Like any other service that flows over a network unencrypted,
important email information, such as usernames, passwords, and entire
messages, may be intercepted and viewed by users on the
network. Additionally, since the standard POP and IMAP protocols pass
authentication information unencrypted, it is possible for an attacker
to gain access to user accounts by collecting usernames and passwords
as they are passed over the network.
Most Linux MUAs designed to check email on remote servers support SSL
encryption. To use SSL when retrieving email, it must be
enabled on both the email client and server.
SSL is easy to enable on the client-side, often done with the click of
a button in the MUA's configuration window or via an option in the
MUA's configuration file. Secure IMAP and POP have known port numbers
(993 and 995, respectively) that the MUA uses to authenticate and
download messages.
Offering SSL encryption to IMAP and POP users on the email server is a
simple matter.
First, create an SSL certificate. This can be done two ways: by
applying to a Certificate Authority
(CA) for an SSL certificate or by creating a
self-signed certificate.
 | Caution |
|---|
| | Self-signed certificates should be used for testing purposes
only. Any server used in a production environment should use an SSL
certificate granted by a CA.
|
To create a self-signed SSL certificate for IMAP, change to the
/usr/share/ssl/certs/ directory and type the
following commands as root:
rm -f imapd.pem
make imapd.pem |
Answer all of the questions to complete the process.
To create a self-signed SSL certificate for POP, change to the
/usr/share/ssl/certs/ directory, and type the
following commands as root:
rm -f ipop3d.pem
make ipop3d.pem |
Again, answer all of the questions to complete the process.
 | Important |
|---|
| | Please be sure to remove the default imapd.pem and
ipop3d.pem files before issuing each make
command. |
Once finished, execute the /sbin/service xinetd
restart command to
restart the xinetd daemon which controls
imapd and ipop3d.
Alternatively, the stunnel command can be used as
an SSL encryption wrapper around the standard, non-secure daemons,
imapd or pop3d.
The stunnel program uses external OpenSSL
libraries included with Red Hat Enterprise Linux to provide strong cryptography and
protect the connections. It is best to apply to a CA to obtain an
SSL certificate, but it is also possible to create a self-signed
certificate.
To create a self-signed SSL certificate, change to the
/usr/share/ssl/certs/ directory, and type the
following command:
Again, answer all of the questions to complete the process.
Once the certificate is generated, it is possible to use the
stunnel command to start the
imapd mail daemon using the following command:
/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapd |
Once this command is issued, it is possible to open an IMAP email
client and connect to the email server using SSL encryption.
To start the pop3d using the
stunnel command, type the following command:
/usr/sbin/stunnel -d 995 -l /usr/sbin/pop3d pop3d |
For more information about how to use stunnel,
read the stunnel man page or refer to the
documents in the
/usr/share/doc/stunnel-<version-number>/
directory, where <version-number>
is the version number for stunnel.
