My email service provider has recently pulled the plug on TLS 1.0/1.1 support as they reached end-of-life. This means old email clients not written for TLS 1.2 and above will not work when they try to connect to the server with SSL support!
Google did this in 2014 but offered a compatibility option called “allow less secure clients”. Back then I didn’t know it meant TLS 1.0/1.1 until I learned it the hard way when my shared hosting email provider pulled the plug on the old TLS protocols and I scrambled to figure out why my email stopped working with cryptic IMAP errors (like suggesting my computer might be lacking memory, which was not true).
These are the stunnel config settings that need to be changed from the defaults. If stunnel was installed by entware (opkg), the config file is in
- Disable (comment out) drop privileges
- Remove the [dummy] section since we are going to set up sections for each (server, port) pair. stunnel won’t start without any port forwarding sections.
- It already has an [imap] section that’s commented out. Change the local port number and the target server url:port to your liking. Do [pop] if you use POP3 email instead of SMTP
- Do the same by adding a [smtp] section for outgoing email
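A sketch of what the edited sections can look like once the steps above are done. This is an added example, not the author's actual file: the host names, LAN address, local ports, setuid/setgid values and CA bundle path are placeholders, and the certificate verification lines are an addition that the steps above do not mention.

```ini
; Constructed example: host names, LAN address, ports and CA path are placeholders.

; Drop privileges stays commented out, as in the steps above.
;setuid = nobody
;setgid = nogroup

[imap]
; Client mode: accept plaintext from the old mail client, speak TLS to the server.
client = yes
; Bind to the LAN address only; this leg of the connection is unencrypted.
accept = 192.168.1.1:143
connect = mail.example.com:993
; Refuse anything older than TLS 1.2 on the outbound leg
; (needs a stunnel build against OpenSSL 1.1.0 or later).
sslVersionMin = TLSv1.2
; stunnel does not verify the server certificate unless told to.
verifyChain = yes
CAfile = /path/to/ca-certificates.crt
checkHost = mail.example.com

[smtp]
client = yes
accept = 192.168.1.1:25
; 465 is implicit-TLS submission; for STARTTLS on 587 add "protocol = smtp".
connect = mail.example.com:465
sslVersionMin = TLSv1.2
verifyChain = yes
CAfile = /path/to/ca-certificates.crt
checkHost = mail.example.com
```

Because the client-to-stunnel leg carries the mailbox password in cleartext, keep the accept address on a trusted LAN interface or on 127.0.0.1 when stunnel runs on the same machine as the mail client.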
You can look at the log by just executing stunnel. Use Ctrl+C to quit monitoring the logs.
Of course you want to make sure the stunnel service/server is always started on boot. If you are using entware (or jffs scripts) for your router, add the call to /jffs/scripts/post-mount and make sure you set the script to executable so it’ll run:
```
#!/bin/sh
...
stunnel
```
Note that it’s post-mount because entware packages are installed on persistent storage (like USB drive or SD card in your router) that needs to be mounted before the files can even be read.
Remember to go to your old email client and change the email server address to that of the computer running the stunnel service (it can be the same computer as the client, a Raspberry Pi, or a router).