DISCLAIMER: If you damage your system, it's not my fault.

This example is for: stunnel running chrooted, as a daemon listening on 993,
remote is localhost:143 (local imap).

These instructions are what worked for me on a Redhat 6.0 system. Adjust for
your system as necessary.

1) Build and install OpenSSL per the instructions located here:
   http://www.octaldream.com/scottm/talks/ssl/opensslca.html

2) Download and build stunnel. You can download stunnel from www.stunnel.org

     ./configure

   Then edit the Makefile and change piddir so that:

     piddir=/var/

   and build and install it:

     make
     make install

3) Create the chroot area directory structure

     mkdir /usr/local/stunnel
     cd /usr/local/stunnel
     mkdir cert dev etc lib sbin var

4) Populate the lib dir with what's needed

     cd /usr/local/stunnel/lib
     cp /lib/ld-2.1.1.so .
     ln -s ld-2.1.1.so ld-linux.so.2
     cp /lib/libc-2.1.1.so .
     ln -s libc-2.1.1.so libc.so.6
     cp /lib/libnsl-2.1.1.so .
     ln -s libnsl-2.1.1.so libnsl.so.1
     cp /lib/libnss_files-2.1.1.so .
     ln -s libnss_files-2.1.1.so libnss_files.so.2
     cp /lib/libnss_nis-2.1.1.so .
     ln -s libnss_nis-2.1.1.so libnss_nis.so.2
     cp /lib/libpthread-0.8.so .
     ln -s libpthread-0.8.so libpthread.so.0
     cp /lib/libutil-2.1.1.so .
     ln -s libutil-2.1.1.so libutil.so.1
     strip *

5) Create a urandom device file in the chroot area.

     cd /usr/local/stunnel/dev
     mknod -m 644 urandom c 1 9

6) Create an 'stunnel' user and 'stunnel' group in /etc/passwd and /etc/group,
   and set up chrooted versions of those files. Also chgrp/chmod the chrooted
   var dir, so the stunnel user can write its pid file. Make sure the UID/GID
   you use are unique; these are the lines I used:

     echo "stunnel:x:27:27:stunnel user:/usr/local/stunnel" >> /etc/passwd
     grep stunnel /etc/passwd > /usr/local/stunnel/etc/passwd
     echo "stunnel::27:stunnel" >> /etc/group
     grep stunnel /etc/group > /usr/local/stunnel/etc/group
     chgrp stunnel /usr/local/stunnel/var
     chmod g+w /usr/local/stunnel/var

7) Add a few more things to the etc dir.

     echo "127.0.0.1 localhost localhost.localdomain" > /usr/local/stunnel/etc/hosts

   This example is for stunnel listening on 993, remote is localhost:143 (the
   local imap server). Change the 'ALL' in hosts.allow as needed for your
   security needs.

     echo "localhost.imap: ALL" > /usr/local/stunnel/etc/hosts.allow
     echo "ALL: ALL" > /usr/local/stunnel/etc/hosts.deny
     echo "imap2 143/tcp imap" > /usr/local/stunnel/etc/services

8) Copy the stunnel binary to the sbin directory

     cd /usr/local/stunnel/sbin
     cp `which stunnel` .
     strip stunnel
     chmod 700 stunnel

9) Set up the certificate in the chroot area. Remove the passphrase from your
   certificate, per the instructions here:
   http://www.octaldream.com/scottm/talks/ssl/stunnel.html

   Then copy it over (replace /path/to/mycert.pem with wherever your
   passphrase-free certificate is):

     cp /path/to/mycert.pem /usr/local/stunnel/cert/mycert.pem
     chmod 600 /usr/local/stunnel/cert/mycert.pem

10) If you want logging, either pass a "-a ..." option to syslog via its init
    script, or use holelogd. This is left as an exercise for the reader :)

11) Prepare an init script. One is provided below.

     #!/bin/sh
     #
     # stunnel       Start/Stop the stunnel daemons
     #
     # description: stunnel is a script that runs stunnel daemons
     # version 1.00
     #
     # chkconfig: 345 40 60
     # processname: stunnel

     # Source function library.
     . /etc/rc.d/init.d/functions

     # See how we were called.
     case "$1" in
       start)
         echo -n "Starting stunnel services: "
         daemon chroot /usr/local/stunnel /sbin/stunnel -s stunnel -g stunnel \
             -p /cert/mycert.pem -d 993 -r localhost:imap
         echo
         ;;
       stop)
         echo -n "Stopping stunnel services: "
         killproc stunnel
         echo
         ;;
       status)
         status stunnel
         ;;
       restart)
         /etc/rc.d/init.d/stunnel stop
         /etc/rc.d/init.d/stunnel start
         ;;
       *)
         echo "Usage: stunnel {start|stop|status|restart}"
         exit 1
     esac

     exit 0
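A sanity check for the jail built in steps 3 to 9, added here as an example and not part of the original HOWTO: it walks the expected layout (directories, the urandom device, the chrooted passwd/group entries, the group-writable var, a mode-600 passphrase-free mycert.pem, and, when ldd is available, that every shared library the binary needs was copied into lib) and reports each gap. It assumes the directory names and the cert filename used above.

```shell
#!/bin/sh
# check_chroot ROOT: audit a stunnel chroot laid out as in steps 3-9.
# Prints every problem found and returns the number of problems (0 = looks sane).
check_chroot() {
    root="$1"
    problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    for d in cert dev etc lib sbin var; do
        [ -d "$root/$d" ] || fail "missing directory $root/$d"
    done
    # stunnel reads entropy from inside the jail, so the device must exist there
    [ -c "$root/dev/urandom" ] || fail "$root/dev/urandom is not a character device"
    # -s/-g resolve against the copies inside the jail, not the real /etc
    grep -q '^stunnel:' "$root/etc/passwd" 2>/dev/null || fail "no stunnel entry in $root/etc/passwd"
    grep -q '^stunnel:' "$root/etc/group"  2>/dev/null || fail "no stunnel entry in $root/etc/group"
    # var must be group-writable so the unprivileged daemon can write its pid file
    [ "$(ls -ld "$root/var" 2>/dev/null | cut -c6)" = "w" ] || fail "$root/var is not group-writable"
    # the private key must be readable by root only and must carry no passphrase
    cert="$root/cert/mycert.pem"
    if [ -f "$cert" ]; then
        [ "$(ls -l "$cert" | cut -c5-10)" = "------" ] || fail "$cert is not mode 600"
        if grep -q 'ENCRYPTED' "$cert"; then
            fail "$cert still has a passphrase on its key"
        fi
    else
        fail "missing certificate $cert"
    fi
    bin="$root/sbin/stunnel"
    [ -x "$bin" ] || fail "missing or non-executable $bin"
    # if the binary is an ELF executable and ldd is available, every shared
    # library it links against must have been copied into the jail's lib dir
    if [ -x "$bin" ] && command -v ldd >/dev/null 2>&1 \
       && [ "$(head -c 4 "$bin" | tr -d '\177')" = "ELF" ]; then
        for lib in $(ldd "$bin" 2>/dev/null | awk '/=>/ { print $1 }'); do
            [ -e "$root/lib/$lib" ] || fail "shared library $lib not in $root/lib"
        done
    fi
    return "$problems"
}
```

Run it as root after step 9 with `check_chroot /usr/local/stunnel`; a non-zero exit status is the number of problems printed.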