This patch adds a new feature to Stunnel, allowing a single instance of stunnel to listen on a single port and use the subject of the presented client certificate to consult an LDAP directory and retrieve hostname/portnumber to which the connection is forwarded.

Stunnel.conf gets a new directive: Instead of `connect' with a hostname:portnumber, use

    CApath = /etc/stunnel/certs
    verify = 3
    Cafile = /etc/stunnel/chain.pem
    cert = /etc/stunnel/server.crt
    key = /etc/stunnel/server.key

    [service]
    accept = 4321
    dispatch = ldap://localhost:389/o=example.com?host?sub?(&(objectclass=account)(userid=@))

A sample LDIF:

    dn: userid=John Doe,o=example.com
    objectClass: top
    objectClass: account
    host: 10.0.0.1:smtp
    uid: /CN=John Doe/Email=jd@xyzy99.org

I've only tested this on Linux and FreeBSD.

Best regards,

        -JP
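An added example, not part of the original message or the patch: one way to expand the dispatch filter from the sample configuration, assuming `@` in the filter is the placeholder for the certificate subject. The function names `ldap_escape` and `build_filter` are hypothetical; the subject is escaped per RFC 4515 before substitution so that its characters cannot change the structure of the filter.

```c
#include <stdio.h>
#include <string.h>

/* RFC 4515: write '*', '(', ')' and '\' in a value as \XX hex pairs.
   Returns 0 on success, -1 if out is too small. */
static int ldap_escape(const char *in, char *out, size_t outlen) {
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 3 >= outlen) return -1;   /* 3 chars plus final NUL */
            out[o++] = '\\'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 15];
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Expand every '@' in the filter template (assumed placeholder) with the
   escaped subject. Only the template is scanned, so an '@' inside the
   subject (e.g. an e-mail address) is never expanded a second time. */
int build_filter(const char *tmpl, const char *subject, char *out, size_t outlen) {
    char esc[512];
    size_t o = 0, elen;
    if (outlen == 0 || ldap_escape(subject, esc, sizeof esc) != 0) return -1;
    elen = strlen(esc);
    for (; *tmpl; tmpl++) {
        if (*tmpl == '@') {
            if (o + elen >= outlen) return -1;
            memcpy(out + o, esc, elen);
            o += elen;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *tmpl;
        }
    }
    out[o] = '\0';
    return 0;
}

int main(void) {
    char f[256];
    /* Filter and subject taken from the sample configuration and LDIF. */
    if (build_filter("(&(objectclass=account)(userid=@))",
                     "/CN=John Doe/Email=jd@xyzy99.org", f, sizeof f) == 0)
        puts(f);
    return 0;
}
```

With `verify = 3` the subject comes from a locally installed certificate, but escaping still keeps a subject that contains parentheses or an asterisk from matching entries other than its own.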