5.9.How to Send SSL-encrypted Email

The mailing program that the OPC DataHub uses to transmit email (Blat) does not support SSL or TLS encryption. However, it is possible and very simple to create an SSL tunnel that converts the DataHub's plain-text mail connection into an SSL-encrypted connection, using a free tool called Stunnel. You simply need to install and configure the Stunnel program to act as a text-to-SSL converter.

Configuration

Stunnel needs to be installed on the same computer on which you run the OPC DataHub. Here's how to install and configure Stunnel:

  1. Download the current version of Stunnel from here:
    http://www.stunnel.org/download/binaries.html
  2. Install Stunnel using the default installation options by executing the installer:
    stunnel-n.nn-installer.exe
    This will create an Stunnel entry in the Start menu of your Windows desktop.
  3. Open your Windows Start menu, and from the Stunnel menu, select the Edit stunnel.conf option.
  4. In stunnel.conf, turn on client mode as follows:
    1. Find the entry within the file that says:
      ; Use it for client mode
      ; client = yes
    2. Remove the semicolon prior to client = yes and add the line verify = 0 so the file looks like this:
      ; Use it for client mode
      client = yes
      verify = 0
  5. In stunnel.conf, delete all lines in the configuration file following the comment Service-level configuration. These service configurations are simply examples.
  6. In stunnel.conf, add a service configuration section for your email server. For example, the following lines use Google Mail's SSL server for outgoing email:
    ; Service-level configuration
    
    [pseudo-ssmtp]
    accept = localhost:25
    connect = smtp.gmail.com:465
    You will need to modify smtp.gmail.com:465 to reflect the host name and port of your secure SMTP server. Normally the port will remain at 465, which is the standard port for SMTP over SSL.
  7. Save and close stunnel.conf.
  8. Modify your OPC DataHub configuration to use the SSL tunnel:
    Enter localhost for the SMTP Server and 25 for the Port, as configured in the stunnel.conf file. The User name and Password should be the user name and password expected by your actual SMTP server.
  9. Click the Apply button to submit your entries.
  10. Start Stunnel through the Windows Start menu. While testing, you can run Stunnel as a normal user. This will create an icon in the system tray that will allow you to examine the Stunnel log as connections are made.
  11. Test the tunnel by creating an email action and causing the email to be sent. If the Stunnel configuration is correct, the email will be sent. If it fails, consult the Stunnel log and the DataHub Script Log.
  12. When testing is complete, stop Stunnel using the icon in the Windows system tray.
  13. Install Stunnel as a service by selecting Service install from the Stunnel menu of the Windows Start menu.
  14. Start the Stunnel service by selecting Service start from the Stunnel menu of the Windows Start menu.

This completes the Stunnel configuration.

Sample stunnel.conf File

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = stunnel.pem
;key = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
client = yes
verify = 0

; Service-level configuration

[pseudo-ssmtp]
accept = localhost:25
connect = smtp.gmail.com:465