How to use stunnel to do SSL email in QTmail
Howto: Use stunnel to do SSL in QTmail (the included Zaurus email client)
- Download from here: http://www.killefiz.de/zaurus/showdetail.php?app=605
- Documentation here: http://www.stunnel.org/
Why? QTmail on the Zaurus is a nice email client but does not include support for SSL. SSL is now becoming more common across the net and is needed, for example, to access gmail accounts. I've written this Howto with the new user in mind, so forgive the extra verbiage and please don't take offense if you are an old-time kernel hacker...
A 20k foot view of the process: In order for this to work we will need to "trick" QTmail into connecting to the Zaurus instead of directly attempting to connect to the mail server. We will need to configure the Zaurus to accept the connection and then use an open source program called stunnel to make the outgoing connection via SSL. This is where running a full version of Linux comes in really handy.
The whole connection drawn out looks like this:
- QTmail ===> Zaurus/inetd ====> stunnel ====> gmail.com
This is easily done, really. Begin by downloading and installing the ipk from the above link. Once that is done, gather the information needed to connect to your mail provider. I'll use gmail in my examples, but the process is the same for pretty much any provider and for any non-SSL email client if you don't like QTmail for some reason.
First let's configure QTmail. In Mail-Account, highlight and edit the account you are setting up, or click new.
In the "Outgoing" tab enter your account information and authentication information as given to you by your email provider. Instead of the server and port info given to you by your provider, enter 127.0.0.1 in the SMTP server box (this is the loopback address and will cause QTmail to connect to the Zaurus instead of gmail) and 10025 in the SMTP port box. (SMTP normally runs on 25, but for simplicity I've moved our loopback connection up out of the way of anything else port-wise.)
Do the same in the "Incoming" tab: enter 127.0.0.1 for the server and 10110 for the port. (Same trick as above, but the POP protocol normally runs on 110.)
Next we will need to edit two system files. You will need root privilege to edit these files. You can do this very easily using Zeditor or some other editor - tap and hold on the Icon until the details dialog opens and check "Execute with root privilege". You can also open the terminal, type "su" and then use vi to edit the files.
- NOTE: If you've never used vi before, practice on unimportant files until you are confident enough to mess around where sysadmins roam.
- Disclaimer - editing the following files is not difficult, but will have effects on your network configuration. If you really mess up it could make your network connections non-functional. I recommend making backup copies of these files before you edit.
First we will need to create a couple of entries in /etc/services. Open the file and just go to the very bottom. Add the following:
    #
    # stunnel entries
    #
    gmail-pop3s     10110/tcp
    gmail-smtps     10025/tcp
This will allow inetd (the Linux network daemon) to put a label on what protocol is connecting to ports 10110 and 10025. Save the file and close it.
Next we need to add a couple of lines to /etc/inetd.conf. Go to the bottom of that file and add:
    # stunnel entries
    gmail-pop3s stream tcp nowait root /usr/sbin/tcpd /usr/sbin/stunnel -r pop.gmail.com:995 -c
    gmail-smtps stream tcp nowait root /usr/sbin/tcpd /usr/sbin/stunnel -r smtp.gmail.com:465 -c
This tells inetd what to do when it receives a connection on those ports we set up in the services file. In these cases it launches /usr/sbin/stunnel as a client connecting to the gmail servers. If you are connecting to another service, make your changes here and make sure to include the correct ports after the colon. (Gmail uses 995 and 465.) Save and close this file.
Now we need to do one more thing before we test the connection: restart inetd. (Inetd reads its configuration file only when it first starts.) Open a terminal, su, and issue the following command:
killall -hup inetd
(Killing most daemons with -hup is like playing whack-a-mole. The daemon will stop but a new one will "re-spawn" to take its place.)
Now go test your email account. You should be able to send and receive if you haven't made any typos. It's a bit slower than a direct POP/SMTP connection, but remember you are now encrypting everything between the Zaurus and your email provider, and that takes up more than a few processor cycles.
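A typo in either file is the usual reason the test fails, so here is a small shell check, added as an example and not part of the original Howto, that cross-checks the stunnel lines of an inetd.conf against a services file. The function name, the finding labels and the sample files are constructed for illustration; the NO-CERT-VERIFY finding assumes stunnel 3.x, which checks the server certificate only when a -v level is given.

```shell
#!/bin/sh
# Added example: cross-check stunnel lines in inetd.conf against services.
# check_stunnel_inetd SERVICES_FILE INETD_CONF
# Prints one finding per line; exit status is 0 only when nothing is found.
check_stunnel_inetd() {
    awk '
        # First file (services): remember each name that has a tcp port.
        FILENAME == ARGV[1] {
            sub(/#.*/, "")
            if (NF >= 2 && $2 ~ /^[0-9]+\/tcp$/) port[$1] = $2
            next
        }
        # Second file (inetd.conf): only active lines that run stunnel.
        /^[ \t]*#/ || !/stunnel/ { next }
        {
            if (!($1 in port)) { print "MISSING-SERVICE " $1; bad++ }
            client = 0; verify = 0; remote = ""
            for (i = 7; i <= NF; i++) {
                if ($i == "-c") client = 1
                if ($i == "-v") verify = 1
                if ($i == "-r") remote = $(i + 1)
            }
            if (!client) { print "NOT-CLIENT-MODE " $1; bad++ }
            if (remote !~ /^[^:]+:[0-9]+$/) { print "BAD-REMOTE " $1; bad++ }
            # Assumes stunnel 3.x: no -v means the server cert is not checked.
            if (!verify) { print "NO-CERT-VERIFY " $1; bad++ }
        }
        END { exit (bad > 0) }
    ' "$1" "$2"
}

# Constructed sample files; the second inetd.conf line has a typo in its name.
dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
cat > "$dir/services" <<'EOF'
gmail-pop3s     10110/tcp
gmail-smtps     10025/tcp
EOF
cat > "$dir/inetd.conf" <<'EOF'
# stunnel entries
gmail-pop3s stream tcp nowait root /usr/sbin/tcpd /usr/sbin/stunnel -r pop.gmail.com:995 -c
gmail-smtp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/stunnel -r smtp.gmail.com:465 -c
EOF
check_stunnel_inetd "$dir/services" "$dir/inetd.conf" ||
    echo "Fix the findings above before restarting inetd."
```

Run against the real /etc/services and /etc/inetd.conf, the lines from this Howto report NO-CERT-VERIFY because they pass no -v option, so the tunnel encrypts the traffic without authenticating the server. The stunnel documentation covers the verification levels and the CA options they need.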
Hope someone finds this useful - Shawn smammon@gmail.com

