Use old email clients (like outlook express and Windows Live Mail) with SSL email servers after TLS 1.0/1.1 support ended

My email service provider has recently pulled the plug on TLS 1.0/1.1 support as they reached end-of-life. This means old email clients not written for TLS 1.2 and above will not work when it tries to connect to the server with SSL support!

Google did this in 2014 but offered a compatibility option called “allow less secure clients”. Back then I didn’t know it means TLS 1.0/1.1 until I learned it the hard way when my shared hosting email provider pulled the plug on the old TLS protocols and I scrambled to figure out my email stopped working with cryptic IMAP errors (like suggesting my computer might be lacking memory, which is not true).

One method to continue using the old clients is through tunneling. You use something line sTunnel to act as a non-SSL server to your email client (usually localhost if installed on the same computer as the email client) and the tunnel server will on your behalf talk to the real email server with proper TLS settings (provided by your email service provider).


Stunnel config that needs to be changed from defaults. If stunnel was installed by entware (opkg), the config file is in /opt/etc/stunnel/stunnel.conf.

  1. Disable (comment out) drop privileges
  2. Remove the [dummy] section since we are going to set up sections for each (server, port) pair. stunnel won’t start without any port forwarding sections.
  3. It already has an [imap] section that’s commented out. Change the local port number and the target server url:port to your liking. Do [pop] if you use POP3 email instead of SMTP
  4. Do the same by adding a [smtp] section for outgoing email

You might need to comment out

; You might need to comment out this drop privilege (3rd line in default conf file)
;setgid = nogroup

; Examples of forward sections with a '50' prefix to SSL port numbers to 'convert it to non-SSL' heading to stunnel
[imap]
client = yes
accept = 50993
connect = target_server:993


[smtp]
client = yes
accept = 50465
connect = target_server:465

Can look at the log by just executing stunnel. Use Ctrl+C to quit monitoring the logs.

Of course you want to make sure the stunnel service/server is always started on boot. If you are using entware (or jffs scripts) for your router, add the call to stunnel to /jffs/scripts/post-mount and make sure you set the script to executable so it’ll run:

#!/bin/sh
...
stunnel

Note that it’s post-mount because entware packages are installed on persistent storage (like USB drive or SD card in your router) that needs to be mounted before the files can even be read.

Remember to go to your old email client and change the email server address to computer running stunnel service (can be the same computer as the client, a raspberry pi, or a router). Unless you are managing a company with many old email clients, I recommend installing and configuring stunnel on the same OS which the old mail program runs instead of relying on a centralized router to manage it because it’d be very confusing if the centralized stunnel service is down and you don’t get any warnings that are not cryptic (as mentioned at the beginning of this article).

Loading