8.9. Running a POP/IMAP Mail Server with SSL
Problem
You want to allow secure, remote mail access that protects passwords and prevents session eavesdropping or tampering.
Solution
Use imapd with SSL. Out of the box, imapd can negotiate SSL protection on mail sessions via the STARTTLS (IMAP) and STLS (POP) mechanisms. (See SSL for Securing Mail.) Simply set your client to require SSL on the same port as the normal protocol (143 for IMAP, 110 for POP), and verify that it works. If so, you’re done.
Otherwise, if your client insists on using alternate ports, it is probably using the older convention of connecting to those ports with SSL first. In that case, use the following recipe:
Enable the IMAP daemon within xinetd:
/etc/xinetd.d/imaps: service imaps { ... disabled = no }
or within inetd (add or uncomment the line below):
/etc/inetd.conf: imaps stream tcp nowait root /usr/sbin/tcpd imapd
whichever your system supports.
Signal xinetd or inetd, whichever the case may be, to re-read its configuration and therefore begin accepting imapd connections. [Recipe 3.3][Recipe 3.4]
Test the SSL connection locally on the mail server, port 993: [Recipe 8.10]
$ openssl s_client -quiet -connect localhost:993
(Type 0 LOGOUT to end the test.)
Alternatively, use POP with SSL, following an analogous procedure:
Enable the POP daemon within xinetd :
/etc/xinetd.d/pop3s: service pop3s { ... disabled = no }
or inetd (add or uncomment the line below):
/etc/inetd.conf: pop3s stream tcp nowait root /usr/sbin/tcpd ...
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.