5.9. How to Send SSL-encrypted Email
The mailing program that the OPC DataHub uses to transmit email (Blat) does not support SSL or TLS encryption. However, it is possible and very simple to create an SSL tunnel that converts the DataHub's plain-text mail connection into an SSL-encrypted connection, using a free tool called Stunnel. You simply need to install and configure the Stunnel program to act as a text-to-SSL converter.
Configuration
Stunnel needs to be installed on the same computer on which you run the OPC DataHub. Here's how to install and configure Stunnel:
- Download the current version of Stunnel from here: http://www.stunnel.org/download/binaries.html
- Install Stunnel using the default installation options by executing the installer: stunnel-n.nn-installer.exe
  This will create an entry in the menu of your Windows desktop.
- Open your Windows menu, and from the menu, select the option.
- In stunnel.conf, turn on client mode as follows:
  Find the entry within the file that says:
; Use it for client mode
; client = yes
  Remove the semicolon prior to client = yes and add the line verify = 0 so the file looks like this:
; Use it for client mode
client = yes
verify = 0
- In stunnel.conf, delete all lines in the configuration file following the comment Service-level configuration. These service configurations are simply examples.
- In stunnel.conf, add a service configuration section for your email server. For example, the following lines use Google Mail's SSL server for outgoing email:
; Service-level configuration
[pseudo-ssmtp]
accept = localhost:25
connect = smtp.gmail.com:465
  You will need to modify smtp.gmail.com:465 to reflect the host name and port of your secure SMTP server. Normally the port will remain at 465, which is the standard port for SMTP over SSL.
- Save and close stunnel.conf.
- Modify your OPC DataHub configuration to use the SSL tunnel:
  - Enter localhost for the SMTP Server and 25 for the Port, as configured in the stunnel.conf file. The User name and Password should be the user name and password expected by your actual SMTP server.
  - Click the Apply button to submit your entries.
- Start Stunnel through the Windows menu. While testing, you can run Stunnel as a normal user. This will create an icon in the system tray that will allow you to examine the Stunnel log as connections are made.
- Test the tunnel by creating an email action and causing the email to be sent. If the Stunnel configuration is correct, the email will be sent. If it fails, consult the Stunnel log and the DataHub Script Log.
- When testing is complete, stop Stunnel using the icon in the Windows system tray.
- Install Stunnel as a service by selecting from the menu of the Windows menu.
- Start the Stunnel service by selecting from the menu of the Windows menu.
This completes the Stunnel configuration.
Sample stunnel.conf File
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = stunnel.pem
;key = stunnel.pem
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log
; Use it for client mode
client = yes
verify = 0
; Service-level configuration
[pseudo-ssmtp]
accept = localhost:25
connect = smtp.gmail.com:465
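
With verify = 0, as set in the steps above, the connection is encrypted but Stunnel does not check the mail server's certificate, so the tunnel cannot tell the real SMTP server from an impostor. The following is an added example, not part of the original DataHub documentation or the Stunnel distribution: the same client-mode settings next to a variant that enables verification with the verify, CAfile, debug and output options that appear commented out in the sample file. It assumes certs.pem is stored beside stunnel.conf and holds the CA certificates that issued your SMTP server's certificate.

```ini
; As configured in the steps above: encrypted, but the server is not authenticated
; client = yes
; verify = 0

; Variant with certificate verification
client = yes
; Level 2: require a server certificate and validate its chain against CAfile
verify = 2
; Assumed file: PEM bundle of trusted CA certificates, stored beside stunnel.conf
CAfile = certs.pem
; Write a log so that a failed verification is visible while testing
debug = 7
output = stunnel.log

; Service-level configuration
[pseudo-ssmtp]
; Accept on the loopback interface only, so other hosts cannot relay through the tunnel
accept = localhost:25
connect = smtp.gmail.com:465
; Stunnel 5.x only: also require the certificate to match this host name
; checkHost = smtp.gmail.com
```

With verification on, a server certificate that does not chain to a CA in certs.pem makes the connection fail, and the reason is recorded in stunnel.log.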