19.5. Mail User Agents
Red Hat Enterprise Linux offers a variety of email programs, both, graphical email client programs, such as Evolution, and text-based email programs such as
mutt
.
The remainder of this section focuses on securing communication between a client and a server.
19.5.1. Securing Communication
Popular MUAs included with Red Hat Enterprise Linux, such as Evolution and Mutt offer SSL-encrypted email sessions.
Like any other service that flows over a network unencrypted, important email information, such as user names, passwords, and entire messages, may be intercepted and viewed by users on the network. Additionally, since the standard
POP
and IMAP
protocols pass authentication information unencrypted, it is possible for an attacker to gain access to user accounts by collecting user names and passwords as they are passed over the network.
19.5.1.1. Secure Email Clients
Most Linux MUAs designed to check email on remote servers support SSL encryption. To use SSL when retrieving email, it must be enabled on both the email client and the server.
SSL is easy to enable on the client-side, often done with the click of a button in the MUA's configuration window or via an option in the MUA's configuration file. Secure
IMAP
and POP
have known port numbers (993
and 995
, respectively) that the MUA uses to authenticate and download messages.
19.5.1.2. Securing Email Client Communications
Offering SSL encryption to
IMAP
and POP
users on the email server is a simple matter.
First, create an SSL certificate. This can be done in two ways: by applying to a Certificate Authority (CA) for an SSL certificate or by creating a self-signed certificate.
Warning
Self-signed certificates should be used for testing purposes only. Any server used in a production environment should use an SSL certificate granted by a CA.
To create a self-signed SSL certificate for
IMAP
or POP
, change to the /etc/pki/dovecot/
directory, edit the certificate parameters in the /etc/pki/dovecot/dovecot-openssl.cnf
configuration file as you prefer, and type the following commands, as root
:
dovecot]#rm -f certs/dovecot.pem private/dovecot.pem
dovecot]#/usr/libexec/dovecot/mkcert.sh
Once finished, make sure you have the following configurations in your
/etc/dovecot/conf.d/10-ssl.conf
file:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem
Execute the
service dovecot restart
command to restart the dovecot
daemon.
Alternatively, the
stunnel
command can be used as an encryption wrapper around the standard, non-secure connections to IMAP
or POP
services.
The
stunnel
utility uses external OpenSSL libraries included with Red Hat Enterprise Linux to provide strong cryptography and to protect the network connections. It is recommended to apply to a CA to obtain an SSL certificate, but it is also possible to create a self-signed certificate.
See Using stunnel in the Red Hat Enterprise Linux 6 Security Guide for instructions on how to install
stunnel
and create its basic configuration. To configure stunnel
as a wrapper for IMAPS
and POP3S
, add the following lines to the /etc/stunnel/stunnel.conf
configuration file:
[pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143
The Security Guide also explains how to start and stop
stunnel
. Once you start it, it is possible to use an IMAP
or a POP
email client and connect to the email server using SSL encryption.