Tidymail via stunnel

For PC clients that cannot connect securely themselves there is an option to use an additional program to perform the secure connections on behalf of your email client. This program is called stunnel. What follows are some notes on how to configure stunnel for use with Ameol but could be used for other email clients. These are taken and adapted from the thread on cix you can find at cix:merula.wizards/general2:3283 along with some other adaptations.

1) Download “stunnel” here –

stunnel: Downloads

IMPORTANT: If you previously downloaded an earlier version it is important you upgrade to at least version 5.14 as this contains an important security fix.

2) Install on your Ameol machine. You’ll be prompted for a bunch of parameters to use to generate a certificate. Just co-opereate, though as far as I can tell, in client mode it doesn’t use that cert.

3) Go to the install directory (c:\program files\stunnel)

4) Edit (notepad is fine) the “stunnel.conf” file.

You’ll find 95% of the file is commented out. You can ignore, so far as I can yet tell, all of it down to the line that says “Example SSL client mode services. (NOTE client not server, just pass the server section by).

You will see three entries thus:

client = yes
accept =
connect = pop.gmail.com:995

client = yes
accept =
connect = imap.gmail.com:993

client = yes
accept =
connect = smtp.gmail.com:465

CHANGE THESE three entries thus:-

client = yes
accept =
connect = pop.tidymail.co.uk:995
CAfile = Tidymail_CA_Certificates.pem
verify = 2

client = yes
accept =
connect = imap.tidymail.co.uk:993
CAfile = Tidymail_CA_Certificates.pem
verify = 2

client = yes
accept =
connect = post.tidymail.co.uk:465
CAfile = Tidymail_CA_Certificates.pem
verify = 2

SAVE the conf file.

DOWNLOAD the following URL https://tidymail.co.uk/Tidymail_CA_Certificates.pem and store in the same directory as the conf file.

START the proxy – just double-click the “Stunnel” icon it will have put on your desktop or Start bar during install. Once it’s started you should see the Stunnel icon on in your system tray. Optionally right-click on that and ask it to display the LOG.

5) Change your AMEOL config so that instead of “pop.wizards.co.uk” and
“post.wizards.co.uk” it accesses “”


If you have the Stunnel log window open you should see something like


2014.03.23 17:27:30 LOG5[3196]: Service [tidymail-smtp] accepted connection from
2014.03.23 17:27:30 LOG5[3196]: s_connect: connected
2014.03.23 17:27:30 LOG5[3196]: Service [tidymail-smtp] connected remote server from
2014.03.23 17:27:30 LOG5[3196]: Certificate accepted: depth=0, subject=/serialNumber=2-0omwbEjRpWOF2AyK2Hpvw0dgXLDUKi/C=GB/O=post.tidymail.co.uk/OU=GT71737913/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=post.tidymail.co.uk
2014.03.23 17:27:57 LOG5[3196]: Connection closed: 6 byte(s) sent to SSL, 146 byte(s) sent to socket

(This shows a successful connection to post.tidymail on port 465 (using SSL) where actually Ameol just connected to Stunnel using port 25 and no SSL.)


2014.03.23 17:29:02 LOG5[3416]: Service [tidymail-pop3] accepted connection from
2014.03.23 17:29:02 LOG5[3416]: s_connect: connected
2014.03.23 17:29:02 LOG5[3416]: Service [tidymail-pop3] connected remote server from
2014.03.23 17:29:02 LOG5[3416]: Certificate accepted: depth=0, subject=/serialNumber=zyuSPCbbLiCTz/V0UPhIc8nUj9lkQxOU/OU=GT67619738/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=pop.tidymail.co.uk
2014.03.23 17:29:07 LOG5[3416]: Connection closed: 6 byte(s) sent to SSL, 46 byte(s) sent to socket

A connection to pop.tidymail.co.uk on port 995 using SSL, where Ameol will have connected to Stunnel on port 110 and no SSL.