DISCLAIMER:  If you damage your system, it's not my fault.
 

This example is for:

   stunnel running chrooted, as a daemon
 
   listening on 993, remote is localhost:143 (local imap)
 

These instructions are what worked for me on a Red Hat 6.0
system.  Adjust for your system as necessary.
 
 

1) Build and install OpenSSL per the instructions located
   here:

   http://www.octaldream.com/scottm/talks/ssl/opensslca.html
 
 

2) Download and build stunnel.  You can download stunnel
   from www.stunnel.org

   ./configure
 
   Then edit the Makefile and change piddir so that:

      piddir=/var/

   make
   make install
 
 

3) Create the chroot area directory structure
 

   mkdir /usr/local/stunnel

   cd /usr/local/stunnel

   mkdir cert dev etc lib sbin var
 

 
4) Populate the lib dir with what's needed

   cd /usr/local/stunnel/lib

   cp /lib/ld-2.1.1.so .
   ln -s ld-2.1.1.so ld-linux.so.2

   cp /lib/libc-2.1.1.so .
   ln -s libc-2.1.1.so libc.so.6

   cp /lib/libnsl-2.1.1.so .
   ln -s libnsl-2.1.1.so libnsl.so.1

   cp /lib/libnss_files-2.1.1.so .
   ln -s libnss_files-2.1.1.so libnss_files.so.2

   cp /lib/libnss_nis-2.1.1.so .
   ln -s libnss_nis-2.1.1.so libnss_nis.so.2

   cp /lib/libpthread-0.8.so .
   ln -s libpthread-0.8.so libpthread.so.0

   cp /lib/libutil-2.1.1.so .
   ln -s libutil-2.1.1.so libutil.so.1
 
   strip *
 
 

5) Create a urandom device file in the chroot area.

   cd /usr/local/stunnel/dev

   mknod -m 644 urandom c 1 9
 

6) Create an 'stunnel' user and 'stunnel' group in /etc/passwd
   and /etc/group, and set up chrooted versions of those files.  Also
   chgrp/chmod the chrooted var dir so the stunnel user can write
   its pid file.
 
   Make sure the UID/GID you use are unique.  These are the lines
   I used:

   echo "stunnel:x:27:27:stunnel user:/usr/local/stunnel" >> /etc/passwd
   grep stunnel /etc/passwd > /usr/local/stunnel/etc/passwd
 
   echo "stunnel::27:stunnel" >> /etc/group
   grep stunnel /etc/group > /usr/local/stunnel/etc/group

   chgrp stunnel /usr/local/stunnel/var
   chmod g+w /usr/local/stunnel/var
 

 
7) Add a few more things to the etc dir.

   echo "127.0.0.1    localhost    localhost.localdomain" > /usr/local/stunnel/etc/hosts

   This example is for stunnel listening on 993, remote is localhost:143
   (the local imap server).  Change the 'ALL' in hosts.allow as needed for
   your security needs.

   echo "localhost.imap: ALL" > /usr/local/stunnel/etc/hosts.allow
   echo "ALL: ALL" > /usr/local/stunnel/etc/hosts.deny
 
   echo "imap2   143/tcp      imap" > /usr/local/stunnel/etc/services
 
 

8) Copy the stunnel binary to the sbin directory
 
   cd /usr/local/stunnel/sbin
   cp `which stunnel` .
   strip stunnel
   chmod 700 stunnel
 
 

9) Setup the certificate in the chroot area.
 
   Remove the passphrase from your certificate, per the instructions
   here:

   http://www.octaldream.com/scottm/talks/ssl/stunnel.html

   Then copy it over:

   cp <path to decrypted cert> /usr/local/stunnel/cert/mycert.pem
   chmod 600 /usr/local/stunnel/cert/mycert.pem
 
 

10) If you want logging, either pass a "-a ..." option to syslog via
    its init script, or use holelogd.  This is left as an exercise
    for the reader :)
 
 

11) Prepare an init script.  One is provided below.
 

#!/bin/sh
#
# stunnel      Start/Stop the stunnel daemons
#
# description: stunnel is a script that runs stunnel daemons
#              version 1.00
#
# chkconfig: 345 40 60
# processname: stunnel
 
# Source function library.
. /etc/rc.d/init.d/functions
 
# See how we were called.
case "$1" in
  start)
        echo -n "Starting stunnel services: "
        daemon chroot /usr/local/stunnel /sbin/stunnel -s stunnel -g stunnel \
               -p /cert/mycert.pem  -d 993 -r localhost:imap
        echo
        ;;
  stop)
        echo -n "Stopping stunnel services: "
        killproc stunnel
        echo
        ;;
  status)
        status stunnel
        ;;
  restart)
        /etc/rc.d/init.d/stunnel stop
        /etc/rc.d/init.d/stunnel start
        ;;
  *)
        echo "Usage: stunnel {start|stop|status|restart}"
        exit 1
esac
 
exit 0
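Before starting the init script, it is worth checking that nothing in steps 3 to 9 was missed, since a chrooted stunnel that cannot find its loader, its passwd entry or its urandom device fails in ways that are hard to read from the logs.  The following checker is an added example, not part of the original HOWTO; it assumes the layout used above (/usr/local/stunnel with cert/mycert.pem, sbin/stunnel and the etc files from step 7) and reports one line per problem:

```shell
#!/bin/sh
# check_stunnel_chroot ROOT
# Walks the chroot area built in steps 3 to 9 and prints one FAIL line per
# problem found.  The return value is the number of problems, so 0 means the
# area is complete and the decrypted key is not exposed to group or other.
# Assumes the layout used above: cert/mycert.pem, sbin/stunnel, etc/*, var.
problems=0
fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

check_stunnel_chroot() {
    root=$1
    problems=0

    for d in cert dev etc lib sbin var; do
        [ -d "$root/$d" ] || fail "missing directory $d"
    done

    # Step 4: the loader and libc must exist under the names the binary
    # asks for; the versioned copies they point at are distro specific.
    for l in ld-linux.so.2 libc.so.6; do
        [ -e "$root/lib/$l" ] || fail "lib/$l missing"
    done

    # Step 5: without a real urandom device OpenSSL cannot seed its PRNG.
    [ -c "$root/dev/urandom" ] || fail "dev/urandom is not a character device"

    # Step 6: user/group lookups happen inside the chroot, and var must be
    # group writable so the stunnel user can drop its pid file.
    grep -q '^stunnel:' "$root/etc/passwd" 2>/dev/null || fail "no stunnel user in etc/passwd"
    grep -q '^stunnel:' "$root/etc/group" 2>/dev/null || fail "no stunnel group in etc/group"
    if [ -d "$root/var" ] && [ "$(ls -ld "$root/var" | cut -c6)" != "w" ]; then
        fail "var is not group writable"
    fi

    # Step 7: name resolution and tcp wrappers read these from the chroot.
    for f in hosts hosts.allow hosts.deny services; do
        [ -f "$root/etc/$f" ] || fail "etc/$f missing"
    done

    # Steps 8 and 9: binary present; decrypted key readable only by its owner
    # (columns 5-10 of the ls mode string are the group/other bits).
    [ -x "$root/sbin/stunnel" ] || fail "sbin/stunnel missing or not executable"
    if [ -f "$root/cert/mycert.pem" ]; then
        [ "$(ls -ld "$root/cert/mycert.pem" | cut -c5-10)" = "------" ] \
            || fail "cert/mycert.pem is readable by group or other"
    else
        fail "cert/mycert.pem missing"
    fi
    return $problems
}
```

Run it as `check_stunnel_chroot /usr/local/stunnel` after step 9; an empty output and a zero exit status means the area is ready for the init script.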