Ce contenu n'est pas disponible dans la langue sélectionnée.
19.5. Mail User Agents
Red Hat Enterprise Linux offers a variety of email programs, both, graphical email client programs, such as Evolution, and text-based email programs such as
mutt.
The remainder of this section focuses on securing communication between a client and a server.
19.5.1. Securing Communication
Popular MUAs included with Red Hat Enterprise Linux, such as Evolution and Mutt offer SSL-encrypted email sessions.
Like any other service that flows over a network unencrypted, important email information, such as user names, passwords, and entire messages, may be intercepted and viewed by users on the network. Additionally, since the standard
POP and IMAP protocols pass authentication information unencrypted, it is possible for an attacker to gain access to user accounts by collecting user names and passwords as they are passed over the network.
19.5.1.1. Secure Email Clients
Most Linux MUAs designed to check email on remote servers support SSL encryption. To use SSL when retrieving email, it must be enabled on both the email client and the server.
SSL is easy to enable on the client-side, often done with the click of a button in the MUA's configuration window or via an option in the MUA's configuration file. Secure
IMAP and POP have known port numbers (993 and 995, respectively) that the MUA uses to authenticate and download messages.
19.5.1.2. Securing Email Client Communications
Offering SSL encryption to
IMAP and POP users on the email server is a simple matter.
First, create an SSL certificate. This can be done in two ways: by applying to a Certificate Authority (CA) for an SSL certificate or by creating a self-signed certificate.
Warning
Self-signed certificates should be used for testing purposes only. Any server used in a production environment should use an SSL certificate granted by a CA.
To create a self-signed SSL certificate for
IMAP or POP, change to the /etc/pki/dovecot/ directory, edit the certificate parameters in the /etc/pki/dovecot/dovecot-openssl.cnf configuration file as you prefer, and type the following commands, as root:
dovecot]#rm -f certs/dovecot.pem private/dovecot.pemdovecot]#/usr/libexec/dovecot/mkcert.sh
Once finished, make sure you have the following configurations in your
/etc/dovecot/conf.d/10-ssl.conf file:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem
Execute the
service dovecot restart command to restart the dovecot daemon.
Alternatively, the
stunnel command can be used as an encryption wrapper around the standard, non-secure connections to IMAP or POP services.
The
stunnel utility uses external OpenSSL libraries included with Red Hat Enterprise Linux to provide strong cryptography and to protect the network connections. It is recommended to apply to a CA to obtain an SSL certificate, but it is also possible to create a self-signed certificate.
See Using stunnel in the Red Hat Enterprise Linux 6 Security Guide for instructions on how to install
stunnel and create its basic configuration. To configure stunnel as a wrapper for IMAPS and POP3S, add the following lines to the /etc/stunnel/stunnel.conf configuration file:
[pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143
The Security Guide also explains how to start and stop
stunnel. Once you start it, it is possible to use an IMAP or a POP email client and connect to the email server using SSL encryption.
