8.14. Securing POP/IMAP with stunnel and SSL
Problem
You want to read mail on a POP or IMAP mail server securely. Your mail client supports SSL, but the mail server does not.
Solution
Use stunnel, installed on the mail server machine. Suppose your client host is myclient, the mail server host is mailhost, and the mail server listens on standard port numbers (110 for POP, 143 for IMAP).
Generate a self-signed X.509 certificate foo.crt, with private key in foo.key. [Recipe 4.8]
Place the certificate and key into a single file:
$ cat foo.crt foo.key > foo.pem $ chmod 600 foo.pem
Choose an arbitrary, unused TCP port number on mailhost, such as 12345.
Run this stunnel process on mailhost for a POP server, supplying the certificate’s private-key passphrase when prompted:
mailhost$ /usr/sbin/stunnel -p foo.pem -d 12345 -r localhost:110 -P none -f 2003.03.27 15:07:08 LOG5[621:8192]: Using 'localhost.110' as tcpwrapper service name Enter PEM pass phrase:
********
2003.03.27 15:07:10 LOG5[621:8192]: stunnel 3.22 on i386-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6b [engine] 9 Jul 2001 2003.03.27 15:07:10 LOG5[621:8192]: FD_SETSIZE=1024, file ulimit=1024->500 clients allowedFor an IMAP server, use port 143 instead of 110.
Add foo.crt to the client’s list of trusted certificates, in whatever way is appropriate for the client software and OS. You may need to convert the certificate format from PEM to DER: [Recipe 4.10]
$ openssl x509 -in foo.crt -out foo.der -outform der
Configure your mail ...
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.