Securing your Linux server should always include
a substitution of standard protocols in order to make your machine more resistant
to sniffing attacks. Sniffing attacks are the most difficult to prevent and
usually are the most damaging attacks to a server. The essential problem
with line sniffing is that servers on your network for which you are not
responsible could potentially be used to compromise your security. Upstream
servers (at the ISP level) are also susceptible to compromise and could be
used to sniff your traffic. In the event that users are transmitting data
over telnet or ftp your security is in jeopardy every time they connect,
in the event of POP3 where connections occur much more frequently, the risk
is even greater.
To minimize the risk of these attacks, using encrypted
protocols in place of the clear text ones is your best option. SSH (Secure
Shell) and SSL (Secure Socket Layer) provide your a wide array of possible
secure configurations for data transfer. This article will attempt to outline
the steps I used to secure my Mandrake 8.0 server and implement secure POP3
(POP3s).
section index top
Securing POP3 is sort of an involved process but is
no means impossible. In order to protect POP3 what you're going to need to
do is use stunnel to wrap connections
to port 995 (pop3s). Using this method incoming connections are re-routed
from port 995, through stunnel (which uses SSL encryption libraries) to be
encrypted/decrypted, on to port 110 and your regular pop3 server. This is
a rather round about method, but I haven't found any easy way to do this.
The first step to securing you POP3 is to check and
make sure SSL is installed. I recommend using OpenSSL.
Use:
urpmi openssl
This will either report that the package is already
installed or install it.
It is important that next you install the openssl-devel
package! This package contains the static libraries needed by stunnel to
encrypt your connections using SSL technology. If you don't install this
package your stunnel installation won't work. You may first want to check
if the package is installed using the same method as before. Install the
openssl-devel package and you're set for the next step.
Once OpenSSL and OpenSSL-devel are installed you need
to install stunnel. Either get the latest RPM from Cooker or compile the
source code archive fromstunnel.org.
At this point (if you don't encounter any errors) your stunnel will be installed.
The next step is to make a certificate (which creates keys for the encryptions).
Simply type:
make cert
answer the questions and take note of where the 'stunnel.pem'
file is written to (it should be your current directory). Make sure you write
this directory down as we're going to need it for the next step. Now stunnel
is all set up.
section index top
The only step that remains is to modify xinetd so that it will allow the pop3s
connection to be passed by stunnel to ipop3d - your POP3 server. Go to '/etc/xinetd.d'
and type:
ls -l
If you don't see a pop3s entry in the directory go ahead
and create one using:
touch pop3s
Type the ls -l again to make sure the file
was created. Once created (or if it is already there) edit the file using
your favorite editor:
# default: off # description: The POP3S service allows remote users to access their mail \ # using an POP3 client with SSL support such as fetchmail. service pop3s { disable = no socket_type = stream wait = no user = root server = /usr/sbin/stunnel server_args = -p /usr/sbin/stunnel.pem -l /usr/sbin/ipop3d -- ipop3d log_on_success += USERID log_on_failure += USERID }
The server_args line is fairly important
and may be different on your machine. This line specifies the flags to use
when launching stunnel from '/usr/sbin/stunnel'. The '-p' flag indicates
the location of the 'stunnel.pem' file (remember you wrote it down just a
bit ago). Go ahead and change this section of the line so that it reflects
the location of your 'stunnel.pem' file (for instance, if your '.pem' is
in '/home/joe' change the line to read '-p /home/joe/stunnel.pem'). Leave
the '-l' flag and everything that follows just as it appears. Make sure that
your 'disable =' is set to 'no' so that the service will work. Also make
sure there aren't any line breaks in your file.
Once you're done save the file.
Now you need to restart xinetd:
service xinetd restart
You should be done at this point.
section index top
The easiest way I know to check if your connection works
is to telnet to 'localhost 995' using
telnet 127.0.0.1 995
If your connection is accepted and hangs you should
be OK. Check your log files in '/var/log/daemons', especially '/var/log/daemons/errors'
to make sure that there are no errors. If your connection is refused check
and see if you have any firewalling rules (ipchains, iptables, bastille)
running that might be killing your connection. Edit these so that they allow
port 995 through.
Once POP3s is set up Outlook clients can connect by
altering their 'tools->accounts - selecting the appropriate account' then
hitting the 'properties' button and the 'advanced' tab to make sure the 'use
secure connection (SSL)' check-box is checked. If you are using 'fetchmail'
to get your mail, just add the ssl option to the account rule
in your '~/.fetchmailrc'. Other mail agents offer similar options.
section index top
|