MandrakeUser.Org - Your Mandrake-Linux Knowledge Base!



Securing A POP3 Server Using stunnel

* Introduction
* Creating A Certificate
* Configuring xinetd
* Checking & Client Configuration

Related Resources:

man stunnel
stunnel FAQ

Revision / Modified: Sep. 21, 2001
Author: Justin Keane (edited)


* Introduction

Securing your Linux server should always include replacing the standard clear-text protocols with encrypted ones, in order to make your machine more resistant to sniffing attacks. Sniffing attacks are among the most difficult to prevent and are usually the most damaging attacks on a server. The essential problem with line sniffing is that machines on your network for which you are not responsible could be used to compromise your security. Upstream servers (at the ISP level) are also susceptible to compromise and could be used to sniff your traffic. If users transmit data over telnet or ftp, your security is in jeopardy every time they connect; with POP3, where connections occur much more frequently, the risk is even greater.

To minimize the risk of these attacks, using encrypted protocols in place of the clear-text ones is your best option. SSH (Secure Shell) and SSL (Secure Socket Layer) provide you with a wide array of possible secure configurations for data transfer. This article outlines the steps I used to secure my Mandrake 8.0 server and implement secure POP3 (POP3s).


* Creating A Certificate

Securing POP3 is a somewhat involved process, but by no means impossible. To protect POP3 you use stunnel to wrap connections to port 995 (pop3s). With this method, incoming connections on port 995 are passed through stunnel (which uses the SSL libraries to encrypt and decrypt the traffic) and then on to port 110 and your regular POP3 server. This is a rather roundabout method, but I haven't found an easier way to do it.

The first step in securing your POP3 is to check that SSL is installed. I recommend OpenSSL.

urpmi openssl

This will either report that the package is already installed or install it.

Next, it is important that you install the openssl-devel package! This package contains the static libraries stunnel needs to encrypt your connections with SSL; without it your stunnel installation won't work. You may first want to check whether the package is already installed, using the same method as before. Install the openssl-devel package and you're set for the next step.

Once OpenSSL and openssl-devel are installed you need to install stunnel. Either get the latest RPM from Cooker or compile the source archive. At this point (if you haven't encountered any errors) stunnel is installed. The next step is to make a certificate (which also creates the key used for the encryption). Simply type:

make cert

Answer the questions and take note of the directory the 'stunnel.pem' file is written to (it should be your current directory). Write this directory down, as you will need it in the next step. The file contains the private key as well as the certificate, so keep it readable by root only. Now stunnel is all set up.
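What 'make cert' does behind the scenes, as an added example that is not part of the original article and not stunnel's own code: the same 'openssl req -new -x509' call that the stunnel Makefile wraps (an assumption based on the stunnel FAQ), driven from a Python script so that the subject is given non-interactively, the resulting file (certificate followed by private key) is created readable by its owner only, and the file is then loaded back with Python's ssl module to confirm that the key actually matches the certificate, which is the condition stunnel needs to start with the file. It assumes the openssl command-line tool is on the PATH; the hostname mail.example.com, the file names and the function names are constructed for this example.

```python
"""Non-interactive stand-in for stunnel's 'make cert' (added example, not stunnel's own code).

Assumes the openssl command-line tool is on the PATH.  The hostname, file names and
function names are constructed for this example.
"""
import os
import ssl
import subprocess
import sys
import tempfile


def make_stunnel_pem(path, cn, days=365):
    """Write a self-signed certificate followed by its private key to `path`, mode 0600.

    This is the 'openssl req -new -x509' call that 'make cert' wraps (assumption based
    on the stunnel FAQ), with the subject supplied on the command line.
    """
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "key.pem")
        crt = os.path.join(tmp, "cert.pem")
        subprocess.run(
            ["openssl", "req", "-new", "-x509", "-nodes", "-newkey", "rsa:2048",
             "-days", str(days), "-subj", "/CN=" + cn, "-keyout", key, "-out", crt],
            check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        with open(crt, "rb") as f:
            cert_pem = f.read()
        with open(key, "rb") as f:
            key_pem = f.read()
    # The file carries the private key: create it owner-readable from the start
    # rather than relying on a chmod after the fact.
    old_umask = os.umask(0o077)
    try:
        with open(path, "wb") as f:
            f.write(cert_pem + key_pem)   # stunnel (and Python's ssl) find each block by its PEM header
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o600)                 # in case `path` already existed with wider permissions
    return path


def verify_stunnel_pem(path):
    """True if `path` holds a certificate and the matching private key, i.e. what stunnel needs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path)         # raises SSLError on a missing key or a key/cert mismatch
    except ssl.SSLError:
        return False
    return True


def describe_stunnel_pem(path):
    """Subject and expiry of the certificate, for the note you keep next to the file's location."""
    proc = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-subject", "-enddate"],
                          check=True, capture_output=True, text=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "stunnel.pem"
    name = sys.argv[2] if len(sys.argv) > 2 else "mail.example.com"   # constructed hostname
    make_stunnel_pem(target, name)
    print(describe_stunnel_pem(target))
    print("key matches certificate:", verify_stunnel_pem(target))
```

Run it as root in the directory you intend to keep the file in, e.g. 'python3 make_stunnel_pem.py /etc/stunnel/stunnel.pem pop.yourdomain.example'; the printed subject and expiry date are worth keeping with the path you wrote down, because the certificate will have to be renewed when it expires.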


* Configuring xinetd

The only step that remains is to modify xinetd so that it passes pop3s connections through stunnel to ipop3d, your POP3 server. Go to '/etc/xinetd.d' and type:

ls -l

If you don't see a pop3s entry in the directory go ahead and create one using:

touch pop3s

Type ls -l again to make sure the file was created. Once it exists (or if it was already there), edit the file with your favorite editor so that it reads:

# default: off
# description: The POP3S service allows remote users to access their mail \
#              using a POP3 client with SSL support such as fetchmail.
service pop3s
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/stunnel
        server_args     = -p /usr/sbin/stunnel.pem -l /usr/sbin/ipop3d -- ipop3d
        log_on_success  += USERID
        log_on_failure  += USERID
}

The server_args line is the important one and may differ on your machine. It specifies the flags xinetd passes to stunnel when it launches '/usr/sbin/stunnel'. The '-p' flag gives the location of the 'stunnel.pem' file (the one you wrote down a moment ago); change it so that it points at your 'stunnel.pem' (for instance, if your '.pem' is in '/home/joe', change it to read '-p /home/joe/stunnel.pem'). Leave the '-l' flag and everything that follows just as it appears: '-l /usr/sbin/ipop3d' tells stunnel to run ipop3d itself and hand it the decrypted connection. Make sure 'disable =' is set to 'no' so that the service is enabled, and make sure the server_args line is not broken across several lines.
Once you're done, save the file.

Now you need to restart xinetd:

service xinetd restart

You should be done at this point.


* Checking & Client Configuration

The easiest way I know to check whether the service is reachable is to telnet to port 995 on localhost:

telnet localhost 995

If the connection is accepted and then appears to hang, you should be OK: stunnel is waiting for an SSL handshake that telnet never sends, so no POP3 greeting appears. Check your log files in '/var/log/daemons', especially '/var/log/daemons/errors', to make sure there are no errors. If the connection is refused, check whether any firewall rules (ipchains, iptables, Bastille) are blocking it, and adjust them so that they allow port 995 through.
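A check that goes further than telnet, as an added example that is not from the original article: telnet only proves that something accepts the TCP connection, whereas a real POP3 client performs the SSL handshake and then expects a '+OK' greeting. The script below does exactly that with Python's standard ssl module and, when given the path of 'stunnel.pem' as cafile, also verifies the server certificate against it instead of ignoring it. It reports the failure modes described above separately: refused (nothing listening, or a firewall rule), timeout (the connection is accepted but no handshake completes) and tls-error (the port answers in the clear, as port 110 would). Host, port and the function names are the example's own; nothing here is stunnel's or xinetd's code.

```python
"""Check a POP3s port the way a client does: TLS handshake first, then the +OK greeting.

Added example, not from the original article.  Uses only the Python standard library;
host, port and cafile are parameters, and the self-signed stunnel.pem can be passed as
cafile so that the server certificate is verified rather than ignored.
"""
import socket
import ssl
import sys


def is_pop3_greeting(line):
    """POP3 servers open with a +OK status line (RFC 1939); anything else is not a POP3 greeting."""
    return line.startswith(b"+OK")


def check_pop3s(host="localhost", port=995, cafile=None, timeout=5.0):
    """Return (status, detail), where status is one of:

    ok            handshake completed and a +OK greeting was read
    bad-greeting  TLS works but the wrapped service is not speaking POP3
    refused       nothing listening (service disabled in xinetd, or a firewall rule)
    timeout       TCP connect succeeded but no TLS handshake completed (the telnet "hang")
    tls-error     the port answered in the clear, or the certificate was not acceptable
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # stunnel.pem is self-signed: pin the file, not a name
    if cafile:
        ctx.load_verify_locations(cafile)   # CERT_REQUIRED stays on: cert must match stunnel.pem
    else:
        ctx.verify_mode = ssl.CERT_NONE     # connectivity test only, no authentication
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                greeting = tls.recv(512)
                tls.sendall(b"QUIT\r\n")
                detail = greeting.decode("ascii", errors="replace").strip()
                if is_pop3_greeting(greeting):
                    return "ok", detail
                return "bad-greeting", detail or "connection closed without a greeting"
    except ConnectionRefusedError:
        return "refused", "nothing listening on %s:%d (check xinetd and firewall rules)" % (host, port)
    except socket.timeout:
        return "timeout", "connected to %s:%d but no TLS greeting within %.0fs" % (host, port, timeout)
    except ssl.SSLError as exc:
        return "tls-error", exc.reason or str(exc)
    except OSError as exc:
        return "error", str(exc)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    pem = sys.argv[2] if len(sys.argv) > 2 else None   # e.g. the stunnel.pem created earlier
    status, detail = check_pop3s(target, 995, cafile=pem)
    print(status, "-", detail)
    sys.exit(0 if status == "ok" else 1)
```

Run it as 'python3 check_pop3s.py localhost /path/to/stunnel.pem'; a non-zero exit status means clients cannot use the service yet, and the detail string says which of the cases above you are looking at. Running it against port 110 instead of 995 should report tls-error, which is a quick way to confirm that only the wrapped port speaks SSL.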

Once POP3s is set up, Outlook clients can connect by going to 'Tools -> Accounts', selecting the appropriate account, pressing the 'Properties' button and opening the 'Advanced' tab to make sure the 'use secure connection (SSL)' check-box is checked. If you use 'fetchmail' to get your mail, just add the ssl option to the account's rule in your '~/.fetchmailrc'. Other mail agents offer similar options.


Legal: All texts on this site are covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.