; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015 ; Some options used here may be inadequate for your particular configuration ; This sample file does *not* represent stunnel.conf defaults ; Please consult the manual for detailed description of available options ; ************************************************************************** ; * Global options * ; ************************************************************************** ; It is recommended to drop root privileges if stunnel is started by root ;setuid = stunnel4 ;setgid = stunnel4 ; PID file is created inside the chroot jail (if enabled) pid = /var/run/stunnel4/stunnel.pid ; Debugging stuff (may be useful for troubleshooting) ;foreground = yes ;debug = info output = /var/log/stunnel4/stunnel.log ; Enable FIPS 140-2 mode if needed for compliance ;fips = yes fips = no ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Enable support for the insecure SSLv3 protocol options = -NO_SSLv3 sslVersion = TLSv1.2 ; These options provide additional security at some performance degradation ;options = SINGLE_ECDH_USE ;options = SINGLE_DH_USE ; ************************************************************************** ; * Include all configuration file fragments from the specified folder * ; ************************************************************************** ;include = /etc/stunnel/conf.d ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** ; ***************************************** Example TLS client mode services ; The following examples use /etc/ssl/certs, which is the common location ; of a hashed directory containing trusted CA certificates. This is not ; a hardcoded path of the stunnel package, as it is not related to the ; stunnel configuration in /etc/stunnel/. ;[mydomen-pop3] ;client = yes ;accept = 127.0.0.1:110 ;connect = pop3.mydomen.ru:995 ;verifyChain = yes ;CApath = @sysconfdir/ssl/certs ;checkHost = pop3s.mydomen.ru ;OCSPaia = yes ;[mydomen-imap] ;client = yes ;accept = 127.0.0.1:143 ;connect = imap.mydomen.ru:993 ;verifyChain = yes ;CApath = @sysconfdir/ssl/certs ;checkHost = imaps.mydomen.ru ;OCSPaia = yes ;[mydomen-smtp] ;client = yes ;accept = 127.0.0.1:25 ;connect = smtp.mydomen.ru:465 ;verifyChain = yes ;CApath = @sysconfdir/ssl/certs ;checkHost = smtps.mydomen.ru ;OCSPaia = yes ; ***************************************** Example TLS server mode services [pop3s] accept = 10.2.2.8:995 connect = 10.2.2.8:110 cert=/etc/letsencrypt/live/mail.mydomen.ru/fullchain.pem key=/etc/letsencrypt/live/mail.mydomen.ru/privkey.pem [imaps] accept = 10.2.2.8:993 connect = 10.2.2.8:143 cert=/etc/letsencrypt/live/mail.mydomen.ru/fullchain.pem key=/etc/letsencrypt/live/mail.mydomen.ru/privkey.pem [smtps] accept = 10.2.2.8:465 connect = 10.2.2.8:587 cert=/etc/letsencrypt/live/mail.mydomen.ru/fullchain.pem key=/etc/letsencrypt/live/mail.mydomen.ru/privkey.pem ; TLS front-end to a web server ;[https] ;accept = 443 ;connect = 80 ;cert = /etc/stunnel/stunnel.pem ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel ; Microsoft implementations do not use TLS close-notify alert and thus they ; are vulnerable to truncation attacks ;TIMEOUTclose = 0 ; Remote shell protected with PSK-authenticated TLS ; Create "/etc/stunnel/secrets.txt" containing IDENTITY:KEY pairs ;[shell] ;accept = 1337 ;exec = /bin/sh ;execArgs = sh -i ;ciphers = PSK ;PSKsecrets = /etc/stunnel/secrets.txt ; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket ;[mysql] ;cert = /etc/stunnel/stunnel.pem ;accept = 3307 ;connect = /run/mysqld/mysqld.sock ; vim:ft=dosini