Install stunnel4
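# Debian/Ubuntu ship stunnel as the "stunnel4" package; the rest of this page
# (service name, chroot directory, setuid user) refers to it by that name, so
# install that package rather than the bare "stunnel" name.
apt update
apt install stunnel4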
Create the certificate file from Let's Encrypt
# Renewal hook that rebuilds the combined PEM; keep it root-owned and not
# writable by anyone else, since it runs with access to the private key.
vim /root/renew-cert.sh
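#!/bin/bash
# renew-cert.sh — assemble the PEM that stunnel's `cert =` option points at
# (private key followed by the certificate) from the Let's Encrypt live
# directory. Run it after every renewal (e.g. from a certbot deploy hook) and
# restart stunnel4 afterwards; the cert path lies outside the chroot, so the
# running instance cannot re-read it on its own.
#
# Environment (all optional, defaults match the original one-liner):
#   LIVE_DIR     Let's Encrypt live directory for the host
#   CERT_FILE    certificate file inside LIVE_DIR (cert.pem; use fullchain.pem
#                if clients need the intermediate chain from this endpoint)
#   STUNNEL_PEM  output file
set -euo pipefail

live_dir=${LIVE_DIR:-/etc/letsencrypt/live/wiki.lexodexo.de}
cert_file=${CERT_FILE:-cert.pem}
out=${STUNNEL_PEM:-/etc/stunnel/stunnel.pem}

# Both inputs must be readable up front; otherwise a missing file would leave
# a truncated PEM behind and stunnel would fail to start with the new one.
for f in "$live_dir/privkey.pem" "$live_dir/$cert_file"; do
  [[ -r "$f" ]] || { printf 'renew-cert: cannot read %s\n' "$f" >&2; exit 1; }
done

# The combined file contains the private key. The original redirect created it
# with the default umask (typically world-readable); write it under a
# restrictive umask into a temporary file next to the target and rename it into
# place, so the key is never exposed and stunnel never sees a partial file.
umask 077
tmp=$(mktemp "$out.XXXXXX")
trap 'rm -f -- "$tmp"' EXIT
{
  cat -- "$live_dir/privkey.pem"
  echo ""
  cat -- "$live_dir/$cert_file"
  echo ""
} > "$tmp"
chmod 600 -- "$tmp"
mv -f -- "$tmp" "$out"
trap - EXIT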
Configuring incoming IMAP traffic
# Server-mode instance (terminates TLS for port 993); contents follow below.
vim /etc/stunnel/ssl_in.conf
; /etc/stunnel/ssl_in.conf
; Server-mode instance: terminates TLS for IMAPS on port 993 and hands the
; plaintext IMAP session to localhost:10993, where the client-mode instance
; from ssl_out.conf picks it up and re-encrypts it towards the upstream server.
; Plaintext therefore only ever travels over the loopback interface.
; Certificate/key is needed in server mode and optional in client mode
; NOTE(review): this file also contains the private key (see renew-cert.sh),
; so it must be readable by root only. It presumably is read at startup before
; setuid takes effect - confirm, and restart the service after each renewal,
; because the path lies outside the chroot below.
cert = /etc/stunnel/stunnel.pem
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /srv1.pid
; Log level 4 (syslog "warning"); raise it only temporarily when debugging a
; handshake problem, higher levels are verbose.
debug = 4
; With output unset, messages go to syslog (journalctl -u stunnel4 on systemd
; hosts). Uncomment to log to a file instead.
;output = /tmp/incoming.log
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Listener: TLS on port 993 (every local address, no host given) forwarded in
; the clear to the local port 10993 that ssl_out.conf accepts on.
[ssl_in_imap]
accept = 993
connect = localhost:10993
Configuring outgoing IMAP traffic
# Client-mode instance (re-encrypts towards the upstream IMAP server); contents follow below.
vim /etc/stunnel/ssl_out.conf
; /etc/stunnel/ssl_out.conf
; Client-mode instance: takes the plaintext session that ssl_in.conf delivers
; to localhost:10993 and re-encrypts it towards imap.example.com:993.
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /clt1.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client=yes
; NOTE(review): relative path - it is resolved against the process working
; directory (or the chroot, if opened later), not against /etc/stunnel, so the
; bundle may never be found. Use an absolute path, e.g. the system CA bundle.
CAfile = clt1.ca
; NOTE(review): verify = 0 requests the upstream certificate but does not check
; it, so the hop to imap.example.com is unauthenticated and could be intercepted
; without any error in the log. With a usable CAfile, set `verify = 2` so the
; chain is validated; stunnel 5.x can additionally pin the expected name with
; `checkHost = imap.example.com`.
verify = 0
; Listener: plaintext IMAP on port 10993. Without a host part this binds every
; local address, not just loopback; consider `accept = 127.0.0.1:10993` so only
; the ssl_in instance on this host can feed traffic into the tunnel.
[ssl_out_imap]
accept = 10993
connect = imap.example.com:993
iptables rules
# Firewall rules for the stunnel container. Appended with -A, so they are
# in effect only until the next reboot unless saved by whatever persistence
# mechanism the host uses.

# IPv6: the container has a public address and is routed directly (no NAT).
container6='2a03:4000:48:663::f002/128'
# IPv4: public address on the host uplink, private address inside the container.
wan_if='ens3'
public4='45.132.244.96'
container4='10.20.30.101'
container_net4='10.20.30.0/24'

# Allow outgoing IMAPs from container (OUTPUT chain, matched on the container
# source address; NOTE(review): if the container is a separate network
# namespace this traffic may traverse FORWARD instead - confirm).
ip6tables -A OUTPUT -s "$container6" -p tcp --dport 993 -j ACCEPT
# Allow incoming IMAPs to container
ip6tables -A FORWARD -d "$container6" -p tcp --dport 993 -j ACCEPT

# Allow IMAPs to/from container with IPv4 NAT: rewrite the public 993 to the
# container, and masquerade everything leaving the container network.
# NOTE(review): the nat table only rewrites addresses; whether the DNATed
# packets are then accepted depends on the filter FORWARD policy, which this
# page does not show. The MASQUERADE rule is not limited to IMAPS.
iptables -t nat -A PREROUTING -i "$wan_if" -d "$public4" -p tcp --dport 993 -j DNAT --to "$container4:993"
iptables -t nat -A POSTROUTING -s "$container_net4" -o "$wan_if" -j MASQUERADE
Restart and test
# Restart the service so both instances re-read their config and the PEM
# (presumably the unit starts every .conf under /etc/stunnel - confirm).
systemctl restart stunnel4
# Tail the service log; certificate, CAfile and bind errors show up here.
journalctl -f -u stunnel4