Using Norton AntiVirus With POP3 Over SSL

I didn’t find this anywhere online, so I thought I’d post it. Norton AntiVirus up to and including 2007 doesn’t support POP3 over SSL. That’s a problem since sending mail without SSL is insecure, and sending mail over SSL with no virus scanning is also insecure. There is a fix.

Please note these directions are intended to be a casual guide for experienced individuals. I’m not providing assistance or support.

  1. Download stunnel and install it.
  2. Open up the stunnel.conf file (either through the Start Menu -> Stunnel -> Edit stunnel.conf, or navigate to the file yourself).
  3. For each mail server you use, create an entry as follows. Replace mail.myisp.com with your mail server. Also make sure you set the appropriate port (995 is typically fine). Make sure the accept port is different for each one.
    ; one [section] per mail server; the name (myisp-pop3 here) is arbitrary
    [myisp-pop3]
    client=yes
    accept=127.0.0.1:110
    connect=mail.myisp.com:995
    
  4. Start Menu -> Stunnel -> Service install
  5. Start Menu -> Stunnel -> Service start
  6. Now configure your email client to use the following information:
    Server: localhost
    Port: 110 (or whatever port that account was set to use up above)
    

    SSL should be off: the SSL connection is now terminated at stunnel, which uses the local loopback interface to pass mail to your mail client on port 110. So mail crosses the Internet over SSL, but travels locally in plain text (where an AV can inspect it).

  7. Test it out.
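
A check for the entries created in step 3, added here as an example and not part of the original post or of stunnel: it parses a stunnel.conf and flags tunnels whose plaintext side is not bound to loopback, accept ports that collide, and a missing client=yes. It goes one step beyond the post by also flagging entries with no `verify` option, on the assumption that stunnel does not check the mail server's certificate unless one is set; the sample config, its section names and mail.example.net are constructed.

```python
# Constructed sample: two accounts as in step 3, the second with mistakes.
SAMPLE_CONF = """\
client = yes

[myisp-pop3]
accept = 127.0.0.1:110
connect = mail.myisp.com:995

[second-pop3]
accept = 110
connect = mail.example.net:995
"""

def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}) for stunnel.conf text."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):  # start of a service
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else current
        target[key.strip().lower()] = value.strip()
    return global_opts, services

def lint(text):
    """Return findings about the local (plaintext) side of each tunnel."""
    global_opts, services = parse_stunnel_conf(text)
    findings, port_owner = [], {}
    for name, opts in services.items():
        eff = {**global_opts, **opts}                 # service overrides global
        if eff.get("client", "no").lower() != "yes":
            findings.append(f"{name}: client=yes is missing")
        host, _, port = eff.get("accept", "").rpartition(":")
        if host not in ("127.0.0.1", "localhost"):    # bare port = all interfaces
            findings.append(f"{name}: accept is not bound to loopback")
        if port in port_owner:
            findings.append(f"{name}: accept port {port} already used by {port_owner[port]}")
        port_owner.setdefault(port, name)
        if "verify" not in eff:                       # assumption: unset = no check
            findings.append(f"{name}: no verify level, server certificate is not checked")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)))
```
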

Important Last step

Up to now it should be working, but it’s using a generic key. This means everyone who downloads stunnel has the key. You need your own. There are good directions for that available here. You can create one with a copy of OpenSSL (it’s up to you to get it for Windows, or hop on a Unix box for this step). I should note that the stunnel.cnf file is missing in the Windows binaries as of Stunnel 4.20 (don’t ask me why). If you’re going to generate a key on Windows, use the following in a text file named stunnel.cnf:

    # create RSA certs - Server

    RANDFILE = stunnel.rnd

    [ req ]
    default_bits = 1024
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type

    [ req_dn ]
    countryName = Country Name (2 letter code)
    countryName_default             = PL
    countryName_min                 = 2
    countryName_max                 = 2

    stateOrProvinceName             = State or Province Name (full name)
    stateOrProvinceName_default     = Some-State

    localityName                    = Locality Name (eg, city)

    0.organizationName              = Organization Name (eg, company)
    0.organizationName_default      = Stunnel Developers Ltd

    organizationalUnitName          = Organizational Unit Name (eg, section)
    #organizationalUnitName_default =

    0.commonName                    = Common Name (FQDN of your server)
    0.commonName_default            = localhost

    # To create a certificate for more than one name uncomment:
    # 1.commonName                  = DNS alias of your server
    # 2.commonName                  = DNS alias of your server
    # ...
    # See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
    # to see how Netscape understands commonName.

    [ cert_type ]
    nsCertType = server

This is from the source code of version 4.20.

From there you can use the following commands (from the directions linked above):

    openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

Change 365 to something higher if you don’t want to do this on a yearly basis, though it may not be a bad idea to do it annually. Answer the prompts as required. Make sure the Common Name is set to “localhost”.

Followed by:

    openssl gendh 512 >> stunnel.pem

Make sure your cert.pem is in your stunnel directory, then stop the service and start it again. From now on you should be good to go.

So that’s it. Now you have SSL encrypted mail connections, with support for AntiVirus scanning. This will work for any mail host that uses POP3 over SSL including Gmail.
