
pop3s server using stunnel

It's no secret that POP3 (Post Office Protocol) is an insecure protocol: everything, passwords included (!), travels between the POP3 server and the PC in plain text. Like telnet, FTP and other protocols of that generation, POP3 offers no resistance at all to sniffing. Even if you are sure that your own network and PC are secure, you cannot trust your ISP's network, which may itself be compromised. Below is a how-to for securing a POP3 server in a few easy steps. It is aimed at people who can't or don't want to change their POP3 server software but still want to be secure.

First, download and install the latest stunnel version. I used the FreeBSD port of stunnel, but you can also get it from stunnel.org. Next you need to generate an SSL certificate:

cd /etc/ssl
openssl req -new -x509 -days 9999 \
-nodes -config openssl.cnf -out mail.pem \
-keyout mail.pem

Both -out and -keyout point at mail.pem, so the one file ends up holding the private key and the self-signed certificate together, which is the layout stunnel expects. Because it contains the private key, restrict it to mode 0600, readable by root only. 9999 days (about 27 years) is convenient, but a shorter validity and a rotated key limit the damage if the key ever leaks. Answer the prompts like this:

Country Name (2 letter code) [AU]:ISO_Country_Code_Here
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Org_Name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:your_pop3_server_fqdn (important)
Email Address []:Some_Email

The Common Name matters: mail clients compare it against the host name they connect to, so it must be the FQDN the clients use. I prefer to use official SSL certificates, because with a self-signed certificate e-mail clients always show a warning message (that is a little annoying). A CA-issued certificate also lets clients actually verify the server's identity instead of training users to click through warnings.

Now we need to create a config for stunnel. Here is my working config, saved as /etc/mail/stunnel.conf (the path referenced from inetd.conf below):

cert = /etc/ssl/mail.pem
sslVersion = all
exec = /usr/local/libexec/popa3d
output = /var/log/stunnel.log
ciphers = HIGH
debug = 6


A note on sslVersion: the value "all" lets stunnel negotiate any protocol the underlying OpenSSL supports, SSLv2 and SSLv3 included. That keeps very old POP3 clients working, which is tempting if you have a lot of accounts, but both of those protocols are broken (SSLv2 by DROWN, SSLv3 by POODLE), and a client that can be downgraded to them gains little from the tunnel. Prefer restricting stunnel to TLS (sslVersion = TLSv1 on the stunnel 4 series, sslVersion = TLSv1.2 on stunnel 5) and upgrade the few clients that cannot speak it. ciphers = HIGH keeps the weak export and low-grade suites out of the negotiation, and output/debug give you a log to look at when a client cannot connect.
As the last step you need to shut down the old plain POP3 service and start the new, secure one. In my case I need to remove pop3 from inetd.conf and add a new pop3s service:

# grep pop3s /etc/inetd.conf
pop3s stream tcp nowait root /usr/local/sbin/stunnel stunnel /etc/mail/stunnel.conf


After that you just need to restart inetd (or send it a HUP) so it rereads the configuration. The pop3s name must map to port 995 in /etc/services, which it does on FreeBSD. Make sure the plain pop3 line on port 110 really is gone: as long as it is still answering, a client that is misconfigured or downgraded will happily log in without encryption.

On the client side, choose an SSL/TLS connection in the mail client settings and port 995 instead of 110. This is an SSL-wrapped (implicit TLS) connection, not STARTTLS on port 110: stunnel encrypts the whole session from the first byte, and the POP3 server behind it never sees anything but plain POP3. For the same reason "Secure Authentication" (APOP, CRAM-MD5, SPA and friends) must stay unset, because we don't really have a POP3S server, only a secure tunnel between the PC and the plain POP3 server; the password still goes across as plain USER/PASS, but inside the tunnel, which is exactly what the tunnel protects.
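To make the protocol-version point concrete, here is an added example (my own, not code from the original post or from the stunnel project): a small POSIX sh script that lints a stunnel config for the weak settings discussed above, run against a constructed copy of the config shown earlier and a hardened counterpart. The directive names (cert, sslVersion, sslVersionMin, ciphers) are real stunnel options; the file paths inside the sample configs are illustrative and are never opened.

```shell
#!/bin/sh
# Added example (not from the original post or the stunnel project):
# lint a stunnel config for the weak protocol/cipher settings discussed
# in the post. Assumes only sed, grep and mktemp; the paths inside the
# sample configs are illustrative and are never opened.

# Normalise a config: drop comment (; or #) and blank lines and the
# whitespace around "=", so every directive reads "key=value".
stunnel_norm() {
    sed -e '/^[[:space:]]*[;#]/d' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e '/^[[:space:]]*$/d' "$1"
}

# stunnel_lint CONFIG: print one finding per line; prints nothing when clean.
stunnel_lint() {
    norm=$(stunnel_norm "$1")

    # "all" (or SSLv2/SSLv3 explicitly) re-enables protocols broken by
    # DROWN and POODLE; a client that can be downgraded to them gains
    # little from the tunnel.
    if printf '%s\n' "$norm" | grep -Eiq '^sslVersion=(all|SSLv2|SSLv3)$'; then
        echo "weak: sslVersion permits SSLv2/SSLv3 (use sslVersion = TLSv1.2, or sslVersionMin = TLSv1.2 on recent stunnel 5)"
    fi

    # Pinning the cipher list explicitly avoids depending on the default
    # of whichever stunnel/OpenSSL build happens to be installed.
    if ! printf '%s\n' "$norm" | grep -Eiq '^ciphers='; then
        echo "weak: no ciphers directive (e.g. ciphers = HIGH:!aNULL:!MD5)"
    fi

    # A server-mode stunnel cannot present anything without a certificate.
    if ! printf '%s\n' "$norm" | grep -Eiq '^cert='; then
        echo "error: no cert directive"
    fi
}

# stunnel_lint_count CONFIG: number of findings (0 means clean).
stunnel_lint_count() {
    n=$(stunnel_lint "$1" | grep -c .) || n=0
    echo "$n"
}

WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Constructed copy of the config from the post (paths are illustrative).
cat >"$WEAK_CONF" <<'EOF'
cert = /etc/ssl/mail.pem
sslVersion = all
exec = /usr/local/libexec/popa3d
output = /var/log/stunnel.log
ciphers = HIGH
debug = 6
EOF

# Hardened counterpart: TLS 1.2 only, no anonymous or MD5 suites.
cat >"$HARD_CONF" <<'EOF'
cert = /etc/ssl/mail.pem
sslVersion = TLSv1.2
exec = /usr/local/libexec/popa3d
output = /var/log/stunnel.log
ciphers = HIGH:!aNULL:!MD5
debug = 5
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f: $(stunnel_lint_count "$f") finding(s)"
    stunnel_lint "$f"
done
```

Run it with sh: the copy of the post's config yields one finding (sslVersion = all), the hardened copy none. Once your real /etc/mail/stunnel.conf passes, check the tunnel from another host with openssl s_client -connect your_pop3_server_fqdn:995 -tls1_2 and expect the POP3 server's +OK greeting to come back through the TLS session.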

Stay secure!
