POPFile, STunnel, & SSL Mail
A couple of months ago a competitor in my industry’s network was hacked, and source code to one of their major projects was stolen. While I don’t know EXACTLY how this was done, it did cause ripples in my industry, with several other companies (mine included) making changes “in the name of security”. Some I don’t agree with, one of which was the banning of Outlook & Outlook Express as mail clients in our office.
Now up until this happened, I used Outlook Express and Pegasus Mail (depending on which of my 7 or 8 mail accounts I was using). I used to use Netscape Mail awhile back as my primary mail program (for Work & Home mail), with Pegasus handing things like mail for my Black Sabbath site mailing list, as Pegasus Mail has some of the best filters I’ve ever seen in a mail program. But Pegasus’ address book is ass, and is the weakest part of the program. I’ve always loved Outlook Express’ address book, that’s the primary reason I’ve used that in the past.
However, all that’s changed. Since I couldn’t use Outlook Express anymore at work due to company policies, I was forced to look for another solution. MY first thought was Netscape Mail, but I took a look at Mozilla, because Netscape Mail is the same thing as Mozilla, except it has some extra “AOL Bloat” in it. So I actually was using Mozilla for a bit, but found it to be too slow, so I looked at a few others, and then decided to go back to Pegasus Mail full time. I also used to sync my Palm address book with Outlook Express’ address book, so everything would be current. However, the draw of the speed and superior filtering capabilities was enough to draw me back in to using Pegasus Mail full time (I just wish the address book would get an overhaul). So, after converting my address book (with the Dawn) utility, I was up and running.
Shortly after that, I got told of another change to security which would require me to make more changes in my mail setup.
I was told that POP mail would now have to be encrypted. That wouldn’t itself be a problem, except that I also use a program called “POPFile” to filter my spam. Basically POPFile is a program that sits inbetween your mail client and your mail server. It tags emails as they’re being downloaded so your mail proram can filter them depending on what’s in them.
Mail Program <-> POPFile <-> Mail Server
The problem with that is that POPFile doesn’t know anything about using SSL – it’s incapable of it. Having SSL mail is a good idea for security’s sake, and I don’t argue against it, but since I wanted to continue using POPFile to filter my spam, I needed some other solution because POPFile can’t read the mail server which is now SSL encrypted. So, I looked around and ran across a program called STunnel. Basically, STunnel is a freeware SSL Wrapper program. What’s that mean? It means that I can still run POPFile to grab my mail. However, now the chain of programs looks like this.
Mail Program <-> POPFile <-> STunnel <-> SSL Mail Server
It seems like a bit of a pain in the ass to retrieve my mail this way, and I have to admit, it was a real bitch to set up, but it does work, and once it’s setup, it’s seamless. It’s not like I have to interact with POPFile & STunnel anyway – I basically run my mail client (Pegasus Mail in my case), and it gets the mail. Now I do interface with POPFile, because since I get a few thousand pieces of email a day (about 84% of which is spam), I need to make sure the program is kept relatively clean. POPFile will log all the inbound emails, and if unchecked, you’ll have a TON of them when you go to look at the log, so I clear that out a few times a day. Also, if there’s a piece of mail that is incorrectly flagged, I need to go into POPFile and tell it that, so it can learn from that mistake and filter things better in the future. But I don’t have to if I really don’t want to.
Setting up this combination was a pain as I said above. The biggest problem I ran across was that STunnel doesn’t have a lot of documentation with it. I tried, and couldn’t get it working right. Foruntately, one of my co-workers here had already gotten it running, so I took a look at his config file and could get it working. And that brings me to the main reason for writing this blog entry. How I got Pegasus Mail working with POPFile, STunnel, and an SSL Encrypted POP Mail Server.
1) STunnel Config File:
Basically working backwards, this is the config file I have working with STunnel (with locations for my real mail server changed – I’m not that foolish to post that info in my blog
— [ STunnel Config File – Cut Here] ——
[popmail] accept = 127.0.0.1:210
connect = mail.whatever.com:995
— [ STunnel Config File – Cut Here] ——
Port 210 is what I use locally to interface between my mail program and STunnel – Port 995 is a standard Port used for SSL encrypted mail servers. 127.0.0.1 is a universal IP for “local machine”.
2) POPFile Config:
As far as I can tell, I didn’t have to change anything with POPFile beyond the default setup. Now POPFile’s install instructions for your mail program will differ (see next step), but there’s nothing odd in the POPFile config area I have set.
3) Pegasus Mail Config:
This part was a bit tricky, as you have to put some really odd strings in your mail setup to get all this to work right.
First off, you DO NOT want to set any of the “Secure Mail” options in Pegasus Mail to on. As far as Pegasus Mail is concerned, it’s going through POPFile, and that is a non secure connection. Even though the connetion to our mail server is secure, Pegasus’s connection to POPFile is not – it’s when that connection hits STunnel that it becomes SSL encrypted.
As you can see here, you want to have your mail server name be 127.0.0.1 as it is in the default POPFile config. However, the trick comes with the username. What I have entered here is 127.0.0.1:210:joes joes is the login name for my mail server, and the :210 gets passed through POPFile to STunnel, which is where the 210 in the Stunnel config file comes into play. When STunnel sees that, it “converts” your connection to what we have set up, in this case the mail.whatever.com on Port 995, which is the SSL port. Also, in this screenshot, you see Port 110 – which is the standard POPmail port. IF we were going straight from Pegasus to the SSL server, that would be 995, but since Pegasus is going through POPFile then through STunnel, we do not want Pegasus Mail to do anything other than the standard port of 110.
The cool thing about entering your user name as 127.0.0.1:210:joes is that it does not force you to run all your mail through STunnel and the secure server of 995. I have other accounts in Pegasus Mail that do not come from an SSL server, and those are basically set up the standard POPfile way of setting up your mail account.
I hope this was helpful to someone, because I found it frustrating getting STunnel working with Pegasus Mail, PopFile, and an SSL Mail server. The key was having a working sTunnel.conf file.