Stunnel.org  
Examples

Forwarding an insecure port securely from one machine to another

Let's say you want to use POP from your local machine to a remote machine, but don't have an SSL-aware email client. What you can do is have your machine talk to stunnel on the local machine, which then encrypts the packets and sends them to another stunnel running on the remote machine, which forwards them in clear text to the POP server on that machine.

You must have some port on the remote machine that listens for the encrypted connection. You can either pick some arbitrary high port (for cases where you're not running as root this may be the only option, for example) or, if the protocol has a port reserved for an SSL variant, you could use it. So, we could pick the port 50493 out of the air if we didn't want to use the actual registered port for pop3s -- 995. The example below uses pop3s, but you could use your own port instead as long as you are consistent.

So what we need is the following:

	foo
		The local machine. Stunnel listens on foo:pop3, forwards to bar:pop3s.
	bar
		The remote mail machine. Stunnel listens on bar:pop3s, forwards to bar:pop3.

So, we need to run the following on foo:

	stunnel -c -d pop3 -r bar:pop3s

and on bar:

	stunnel -p /path/to/stunnel.pem -d pop3s -r bar:pop3

Then configure your email client to think that your local machine, foo, is actually your mail server. The traffic will be sent from one end to the other encrypted, even though neither your email client nor your POP server needs to speak SSL.

This works for anything, not just POP. If you have flexibility in your ports, there's no reason that you'd have to listen on your local machine on the same port on which the packets end up on the remote machine.
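The same two-machine forward written as stunnel 5.x configuration files, an added example that is not part of the original page. The hostnames foo and bar, the certificate path and the CA file path are placeholders, and the client-side verification lines (verifyChain, CAfile, checkHost) are an addition beyond the command-line example above: without them, foo encrypts the traffic but never checks that the far end really is bar.

```ini
; --- /etc/stunnel/stunnel.conf on foo (the client side) ---
client = yes

; Verify bar's certificate chain against a trusted CA and check the
; hostname in it. Placeholder CA path: the CA that issued bar's certificate.
verifyChain = yes
CAfile = /path/to/ca.pem
checkHost = bar

[pop3]
; Email client speaks plain POP3 to foo:pop3 on the loopback interface only.
accept = 127.0.0.1:110
; Encrypted to bar:pop3s.
connect = bar:995

; --- /etc/stunnel/stunnel.conf on bar (the server side) ---
; Placeholder path taken from the command-line example on this page.
cert = /path/to/stunnel.pem

[pop3s]
; Encrypted connection arriving from foo.
accept = 995
; Plain POP3 to the POP server on this machine, loopback only.
connect = 127.0.0.1:110
```

Binding the plaintext listener on foo to 127.0.0.1 keeps other hosts from using foo as an open unencrypted relay into the tunnel.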

For those familiar with the program ssh, this is similar to running

	ssh -L pop3:bar:pop3 bar
	
except that, since stunnel is running as its own daemon, you can use this port forward without first establishing the ssh connection.