27.6. Mail User Agents
There are scores of mail programs available under Red Hat Enterprise Linux. There are full-featured, graphical email client programs, such as Ximian Evolution, as well as text-based email programs such as
mutt
.
The remainder of this section focuses on securing communication between the client and server.
27.6.1. Securing Communication
Popular MUAs included with Red Hat Enterprise Linux, such as Ximian Evolution and
mutt
offer SSL-encrypted email sessions.
Like any other service that flows over a network unencrypted, important email information, such as usernames, passwords, and entire messages, may be intercepted and viewed by users on the network. Additionally, since the standard POP and IMAP protocols pass authentication information unencrypted, it is possible for an attacker to gain access to user accounts by collecting usernames and passwords as they are passed over the network.
27.6.1.1. Secure Email Clients
Most Linux MUAs designed to check email on remote servers support SSL encryption. To use SSL when retrieving email, it must be enabled on both the email client and server.
SSL is easy to enable on the client-side, often done with the click of a button in the MUA's configuration window or via an option in the MUA's configuration file. Secure IMAP and POP have known port numbers (993 and 995, respectively) that the MUA uses to authenticate and download messages.
27.6.1.2. Securing Email Client Communications
Offering SSL encryption to IMAP and POP users on the email server is a simple matter.
First, create an SSL certificate. This can be done two ways: by applying to a Certificate Authority (CA) for an SSL certificate or by creating a self-signed certificate.
Warning
Self-signed certificates should be used for testing purposes only. Any server used in a production environment should use an SSL certificate granted by a CA.
To create a self-signed SSL certificate for IMAP, change to the
/etc/pki/tls/certs/
directory and type the following commands as root:
rm -f cyrus-imapd.pem make cyrus-imapd.pem
Answer all of the questions to complete the process.
To create a self-signed SSL certificate for POP, change to the
/etc/pki/tls/certs/
directory, and type the following commands as root:
rm -f ipop3d.pem make ipop3d.pem
Again, answer all of the questions to complete the process.
Important
Please be sure to remove the default
imapd.pem
and ipop3d.pem
files before issuing each make
command.
Disable insecure SSL protocols by adding the following line to the
/etc/imapd.conf
file:
tls_cipher_list: TLSv1+HIGH:!aNull:@STRENGTH
This is due to the POODLE SSL vulnerability (CVE-2014-3566). See POODLE: SSLv3 vulnerability (CVE-2014-3566) for details.
Once finished, execute the
/sbin/service cyrus-imapd start
command to start the Cyrus IMAP and POP daemons.
Alternatively, the
stunnel
command can be used as an SSL encryption wrapper around the standard, non-secure IMAP and POP protocols. In that case, however, you must disable IMAPS and POP3 in the Cyrus configuration file, /etc/cyrus.conf
. To do so, comment out the lines containing imaps
and pop3s
, and restart the cyrus-imapd
service.
The
stunnel
program uses external OpenSSL libraries included with Red Hat Enterprise Linux to provide strong cryptography and protect the connections. It is best to apply to a CA to obtain an SSL certificate, but it is also possible to create a self-signed certificate.
To create a self-signed SSL certificate, change to the
/etc/pki/tls/certs/
directory, and type the following command:
make stunnel.pem
Again, answer all of the questions to complete the process.
When you have a certificate, create a configuration file for stunnel. It is a text file in which every line specifies an option or the beginning of a service definition. You can also keep comments and empty lines in the file to improve its legibility, where comments start with a semicolon.
The stunnel RPM package contains the
/etc/stunnel/
directory, in which you can store the configuration file. Although stunnel does not require any special format of the file name or its extension, use /etc/stunnel/stunnel.conf
. The following content configures stunnel as a TLS wrapper for secure IMAP and POP:
cert = /etc/pki/tls/certs/stunnel.pem ; Allow only TLS, thus avoiding SSL options = NO_SSLv2 options = NO_SSLv3 chroot = /var/run/stunnel setuid = nobody setgid = nobody pid = /stunnel.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143
Finally, start stunnel:
stunnel /etc/stunnel/stunnel.conf
For more information about how to use
stunnel
, read the stunnel
man page or refer to the documents in the /usr/share/doc/stunnel-<version-number>
/ directory, where <version-number> is the version number for stunnel
.