13.6.1. Securing Communication
Like any other service that flows over a network unencrypted, important email information, such as usernames, passwords, and entire messages, may be intercepted and viewed by users on the network. Additionally, since the standard POP and IMAP protocols pass authentication information unencrypted, it is possible for an attacker to gain access to user accounts by collecting usernames and passwords as they are passed over the network.
13.6.1.2. Securing Email Client Communications
Offering SSL encryption to IMAP and POP users on the email server is a simple matter.
First, create an SSL certificate. This can be done two ways: by applying to a Certificate Authority (CA) for an SSL certificate or by creating a self-signed certificate.
Caution
Self-signed certificates should be used for testing purposes only. Any server used in a production environment should use an SSL certificate granted by a CA.
To create a self-signed SSL certificate for IMAP, change to the /etc/pki/tls/certs/
directory and type the following commands as root:
rm -f cyrus-imapd.pem make cyrus-imapd.pem
Answer all of the questions to complete the process.
To create a self-signed SSL certificate for POP, change to the /etc/pki/tls/certs/
directory, and type the following commands as root:
rm -f ipop3d.pem make ipop3d.pem
Again, answer all of the questions to complete the process.
Important
Please be sure to remove the default imapd.pem
and ipop3d.pem
files before issuing each make
command.
Once finished, execute the /sbin/service xinetd restart
command to restart the xinetd
daemon which controls imapd
and ipop3d
.
Alternatively, the stunnel
command can be used as an SSL encryption wrapper around the standard, non-secure daemons, imapd
or pop3d
.
The stunnel
program uses external OpenSSL libraries included with Fedora to provide strong cryptography and protect the connections. It is best to apply to a CA to obtain an SSL certificate, but it is also possible to create a self-signed certificate.
To create a self-signed SSL certificate, change to the /etc/pki/tls/certs/
directory, and type the following command:
make stunnel.pem
Again, answer all of the questions to complete the process.
Once the certificate is generated, it is possible to use the stunnel
command to start the imapd
mail daemon using the following command:
/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapd
Once this command is issued, it is possible to open an IMAP email client and connect to the email server using SSL encryption.
To start the pop3d
using the stunnel
command, type the following command:
/usr/sbin/stunnel -d 995 -l /usr/sbin/pop3d pop3d
For more information about how to use stunnel
, read the stunnel
man page or refer to the documents in the /usr/share/doc/stunnel-<version-number>
/ directory, where <version-number>
is the version number for stunnel
.