, this patch makes the UID and GID given to the -s and -g options be used directly as numeric IDs, instead of being looked up in /etc/passwd or /etc/group, if they consist entirely of digits.

**************
*** openfd ***
**************

(stunnel3.22-openfd0.1.patch, stunnel3.22+paranoia0.1-openfd0.1.patch)

This patch allows stunnel to do secure forwarding to a file descriptor, instead of to a local program or a remote program. It only makes sense to use this in conjunction with the -f flag, under something like inetd or tcpserver. It is your responsibility to have the file descriptor opened when stunnel is run.

The flag added is:

-F fd: Do secure forwarding to file descriptor fd. This descriptor must be a socket, since two-way communications are required.

Use the "stunnel3.22+paranoia0.1-openfd0.1.patch" to use this in conjunction with the stunnel-paranoia patch.
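As an added illustration of what the paranoia patch describes (chroot first, then the setgid/setuid calls, with all-digit -s/-g values used directly so no /etc/passwd is needed inside the chroot), here is a stand-alone C helper. It is not stunnel's code or part of these patches; the function names are my own, and it assumes the caller is still root when drop_privileges() runs.

```c
#define _GNU_SOURCE
/* Added example, not stunnel's code or the paranoia patch itself: the
 * privilege-drop order the patch describes. Assumes the caller is root
 * when drop_privileges() runs; name lookups must happen before chroot. */
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Nonzero if s is non-empty and consists entirely of digits. */
static int all_digits(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Resolve a -s style argument: an all-numeric string is used directly
 * (important inside a chroot that has no /etc/passwd); otherwise the
 * name is looked up. Returns 0 on success, -1 if the name is unknown. */
int resolve_uid(const char *spec, uid_t *out) {
    if (all_digits(spec)) { *out = (uid_t)strtoul(spec, NULL, 10); return 0; }
    struct passwd *pw = getpwnam(spec);
    if (!pw) return -1;
    *out = pw->pw_uid;
    return 0;
}

int resolve_gid(const char *spec, gid_t *out) {
    if (all_digits(spec)) { *out = (gid_t)strtoul(spec, NULL, 10); return 0; }
    struct group *gr = getgrnam(spec);
    if (!gr) return -1;
    *out = gr->gr_gid;
    return 0;
}

/* chroot while still root, then drop supplementary groups, gid and uid in
 * that order (setgid after setuid would fail). The final setuid(0) probe
 * confirms the drop is irreversible. Returns 0 on success, -1 with errno. */
int drop_privileges(const char *chroot_dir, uid_t uid, gid_t gid) {
    if (chroot_dir && (chroot(chroot_dir) != 0 || chdir("/") != 0)) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}
```

Resolve names before calling drop_privileges(), since after the chroot there is no /etc/passwd or /etc/group to consult.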
******************
*** bettersmtp ***
******************

(stunnel3.22-bettersmtp0.1.patch)

This patch improves SMTP support when "-n smtp" is used. It fixes a bug where the greeting could have a stray \r in it. Instead of always giving an EHLO list that just consists of STARTTLS, it now reads the EHLO list from the real server, then adds STARTTLS to it. Instead of refusing to communicate if STARTTLS isn't given, it causes stunnel to fall back on unencrypted communication, using a new function called plaintext_proxy. This allows you to use stunnel connected to your real SMTP server as your primary SMTP server, supporting both encrypted and unencrypted connections.