Secure POP3 with stunnel

Back to the introduction


Now that postfix is up & running, and that xinet is serving a POP3 daemon on port 110, we will oppen a SSL port (995) for remote checking emails, outside the LAN. The typical desired usage is as follows:



  1. Inside the LAN, my desktop computer retrieves email stored on the Pi card by accessing its POP3 service on port 110. This port is closed for outside traffic, so this is a secure and simple way to retrieve emails internally.
  2. n

  3. From outside the LAN, e.g. from my mobile phone, I access my emails using a POP3S (SSL) service, after opening port 995 for traffic and rerouting traffic on this port, from my router to the Pi card.  I use stunnel to wrap the internal POP3 service into a POP3S servive. Please refer to the stunnel documentation.
  4. n


Hence here are the steps I am taking:



  1. Install stunnel4 with apt-get
  2. n

  3. Generate a SSL certificate running:n
    sudo openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

    n This should give you a self signed cerificate for 365 days. You can change the period of days as you like.

  4. n

  5. Store this certificate in an apprpriate directory, e.g. /etc/stunnel
  6. n

  7. In the same directory create a stunnel configuration file corresponding to the pop3 service. In my case I call it pop3s.conf and the relevant content is as follow:n
    nclient = nonchroot = /var/lib/stunnel4nsetuid = stunnel4nsetgid = stunnel4npid = /stunnel4.pidndebug = 3noutput = /stunnel.logncert = /etc/stunnel/stunnel.pemnn[pop3s]naccept  = 995nconnect = 110n


  8. n

  9. In order for stunnel4 to be enabled, and to read the configuration files in /etc/stunnel, it is required to change the settings in the main configuration file /etc/default/stunnel4, setting ENABLED=1 (0 is the default).
  10. n

  11. Now by rebooting the system or by restarting stunnel with:n
    sudo /etc/init.d/stunnel4 restart

    n the stunnel4 daemon should be up and running. This can be tested withn

    ps -e | grep stunnel

    n which should results in a bunch of process-ids dedicated to this service.

  12. n

  13. Check that there is a listening port at 995 withn
    netstat -aln | grep 995

    n or telnet into it from another PC on the lann

    telnet raspberrypy 995


  14. n

  15. Finally make sure that the port 995 is open from outside and that your router forward communication through this port to your Pi card. I verify the functioning of my POP3S service from my Android phone using a SSL client on the phone. Typically for the first connection I need to accept the self signed cerificate sent from the Pi card. This is a good sign that is all up & running.
  16. n