
SSL, Outlook 2007 & CrossOver

by Daniel Colquitt on August 15, 2009

As I mentioned in my previous post, although Outlook 2007 installs and runs on Linux using CrossOver, there are a few problems. Perhaps one of the more noticeable problems is the inability of Outlook to connect to POP/IMAP/SMTP servers via SSL. However, as is always the case with Linux, there is a workaround in the form of Stunnel, which is an SSL wrapper. Below are instructions on how to install and set up Stunnel together with Outlook 2007 in order to be able to send and receive email using SSL connections.

1. Install stunnel
This can be done using your distribution's package manager. For example, if you are using Ubuntu the command would be

sudo apt-get install stunnel4

Alternatively, you can download the source code (from here) and compile it yourself.

2. Change directory to the folder where stunnel was installed


cd /etc/stunnel

3. Generate the SSL certificate


openssl req -new -x509 -days 3650 -nodes -out mail.pem -keyout mail.pem

This will call OpenSSL to create a new X.509 certificate that is valid for 10 years (3650 days) and store the certificate and the key in the file mail.pem. You will be prompted to enter some information that will be incorporated into the certificate.

4. Change the permissions on the certificate file


sudo chmod 640 /etc/stunnel/mail.pem

5. Edit the configuration file


There are a number of lines that need to be uncommented and edited in order to configure stunnel to work correctly. Firstly, we need to uncomment the line which specifies the location of the certificate:
cert = /etc/stunnel/mail.pem

Next, we need to turn on the debugging options. These can be turned off later once we have stunnel working correctly.
debug = 7
output = /var/log/stunnel4/stunnel.log

Activate client mode:
client = yes

Now comes the more difficult part: setting up the tunnelling.

5. (b) Setting up the tunnelling

Scrolling down to the bottom of the configuration file you will find so-called service blocks, which define the start and end-points of the tunnels. For example, there are three template service blocks already in place. The first one is for POP mail,
;[pop3s]
;accept = 995
;connect = 110

This will take traffic from port 995 and tunnel it to 110. So you can set up a program/daemon to communicate through port 995 and stunnel will tunnel the communications through port 110.

Now, you will need to set up one service block for each email service that you wish to connect to. So if you only use one email account you will need two service blocks: one for receiving (POP/IMAP) and one for sending (SMTP). In order to set up a service block, you need two pieces of information: the server address and port of your email provider. This information can usually be obtained from your email provider's website. You also need to choose a port to forward from; this port should not be in use by any other protocol. The format of a service block should be of the form,
[blockname]
accept=127.0.0.1:in_port
connect=server:out_port

So for example, if you want to connect to Googlemail via IMAP then the service block would take the form,
[Gmail-IMAP]
accept=127.0.0.1:3000
connect=imap.gmail.com:993

You would also need to configure the SMTP protocol, taking care to specify a different port,
[Gmail-SMTP]
accept=127.0.0.1:3001
connect=smtp.gmail.com:465

The IP address 127.0.0.1 is the loopback IP address, and is equivalent to using localhost.
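An added check, not part of the original post: the shell function below lints a stunnel.conf for two properties of client-mode service blocks like those above, namely that `accept` is bound to loopback (the plaintext side of the tunnel) and that the remote server's certificate is verified, which stunnel does not do unless `verify` or `verifyChain` is set. The function name, the sample config and the CA bundle path are assumptions made for illustration.

```shell
#!/bin/sh
# lint_stunnel FILE: report client service blocks that listen beyond loopback
# or never verify the remote server's certificate.
lint_stunnel() {
  awk '
    function report() {
      if (name == "") return
      if (accept !~ /^(127\.0\.0\.1|localhost):/)
        printf "%s: accept=%s is not bound to loopback\n", name, accept
      if (!verified)
        printf "%s: server certificate is not verified\n", name
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }       # comments and blank lines
    /^[ \t]*\[/ {                               # start of a service block
      report()
      name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
      accept = ""; verified = gverified; next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
      gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
      ok = (key == "verify" && val + 0 >= 2) || (key == "verifychain" && val == "yes")
      if (name == "") { if (ok) gverified = 1 }  # global default for all blocks
      else if (key == "accept") accept = val
      else if (ok) verified = 1
    }
    END { report() }
  ' "$1"
}

# Constructed sample: the first block follows the HOWTO as written, the second
# adds verification (CA bundle path is the Debian/Ubuntu default, an assumption).
sample=$(mktemp)
cat > "$sample" <<'EOF'
client = yes
[Gmail-IMAP]
accept = 127.0.0.1:3000
connect = imap.gmail.com:993
[Gmail-SMTP]
accept = 127.0.0.1:3001
connect = smtp.gmail.com:465
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
lint_stunnel "$sample"
rm -f "$sample"
```

On the sample, only the Gmail-IMAP block is reported, because it has no verification option; a bare `accept = 3000` would also be reported, since without a host stunnel listens on all interfaces.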

6. Start stunnel4
sudo stunnel4

7. Configure Outlook
Outlook can be configured using the standard set-up wizard: Tools > Account Settings > New. Fill in the details as usual, except that instead of using your email provider's incoming and outgoing server settings, you should use your localhost, i.e. 127.0.0.1, together with the appropriate ports as specified in your stunnel.conf file. So, continuing with our Gmail example above, both your incoming and outgoing servers would be 127.0.0.1 and your incoming port would be 3000, with your outgoing port being 3001.

Please note: Do not select any encryption on either protocol. With stunnel set up correctly, Outlook will transmit data to 127.0.0.1 (your computer), stunnel will then encrypt the data using your certificate and then transmit it to the appropriate server.

Outlook should now be able to send and receive emails using the account that you have just set up. If there are no problems, you can deactivate debugging in the stunnel.conf file by commenting out the appropriate lines.

8. Configure stunnel to start when Outlook starts

Stunnel can be a little temperamental if it is started at boot time, or before an internet connection is established. I have not yet found a satisfactory method of automatically starting Stunnel; any suggestions would be most welcome.

Credit: This HOWTO was based on this forum post, with a few additions and modifications.
