auto4certbot/certbot4mail/examples/stunnel.conf

; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; It is recommended to drop root privileges if stunnel is started by root
;setuid = stunnel4
;setgid = stunnel4

; PID file is created inside the chroot jail (if enabled)
pid = /var/run/stunnel4/stunnel.pid

; Debugging stuff (may be useful for troubleshooting)
;foreground = yes
;debug = info
output = /var/log/stunnel4/stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
;fips = yes
fips = no
; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Enable support for the insecure SSLv3 protocol
options = -NO_SSLv3
sslVersion = TLSv1.2

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Include all configuration file fragments from the specified folder     *
; **************************************************************************

;include = /etc/stunnel/conf.d

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; ***************************************** Example TLS client mode services

; The following examples use /etc/ssl/certs, which is the common location
; of a hashed directory containing trusted CA certificates.  This is not
; a hardcoded path of the stunnel package, as it is not related to the
; stunnel configuration in /etc/stunnel/.

;[mydomen-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop3.mydomen.ru:995
;verifyChain = yes
;CApath = @sysconfdir/ssl/certs
;checkHost = pop3s.mydomen.ru
;OCSPaia = yes

;[mydomen-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.mydomen.ru:993
;verifyChain = yes
;CApath = @sysconfdir/ssl/certs
;checkHost = imaps.mydomen.ru
;OCSPaia = yes

;[mydomen-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.mydomen.ru:465
;verifyChain = yes
;CApath = @sysconfdir/ssl/certs
;checkHost = smtps.mydomen.ru
;OCSPaia = yes

; ***************************************** Example TLS server mode services

[pop3s]
accept  = 10.2.2.8:995
connect = 10.2.2.8:110
cert=/etc/letsencrypt/live/mail.mydomen.ru/fullchain.pem
key=/etc/letsencrypt/live/mail.mydomen.ru/privkey.pem

[imaps]
accept  = 10.2.2.8:993
connect = 10.2.2.8:143
cert=/etc/letsencrypt/live/mail.mydomen.ru/fullchain.pem
key=/etc/letsencrypt/live/mail.mydomen.ru/privkey.pem

[smtps]
accept  = 10.2.2.8:465
connect = 10.2.2.8:587
cert=/etc/letsencrypt/live/mail.mydomen.ru/fullchain.pem
key=/etc/letsencrypt/live/mail.mydomen.ru/privkey.pem

; TLS front-end to a web server
;[https]
;accept  = 443
;connect = 80
;cert = /etc/stunnel/stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0

; Remote shell protected with PSK-authenticated TLS
; Create "/etc/stunnel/secrets.txt" containing IDENTITY:KEY pairs
;[shell]
;accept = 1337
;exec = /bin/sh
;execArgs = sh -i
;ciphers = PSK
;PSKsecrets = /etc/stunnel/secrets.txt

; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
;[mysql]
;cert = /etc/stunnel/stunnel.pem
;accept = 3307
;connect = /run/mysqld/mysqld.sock

; vim:ft=dosini