Problems with stunnel and cox.net on Windows 7

Cox has been warning us that as of next week, we need to use encrypted POP and SMTP. I have two reasons to use stunnel now:

1) I use the K9 Bayesian email proxy for spam filtering, and it doesn't do TLS
2) My wife still uses Eudora and doesn't want to switch, and while Eudora allegedly supports TLS, it's not trivial to make it work (and Cox certainly won't help)

Thus stunnel looks like an ideal solution. But after tinkering for a few hours on two machines, I'm stumped.

While I can type an SMTP or POP transaction in my sleep, I'm not so good at typing a TLS handshake, so I'm using Outlook 2013 as my test platform (and that's what I'll be using myself later anyway). I set up a new account, point to the right ports on 127.0.0.1, and the test times out, with:

    Log onto incoming mail server (POP3): The operation timed out waiting for a response from the receiving (POP) server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).

    Send test e-mail message: The operation timed out waiting for a response from the sending (SMTP) server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).

Here's my stunnel.conf, with blank lines and comments removed:

    client = yes
    output = C:\temp\stunnel-log.txt
    taskbar = yes
    debug = 7
    [POP3 Incoming]
    protocol = pop3
    accept = 127.0.0.1:1110
    connect = pop.cox.net:995
    protocol = smtp
    accept = 127.0.0.1:25
    connect = smtp.cox.net:465

Yes, that's port 1110, since K9 is using 110. Shouldn't matter, right? (As long as I point the client at 1110, obviously!)

Yes, I have protocol = pop3 and protocol = smtp; I've tried commenting them out individually, no change that I can see.

Yes, I'm running stunnel explicitly, not as a service - I found threads suggesting that it just doesn't work as a service on Windows 7 for some reason (and in fact beat my head against that wall for a while first).

And here's the stunnel log:

    2018.01.17 21:29:24 LOG7[main]: Running on Windows 6.1
    2018.01.17 21:29:24 LOG7[main]: No limit detected for the number of clients
    2018.01.17 21:29:24 LOG5[main]: stunnel 5.44 on x86-pc-msvc-1500 platform
    2018.01.17 21:29:24 LOG5[main]: Compiled/running with OpenSSL 1.0.2m-fips 2 Nov 2017
    2018.01.17 21:29:24 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
    2018.01.17 21:29:24 LOG7[main]: errno: (*_errno())
    2018.01.17 21:29:24 LOG7[ui]: GUI message loop initialized
    2018.01.17 21:29:24 LOG7[main]: Running on Windows 6.1
    2018.01.17 21:29:24 LOG5[main]: Reading configuration from file stunnel.conf
    2018.01.17 21:29:24 LOG5[main]: UTF-8 byte order mark not detected
    2018.01.17 21:29:24 LOG5[main]: FIPS mode disabled
    2018.01.17 21:29:24 LOG7[main]: Compression disabled
    2018.01.17 21:29:24 LOG7[main]: Snagged 64 random bytes from C:/.rnd
    2018.01.17 21:29:24 LOG7[main]: Wrote 0 new random bytes to C:/.rnd
    2018.01.17 21:29:24 LOG7[main]: PRNG seeded successfully
    2018.01.17 21:29:24 LOG6[main]: Initializing service [POP3 Incoming]
    2018.01.17 21:29:24 LOG7[main]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
    2018.01.17 21:29:24 LOG7[main]: TLS options: 0x03000004 (+0x03000000, -0x00000000)
    2018.01.17 21:29:24 LOG7[main]: No certificate or private key specified
    2018.01.17 21:29:24 LOG4[main]: Service [POP3 Incoming] needs authentication to prevent MITM attacks
    2018.01.17 21:29:24 LOG5[main]: Configuration successful
    2018.01.17 21:29:24 LOG7[main]: Binding service [POP3 Incoming]
    2018.01.17 21:29:24 LOG7[main]: Listening file descriptor created (FD=460)
    2018.01.17 21:29:24 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
    2018.01.17 21:29:24 LOG7[main]: Service [POP3 Incoming] (FD=460) bound to 127.0.0.1:1110
    2018.01.17 21:29:24 LOG7[main]: Listening file descriptor created (FD=464)
    2018.01.17 21:29:24 LOG7[main]: Option SO_EXCLUSIVEADDRUSE set on accept socket
    2018.01.17 21:29:24 LOG7[main]: Service [POP3 Incoming] (FD=464) bound to 127.0.0.1:25
    2018.01.17 21:29:24 LOG7[cron]: Cron thread initialized
    2018.01.17 21:29:50 LOG7[main]: Found 1 ready file descriptor(s)
    2018.01.17 21:29:50 LOG7[main]: FD=424 ifds=r-x ofds=---
    2018.01.17 21:29:50 LOG7[main]: FD=460 ifds=r-x ofds=r--
    2018.01.17 21:29:50 LOG7[main]: Service [POP3 Incoming] accepted (FD=488) from 127.0.0.1:54855
    2018.01.17 21:29:50 LOG7[main]: Creating a new thread
    2018.01.17 21:29:50 LOG7[main]: New thread created
    2018.01.17 21:29:50 LOG7[0]: Service [POP3 Incoming] started
    2018.01.17 21:29:50 LOG7[0]: Option TCP_NODELAY set on local socket
    2018.01.17 21:29:50 LOG5[0]: Service [POP3 Incoming] accepted connection from 127.0.0.1:54855
    2018.01.17 21:29:50 LOG6[0]: failover: round-robin, starting at entry #1
    2018.01.17 21:29:50 LOG6[0]: s_connect: connecting 68.6.19.8:465
    2018.01.17 21:29:50 LOG7[0]: s_connect: s_poll_wait 68.6.19.8:465: waiting 10 seconds
    2018.01.17 21:29:50 LOG5[0]: s_connect: connected 68.6.19.8:465
    2018.01.17 21:29:50 LOG5[0]: Service [POP3 Incoming] connected remote server from 192.168.1.17:54856
    2018.01.17 21:29:50 LOG7[0]: Option TCP_NODELAY set on remote socket
    2018.01.17 21:29:50 LOG7[0]: Remote descriptor (FD=508) initialized
    2018.01.17 21:30:24 LOG6[cron]: Executing cron jobs
    2018.01.17 21:30:24 LOG6[cron]: Cron jobs completed in 0 seconds
    2018.01.17 21:30:24 LOG7[cron]: Waiting 86400 seconds
    2018.01.17 21:31:05 LOG7[main]: Found 1 ready file descriptor(s)
    2018.01.17 21:31:05 LOG7[main]: FD=424 ifds=r-x ofds=---
    2018.01.17 21:31:05 LOG7[main]: FD=460 ifds=r-x ofds=---
    2018.01.17 21:31:05 LOG7[main]: Service [POP3 Incoming] accepted (FD=528) from 127.0.0.1:54891
    2018.01.17 21:31:05 LOG7[main]: Creating a new thread
    2018.01.17 21:31:05 LOG7[main]: New thread created
    2018.01.17 21:31:05 LOG7[1]: Service [POP3 Incoming] started
    2018.01.17 21:31:05 LOG7[1]: Option TCP_NODELAY set on local socket
    2018.01.17 21:31:05 LOG5[1]: Service [POP3 Incoming] accepted connection from 127.0.0.1:54891
    2018.01.17 21:31:05 LOG6[1]: failover: round-robin, starting at entry #0
    2018.01.17 21:31:05 LOG6[1]: s_connect: connecting 146.20.147.245:995
    2018.01.17 21:31:05 LOG7[1]: s_connect: s_poll_wait 146.20.147.245:995: waiting 10 seconds
    2018.01.17 21:31:05 LOG5[1]: s_connect: connected 146.20.147.245:995
    2018.01.17 21:31:05 LOG5[1]: Service [POP3 Incoming] connected remote server from 192.168.1.17:54892
    2018.01.17 21:31:05 LOG7[1]: Option TCP_NODELAY set on remote socket
    2018.01.17 21:31:05 LOG7[1]: Remote descriptor (FD=336) initialized
    2018.01.17 21:34:05 LOG3[1]: Unexpected socket close (s_read)
    2018.01.17 21:34:05 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
    2018.01.17 21:34:05 LOG7[1]: Remote descriptor (FD=336) closed
    2018.01.17 21:34:05 LOG7[1]: Local descriptor (FD=528) closed
    2018.01.17 21:34:05 LOG7[1]: Service [POP3 Incoming] finished (1 left)
    2018.01.17 21:34:05 LOG7[1]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
    2018.01.17 21:34:05 LOG7[1]: str_stats: 32 byte(s) at ..\src\network.c:680
    2018.01.17 21:34:50 LOG6[0]: s_read: s_poll_wait: TIMEOUTbusy exceeded: sending reset
    2018.01.17 21:34:50 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
    2018.01.17 21:34:50 LOG7[0]: Remote descriptor (FD=508) closed
    2018.01.17 21:34:50 LOG7[0]: Local descriptor (FD=488) closed
    2018.01.17 21:34:50 LOG7[0]: Service [POP3 Incoming] finished (0 left)
    2018.01.17 21:34:50 LOG7[0]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
    2018.01.17 21:34:50 LOG7[0]: str_stats: 32 byte(s) at ..\src\network.c:680

It looks like it connects, but then just sits there?!

I see these:

    No certificate or private key specified
    Service [POP3 Incoming] needs authentication to prevent MITM attacks

but that's during startup. Or are those significant?

I feel like I'm one setting away from having this all work! Thanks in advance for any suggestions.

--
...phsiii
participants (1)
-
Phil Smith III
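
A configuration consistent with what the log above shows, as an added example that is not part of the original post and not from the stunnel project. In the log, both listeners are bound under the single service [POP3 Incoming], the two connect targets are treated as failover entries, and 0 bytes reach TLS before the timeout. The section name [SMTP Outgoing], the CAfile value and the checkHost names are assumptions.

```ini
; Added example, not the poster's file. Assumes stunnel 5.x in client mode.
client = yes
output = C:\temp\stunnel-log.txt
taskbar = yes
debug = 7

[POP3 Incoming]
; No "protocol = pop3" here. In client mode that option makes stunnel
; negotiate TLS inside a plaintext POP3 session first, while port 995
; expects the TLS handshake immediately, so both ends wait on each other.
accept = 127.0.0.1:1110
connect = pop.cox.net:995
; Server authentication, which addresses the LOG4 "needs authentication to
; prevent MITM attacks" warning. CAfile is an assumed path to a PEM bundle
; of trusted CA certificates.
verifyChain = yes
CAfile = ca-certs.pem
; Assumes the server certificate is issued for this name; if the handshake
; then fails on a name mismatch, use the name the certificate carries.
checkHost = pop.cox.net

; Each listener needs its own section header. Without one, the second
; accept/connect pair is merged into the previous service, which is why
; the log shows 127.0.0.1:25 bound under [POP3 Incoming] and a POP3 client
; connection being sent to port 465 by round-robin failover.
; The section name is hypothetical.
[SMTP Outgoing]
; No "protocol = smtp": port 465 also expects TLS from the first byte.
accept = 127.0.0.1:25
connect = smtp.cox.net:465
verifyChain = yes
CAfile = ca-certs.pem
checkHost = smtp.cox.net
```

With debug = 7 still set, a working tunnel shows a completed TLS handshake and non-zero byte counts in the connection summary instead of "0 byte(s) sent to TLS".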