in Articles

Add proper SSL/TLS support for all applications using stunnel

I really like Evolution both for email and its calendaring features. The problem is that one of my email accounts requires an SSL client certificate to be able to connect. Thunderbird supports this out of the box, but Evolution does not. Instead of patching Evolution itself, it would be much easier to just proxy the requests. Here is where stunnel comes in.

Using stunnel, it is possible to setup an SSL connection and have Evolution run an unencrypted channel through it. Since this will open a tunnel directly to the mail-server, it is very important to only bind stunnel to localhost. Otherwise, anyone will be able to use your tunnel to connect to your server!

So in my scenario I want to use a client certificate in SSL. The following command does everything I need:

stunnel -d localhost:9930 -r mail.xx.yy:993 -c -p ~/mail.pem

It will setup a listening socket on port 9930 and connect it to mail.xx.yy port 993 and use mail.pem for the client certificate. Evolution can now be setup using localhost:9930 as the email server and not using SSL encryption, since it will be added by stunnel.

If you would want this for SMTP, which usually uses explicit SSL (you need to start it using STARTTLS), stunnel even has support for that. Just extend the previous command to this.

stunnel -d localhost:20025 -r smtp.xx.yy:25 -c -p ~/mail.pem -n smtp

Using -n smtp will tell stunnel to create the TLS connection before it lets Evolution proceed with its connection.