This article is fairly old, but the principles still apply:

SSL was hard to get working under RH9 with stunnel, but not because of the
applications.  The documentation is just poor for the process.  Lots of
people have stunnel 3.x docs out there, but as of 4.x the config structure
changed.  Also - I couldn't get it working with xinetd, so I use standalone
stunnel which handles 100+ employees daily pretty easily on a simple P2 box.

Start by grabbing stunnel, openssl, sendmail, pop3d.  I am running :
sendmail-8.12.8-5.90 (smtp)
imap-2001a-18 (pop3)
stunnel-4.04-3 (tunnels ssl)
openssl-0.9.7a-5 (ssl)

In Red Hat 9, just cd /usr/share/ssl/certs/ and make stunnel.pem.  This will generate an 
SSL stunnel keyfile for you.

Now cd /etc/stunnel and create smail.conf :

-----------start-----------

cert = /usr/share/ssl/certs/stunnel.pem
chroot = /var/run/stunnel/

pid = /stunnel.pid
setuid = nobody
setgid = nobody

# Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS

#debug = 7
#output = stunnel.log

client = no

[pop3s]
accept  = 995
connect = 110

[ssmtp]
accept  = 465
connect = 25
-----------stop-----------

If you have pop3s configured in /etc/xinetd.d/pop3s, please disable it and restart xinetd.
Now launch "/usr/sbin/stunnel /etc/stunnel/smail.conf".  Put this in /etc/rc.d/rc.local to
launch at boot time.  Or create a pop3s entry in /etc/init.d/.  Make sure you have the 
995 and 465 ports open on your firewall.

In Eudora 5.2, set advanced network options to 1000 seconds for both timeouts and 32000 for
the network buffer.  Select the cache option.  Now under checking and sending mail, change 
the security option to Required, Alternate Port.  Check messages and get an error that the
key is not trusted.  Go back to the checking mail option screen and click on SSL info.  
Here you can manually accept the SSL key you generated on the server.  No more errors or
plain text passwords floating around out there anymore! 

If you have a Verisign SSL key already (as I do) just cat the key and cert files together
into one stunnel.pem file and leave it in the SSL certs directory.  Alter the config to point 
to this file instead of the 'make stunnel.pem' you generated.  The advantage to using the
official SSL key is that your users don't have to add the key manually.  But they are a
bit pricey.