A common problem that we run across while doing migrations is legacy applications or devices which use SMTP to send mail or POP3 to retrieve mail.

In some cases these applications or devices don’t support the requirements for connecting to Microsoft Online.  Examples include not being able to connect on a non-standard port, or not having the ability to connect over TLS or SSL.  After doing a bit of research we think we’ve found a good way to get these applications to connect without SSL and on the standard POP3 or SMTP ports!

The secret is a free application called stunnel. Stunnel listens for non-SSL connections and converts them to SSL or TLS connections.  This allows you to configure your applications to connect without using SSL to the stunnel service, and then stunnel builds an encrypted tunnel to the Microsoft Online POP3 or SMTP services.

You can install stunnel on a server or workstation in your environment and configure your devices which don’t support TLS or POP3 over SSL to connect through that server to the Microsoft Online Services.  Continue reading for details on how to configure and use stunnel.

Getting stunnel up and running is pretty straightforward.

Step 1 – Install stunnel

You can download the stunnel Windows binaries from https://www.stunnel.org/config_windows.html

After downloading and installing the exe, you will likely want to configure it to run as a service.  To do that, go to Start->All Programs->stunnel->Service Install.

Step 2 – Configure the stunnel configuration file

You can download a configuration file that has been preconfigured for use with Microsoft Online here.

The configuration file looks like:

# Stunnel configuration file for Microsoft Online POP3 and SMTP
# Author: MessageOps
# GLOBAL OPTIONS
client = yes
output = stunnel-log.txt
debug = 4
taskbar = yes

# Accept connections on port 110 and send to Microsoft Online on port 995 over SSL
[POP3 Incoming]
accept = 127.0.0.1:110
connect = pop.mail.microsoftonline.com:995

# Accept connections on port 25 and send to Microsoft Online on port 587 over TLS
[SMTP Outgoing]
protocol = smtp
accept = 127.0.0.1:25
connect = Smtp.mail.microsoftonline.com:587

This configuration file tells stunnel to listen on ports 110 and 25 and to redirect connections on those ports to the appropriate SSL ports.

You might need to modify a few settings in the file:

  • The Microsoft Online Server names are for customers in the North America Datacenter.  If you are in a different datacenter, update to the appropriate values.
  • With this configuration, stunnel will only listen on the address 127.0.0.1.  This is only useful if the application that needs to connect to Microsoft Online resides on the system that stunnel is running on.  You can remove the 127.0.0.1 portion of the address to have the service listen on all IP Addresses.  That would look like:

accept = 25

After the file has been modified, replace the existing stunnel.conf in the Program Files\stunnel directory with the new one.

Finally start the stunnel service.
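
A check you could run against stunnel.conf before starting the service, added here as an example (it is not part of the original article or of stunnel itself). It flags listeners that accept unencrypted connections from other hosts and client services that leave stunnel's certificate checks (verifyChain, verifyPeer, checkHost) unset; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the article's configuration with the SMTP listener
# opened to all interfaces, as in the "accept = 25" variant.
SAMPLE_CONF = """\
client = yes
[POP3 Incoming]
accept = 127.0.0.1:110
connect = pop.mail.microsoftonline.com:995
[SMTP Outgoing]
protocol = smtp
accept = 25
connect = smtp.mail.microsoftonline.com:587
"""
LOOPBACK = ("127.", "localhost", "::1")

def parse_conf(text):
    """Return (global_options, {service_name: options}) for stunnel.conf text."""
    glob, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1), {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (glob if current is None else current)[key.lower()] = value
    return glob, services

def audit(text):
    """Return (service, finding) pairs for exposed listeners and unverified TLS."""
    glob, services = parse_conf(text)
    findings = []
    for name, opts in services.items():
        merged = {**glob, **opts}            # service options override globals
        accept = merged.get("accept", "")
        host = accept.rsplit(":", 1)[0] if ":" in accept else ""
        if not host.startswith(LOOPBACK):    # bare port means all interfaces
            findings.append((name, "plaintext listener reachable from the network"))
        if merged.get("client") == "yes":
            pinned = merged.get("verifypeer") == "yes"
            chain = merged.get("verifychain") == "yes"
            if not (pinned or chain):
                findings.append((name, "verifyChain/verifyPeer not enabled"))
            elif chain and not pinned and "checkhost" not in merged:
                findings.append((name, "checkHost not set"))
    return findings
```

Calling audit(SAMPLE_CONF) reports the exposed SMTP listener and the missing certificate verification on both services.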

Step 3 – Verify the stunnel is listening for connections

To verify that stunnel is running, open a command prompt and run:

netstat -an | more

What you should see is the service listening on ports 25 and 110 as shown below.

(Note that in this case it’s listening on all IP addresses, not just 127.0.0.1)

[Image: command shell window displaying active connections]

Step 4 – Test your application

The final step is to test your application.  You’ll see that in this example we are configuring Outlook to connect via POP3.  So Outlook is configured to connect to POP3 on localhost on port 110 and port 25 is used to send mail.  When Outlook connects, stunnel establishes the connection with Microsoft Online over the encrypted channel.

[Image: email settings menu screen]

[Image: email account settings screen showing basic information fields]

The one thing to keep in mind with sending via SMTP is that you still have to authenticate if you want to use the Microsoft Online servers.  It seems most applications and devices support SMTP authentication; the part they typically don’t support is TLS.  With stunnel in place, you can use devices that don’t support TLS with Microsoft Online.

If you have any questions or comments, please contact us at [email protected] or get in touch via our contact form.
