# getmail and stunnel help

## HomerSimpson

I am using getmail to get my mail but do not like that my username and password are passed through the internet as plain text. Unfortunately I have been doing this with Outlook for many years. Since I have gotten Gentoo up and running I have been reading and learning. Scary!!!

How do I get getmail to use stunnel to create a secure link to my isp's pop3 server?

I executed:

```
stunnel -c -d pop-3 -r <my_isp>:pop3s
```

Should I see something running when I run ps -ef? I don't.

BTW I am running a pop3 server locally so that my other comp can read the mail downloaded by getmail. If I set up stunnel to redirect my pop3 port for getmail will I also affect the connection coming from my other comp as well?

Any help in the configuration of stunnel is greatly appreciated.

Thanks

----------

## fifo

Well I don't know anything about stunnel, but could the problem be that the local pop3 port is already being used by your own pop3 server? Try doing, for example,

```
stunnel -c -d 12345 -r <my_isp>:pop3s
```

instead, and see if you can get mail from localhost:12345. You can check if the port is being listened on by running

```
netstat -a
```

----------

## HomerSimpson

Yeah that is probably it but unfortunately I still can't get an ssl connection to my isp. It doesn't appear that earthlink supports ssl.

I am fairly new to all this stuff but it is somewhat surprising to me that all isps don't support a secure link for email.

Thanks for your help.

----------

## rtn

Yeah, your ISP has to support POP over SSL (pop3s) in order for you to be able to stunnel your pop connection, else you have nothing on the remote end to connect to.

It seems that IMAP over SSL (imaps) has been more popular and better supported, but take that for what it's worth...

--rtn

----------

## bludger

My mail server (web.de) does support ssl, but I still can't get it working. When I start stunnel as a normal user, it does not start, returning no error messages.

When I start it as root, it does start, but when I attempt to connect using getmail, getmail returns

```
getmail started for username@127.0.0.1:110
  POP3 protocol error (-ERR EOF)
```

and stunnel stops with no messages.

Do I have to set up some certificate stuff or something?

----------

## bludger

 *bludger wrote:*   

> My mail server (web.de) does support ssl, but I still can't get it working.  When I start stunnel as a normal user, it does not start, returning no error messages.  
> 
> When I start it as root, it does start, but when I attempt to connect using getmail, getmail returns 
> 
> getmail started for username@127.0.0.1:110
> ...

 

As usual, I found a couple of answers to my own questions shortly after posting.  

Firstly, stunnel starts in background mode, unless you use the -f switch.  To see output from stunnel, use the -f switch.  

I then saw that the reason it would not start as a non-root user was that it was trying to write to /var/run/xxx.pid.  To remove this, I just started it with "-p none".  

So when starting it with the following flags, it starts correctly.

```
/usr/sbin/stunnel -c -d 9110 -r pop3.web.de:pop3s -f -P none -D 7
```

The output looks as follows:

```
2003.05.06 14:40:45 LOG5[6961:16384]: Using 'pop3.web.de.pop3s' as tcpwrapper service name
2003.05.06 14:40:45 LOG7[6961:16384]: RAND_status claims sufficient entropy for the PRNG
2003.05.06 14:40:45 LOG6[6961:16384]: PRNG seeded successfully
2003.05.06 14:40:45 LOG5[6961:16384]: stunnel 3.22 on i686-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6i Feb 19 2003
2003.05.06 14:40:45 LOG7[6961:16384]: No pid file being created
2003.05.06 14:40:45 LOG5[6961:16384]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed
2003.05.06 14:40:45 LOG7[6961:16384]: SO_REUSEADDR option set on accept socket
2003.05.06 14:40:45 LOG7[6961:16384]: pop3.web.de.pop3s bound to 0.0.0.0:9110
```

Then when I tried to access my mail server with getmail (aimed at localhost:9110), I got the following messages:

```
2003.05.06 14:42:36 LOG7[6961:16384]: pop3.web.de.pop3s accepted FD=4 from 127.0.0.1:3410
2003.05.06 14:42:36 LOG7[20511:16386]: pop3.web.de.pop3s started
2003.05.06 14:42:36 LOG5[20511:16386]: pop3.web.de.pop3s connected from 127.0.0.1:3410
2003.05.06 14:42:36 LOG7[20511:16386]: pop3.web.de.pop3s connecting 217.72.192.134:995
2003.05.06 14:42:36 LOG7[20511:16386]: Remote FD=7 initialized
2003.05.06 14:42:36 LOG3[20511:16386]: Unable to get access to the SSL private key.
2003.05.06 14:42:36 LOG3[20511:16386]: SSL_get_privatekey: Peer suddenly disconnected
```

Now why is it trying to access a private key?  I understood that this is not necessary in client mode.

This can be easily reproduced by entering the above stunnel command on one terminal and then entering "telnet localhost 9110" on another.

----------

## bludger

I created a dummy certificate with the following command:

```
openssl req -new -x509 -days 365  -nodes -config /etc/ssl/openssl.cnnss.cnf -out stunnel.pem -keyout stunnel.pem
```

This seemed to work, although I am not sure why this is needed for stunnel running as a client.

----------

