I didn’t find this anywhere online, so I thought I’d post it. Norton AntiVirus up to and including 2007 doesn’t support POP3 over SSL. That’s a problem since sending mail without SSL is insecure, and sending mail over SSL with no virus scanning is also insecure. There is a fix.
Please note that these directions are intended as a casual guide for experienced individuals. I’m not providing assistance or support.
- Download stunnel and install it.
- Open up the stunnel.conf file (either through the Start Menu —> Stunnel —> Edit stunnel.conf, or navigate to the file yourself).
- For each mail server you use, create an entry as follows. Replace mail.myisp.com with your mail server. Also make sure you set the appropriate port (995 is typically fine). Make sure the accept port is different for each one.
; stunnel 4.x needs each accept/connect pair inside a named [service] section
[mail.myisp.com]
client=yes
accept=127.0.0.1:110
connect=mail.myisp.com:995
- Start Menu —> Stunnel —> Service install
- Start Menu —> Stunnel —> Service start
- Now configure your email client to use the following information:
Server: localhost
Port: 110 (or whatever port that account was set to use up above)
SSL should be off (the SSL connection is now terminated at stunnel, which uses the local loopback interface to hand the mail to your mail client on port 110). So mail travels over the Internet in SSL, but locally in plain text (where an AV can sniff it).
- Test it out.
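As an added example (not from the original post), a small Python helper that renders the stunnel.conf entries described above, one loopback accept port per account, and checks an existing config for the two mistakes the steps warn about: a reused accept port, and an accept line that is not pinned to 127.0.0.1 (stunnel listens on every interface when no address is given, which would expose the plaintext leg to the network). The mail host names are made up, and the optional verify/CAfile lines are stunnel options the post itself does not mention.

```python
import re
from typing import Dict, List, Optional

LOOPBACK = "127.0.0.1"

def build_stunnel_conf(accounts: Dict[str, str], first_port: int = 110,
                       ca_file: Optional[str] = None) -> str:
    """Render one [service] section per mail server (name -> POP3S host),
    each on its own loopback accept port: first_port, first_port+1, ..."""
    lines = ["client = yes", ""]
    if ca_file:  # optional hardening: make stunnel verify the remote server's cert
        lines += ["verify = 2", f"CAfile = {ca_file}", ""]
    for offset, (name, host) in enumerate(sorted(accounts.items())):
        lines += [f"[{name}]",
                  f"accept = {LOOPBACK}:{first_port + offset}",
                  f"connect = {host}:995", ""]
    return "\n".join(lines)

SECTION = re.compile(r"^\[(.+?)\]\s*$")
ACCEPT = re.compile(r"^accept\s*=\s*(?:(\S+?):)?(\d+)\s*$")

def check_stunnel_conf(text: str) -> List[str]:
    """Return a list of problems: accept ports used twice, or accept lines
    not bound to loopback (the local leg is plaintext, so it must stay local)."""
    problems: List[str] = []
    seen: Dict[int, str] = {}      # accept port -> section that claimed it
    section = "(global)"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ACCEPT.match(line)
        if not m:
            continue
        host = m.group(1) or "0.0.0.0"   # bare port means "all interfaces"
        port = int(m.group(2))
        if host not in (LOOPBACK, "localhost"):
            problems.append(f"[{section}] accept binds {host}, not loopback")
        if port in seen:
            problems.append(f"[{section}] accept port {port} already used by [{seen[port]}]")
        seen.setdefault(port, section)
    return problems

if __name__ == "__main__":
    # constructed sample: two accounts, two distinct loopback ports
    conf = build_stunnel_conf({"isp": "mail.myisp.com", "other": "mail.example.net"})
    print(conf)
    print("problems:", check_stunnel_conf(conf))
```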
Important Last step
Up to now it should be working, but it’s using a generic key. This means everyone who downloads stunnel has the key. You need your own. There are good directions for that available here. You can create one with a copy of OpenSSL (it’s up to you to get it for Windows, or hop on a Unix box for this step). I should note that the stunnel.cnf file is missing in the Windows binaries as of Stunnel 4.20 (don’t ask me why). If you’re going to generate a key on Windows, put the following in a text file named stunnel.cnf:
# create RSA certs - Server
RANDFILE = stunnel.rnd

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = PL
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Stunnel Developers Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
0.commonName = Common Name (FQDN of your server)
0.commonName_default = localhost
# To create a certificate for more than one name uncomment:
# 1.commonName = DNS alias of your server
# 2.commonName = DNS alias of your server
# ...
# See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
# to see how Netscape understands commonName.

[ cert_type ]
nsCertType = server
This is from the source code of version 4.20.
From there you can use the following commands (from the link above):
openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
Change 365 to something higher if you don’t want to do this on a yearly basis, though it may not be a bad idea to do it annually. Answer the prompts as required. Make sure the Common Name is set to “localhost”.
openssl gendh 512 >> stunnel.pem
Make sure your new certificate file (the stunnel.pem written by the commands above) is in your stunnel directory, then stop the service and start it again. From now on you should be good to go.
So that’s it. Now you have SSL encrypted mail connections, with support for AntiVirus scanning. This will work for any mail host that uses POP3 over SSL including Gmail.