The files in this directory show how to run tmda-ofmipd from xinet.d, using stunnel to provide TLS encryption. NOTE: This method runs a separate instance of stunnel and tmda-ofmipd for each incoming TLS connection. This allows tmda-ofmipd to see the true IP address of the connecting client. With a typical daemonized stunnel, tmda-ofmipd will only see connections from localhost (or wherever stunnel is running). Note 2: One could probably still run stunnel in daemonized mode, and spawn a new tmda-ofmipd instance for each incoming connection, thus removing the need to use xinetd. I personally didn't do this, because I already run a bunch of servers under xinetd, so doing it this way was consistent. xinetd may provide you useful features too. The same general principles (i.e. tmda-ofmipd "one-session" mode) should allow running tmda-ofmipd under DJB's tcpserver. A previous version of this patch was developed for this situation, so it should work fine. The files are: xinetd.d-tmda-ofmipd-starttls Put this in /etc/xinet.d/tmda-ofmipd-starttls. This file configures xinetd to listen for connections, and run the stunnel wrapper script for each connection. You will need an entry such as the following in /etc/services: tmda-ofmipd-starttls 8026/tcp stunnel-wrapper xinetd runs this script for each connection. This script invokes stunnel using stunnel.conf stunnel.conf This configuration file tells stunnel what to do with the connection; specifically, setup an SMTP session, allow STARTTLS, and then invoke tmda-ofmipd in one-session mode NOTE: I personally store both the server certificate and private key in the same file (hence the extension .key-and-crt). If you do not do this, then you will need to replace the "cert =" line in stunnel.conf with something along these lines: cert = /etc/ssl/keys/severn.wwwdotorg.org.crt key = /etc/ssl/keys/severn.wwwdotorg.org.key tmda-ofmipd-wrapper Once stunnel has established the TLS-encrypted SMTP session, it runs this script to actually communicate with the SMTP client. This script invokes tmda-ofmipd in "one-session" mode, and appropriate authentication etc. options.