DISCLAIMER:  If you damage your system, it's not my fault.

This example is for:

   stunnel running chrooted, as a daemon
   listening on 993, remote is localhost:143 (local imap)

These instructions are what worked for me on a Redhat 6.0
system.  Adjust for your system as necessary.

1) Build and install OpenSSL per the instructions located


2) Download and build stunnel.  You can download stunnel
   from www.stunnel.org

   Then edit the Makefile and change piddir so that:


   make install

3) Create the chroot area directory structure

   mkdir /usr/local/stunnel

   cd /usr/local/stunnel

   mkdir cert dev etc lib sbin var

4) Populate the lib dir with what's needed

   cd /usr/local/stunnel/lib

   cp /lib/ld-2.1.1.so .
   ln -s ld-2.1.1.so ld-linux.so.2

   cp /lib/libc-2.1.1.so .
   ln -s libc-2.1.1.so libc.so.6

   cp /lib/libnsl-2.1.1.so .
   ln -s libnsl-2.1.1.so libnsl.so.1

   cp /lib/libnss_files-2.1.1.so .
   ln -s libnss_files-2.1.1.so libnss_files.so.2

   cp /lib/libnss_nis-2.1.1.so .
   ln -s libnss_nis-2.1.1.so libnss_nis.so.2

   cp /lib/libpthread-0.8.so .
   ln -s libpthread-0.8.so libpthread.so.0

   cp /lib/libutil-2.1.1.so .
   ln -s libutil-2.1.1.so libutil.so.1
   strip *

5) Create a urandom device file in the chroot area.

   cd /usr/local/stunnel/dev

   mknod -m 644 urandom c 1 9

6) Create a 'stunnel' user and 'stunnel' group in /etc/passwd
   and /etc/group, and set up chrooted versions of those files.  Also
   chgrp/chmod the chrooted var dir so the stunnel user can write
   its pid file.
   Make sure the UID/GID you use are unique; these are the lines
   I used:

   echo "stunnel:x:27:27:stunnel user:/usr/local/stunnel" >> /etc/passwd
   grep stunnel /etc/passwd > /usr/local/stunnel/etc/passwd
   echo "stunnel::27:stunnel" >> /etc/group
   grep stunnel /etc/group > /usr/local/stunnel/etc/group

   chgrp stunnel /usr/local/stunnel/var
   chmod g+w /usr/local/stunnel/var

7) Add a few more things to the etc dir.

   echo "127.0.0.1    localhost    localhost.localdomain" > /usr/local/stunnel/etc/hosts

   This example is for stunnel listening on 993, remote is localhost:143
   (the local imap server).  Change the 'ALL' in hosts.allow to match
   your own security policy.

   echo "localhost.imap: ALL" > /usr/local/stunnel/etc/hosts.allow
   echo "ALL: ALL" > /usr/local/stunnel/etc/hosts.deny
   echo "imap2   143/tcp      imap" > /usr/local/stunnel/etc/services

8) Copy the stunnel binary to the sbin directory
   cd /usr/local/stunnel/sbin
   cp `which stunnel` .
   strip stunnel
   chmod 700 stunnel

9) Set up the certificate in the chroot area.
   Remove the passphrase from your certificate, per the instructions


   Then copy it over:

   cp <path to decrypted cert> /usr/local/stunnel/cert/mycert.pem
   chmod 600 /usr/local/stunnel/cert/mycert.pem

10) If you want logging, either pass a "-a ..." option to syslog via
    its init script, or use holelogd.  This is left as an exercise
    for the reader :)

11) Prepare an init script.  One is provided below.

#!/bin/sh
# stunnel      Start/Stop the stunnel daemons
# description: stunnel is a script that runs stunnel daemons
#              version 1.00
# chkconfig: 345 40 60
# processname: stunnel
# Source function library.
. /etc/rc.d/init.d/functions
# See how we were called.
case "$1" in
  start)
        echo -n "Starting stunnel services: "
        # chroot first, then stunnel drops to the stunnel user/group (-s/-g)
        # and reads its cert and /etc files relative to the chroot.
        daemon chroot /usr/local/stunnel /sbin/stunnel -s stunnel -g stunnel \
               -p /cert/mycert.pem  -d 993 -r localhost:imap
        ;;
  stop)
        echo -n "Stopping stunnel services: "
        killproc stunnel
        ;;
  status)
        status stunnel
        ;;
  restart)
        /etc/rc.d/init.d/stunnel stop
        /etc/rc.d/init.d/stunnel start
        ;;
  *)
        echo "Usage: stunnel {start|stop|status|restart}"
        exit 1
esac
exit 0
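A script to check the finished chroot against what the steps above set up, as an added example that is not part of this HOWTO. It assumes the layout used above (sbin/stunnel, cert/mycert.pem, dev/urandom, var, etc/hosts.deny); missing_libs reads the output of running ldd on the stunnel binary and reports any library that step 4 did not copy into lib.

```shell
#!/bin/sh
# Audit helper for the stunnel chroot built in this HOWTO (added example).

# Print the permission string (e.g. -rw-------) of a path.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Read "ldd sbin/stunnel" output on stdin and print every soname that is
# absent from $1/lib.  No output means every linked library is present.
missing_libs() {
    awk '/=>/ { print $1 }' | while read -r so; do
        [ -e "$1/lib/$so" ] || echo "$so"
    done
}

# Print one line per problem found in the chroot rooted at $1; print
# nothing when the tree matches the hardening the steps above intend.
audit_chroot() {
    root="$1"
    if [ -f "$root/sbin/stunnel" ]; then
        [ "$(mode_of "$root/sbin/stunnel")" = "-rwx------" ] \
            || echo "sbin/stunnel: expected mode 700"
    else
        echo "sbin/stunnel: missing"
    fi
    if [ -f "$root/cert/mycert.pem" ]; then
        [ "$(mode_of "$root/cert/mycert.pem")" = "-rw-------" ] \
            || echo "cert/mycert.pem: expected mode 600 (holds the decrypted key)"
    else
        echo "cert/mycert.pem: missing"
    fi
    # Step 5: stunnel needs entropy inside the chroot.
    [ -c "$root/dev/urandom" ] \
        || echo "dev/urandom: not a character device (mknod -m 644 urandom c 1 9)"
    # Step 6: var must be a directory the stunnel group can write its pid to.
    case "$(mode_of "$root/var")" in
        d????w*) ;;
        *) echo "var: must be a directory writable by group stunnel" ;;
    esac
    # Step 7: default-deny for tcp wrappers.
    grep -q '^ALL: *ALL' "$root/etc/hosts.deny" 2>/dev/null \
        || echo "etc/hosts.deny: missing default 'ALL: ALL'"
}

# Usage on the real tree:  audit_chroot /usr/local/stunnel
#                          ldd /usr/local/stunnel/sbin/stunnel | missing_libs /usr/local/stunnel
```

Run it as root after step 9; an empty result means the layout, modes and wrapper default match the steps above.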