Securing A POP3 Server Using stunnel
Introduction

Securing your Linux server should always include substituting encrypted protocols for the standard clear text ones, to make your machine more resistant to sniffing attacks. Sniffing attacks are the most difficult to prevent and usually the most damaging to a server. The essential problem with line sniffing is that servers on your network for which you are not responsible could be used to compromise your security. Upstream servers (at the ISP level) are also susceptible to compromise and could be used to sniff your traffic. If users transmit data over telnet or ftp, your security is in jeopardy every time they connect; with POP3, where connections occur much more frequently, the risk is even greater. To minimize the risk of these attacks, using encrypted protocols in place of the clear text ones is your best option. SSH (Secure Shell) and SSL (Secure Socket Layer) provide you with a wide array of possible secure configurations for data transfer. This article outlines the steps I used to secure my Mandrake 8.0 server and implement secure POP3 (POP3s).

Creating A Certificate

Securing POP3 is a somewhat involved process, but by no means impossible. To protect POP3 you use stunnel to wrap connections to port 995 (pop3s). Incoming connections on port 995 are routed through stunnel (which uses the SSL encryption libraries) to be encrypted and decrypted, and then on to port 110 and your regular pop3 server. This is a rather roundabout method, but I haven't found an easier way to do it.

The first step to securing your POP3 is to check and make sure SSL is installed. I recommend using OpenSSL:

    urpmi openssl

This will either report that the package is already installed or install it. Next it is important that you install the openssl-devel package. This package contains the static libraries stunnel needs to encrypt your connections using SSL.
If you don't install this package your stunnel installation won't work. You may first want to check whether the package is installed, using the same method as before. Install the openssl-devel package and you're set for the next step.

Once OpenSSL and openssl-devel are installed you need to install stunnel. Either get the latest RPM from Cooker or compile the source code archive from stunnel.org. Then run:

    make cert

Answer the questions and take note of where the 'stunnel.pem' file is written (it should be your current directory). Make sure you write this directory down, as we're going to need it for the next step. Now stunnel is all set up.

Configuring xinetd

The only step that remains is to modify xinetd so that it will pass pop3s connections through stunnel to ipop3d, your POP3 server. Go to '/etc/xinetd.d' and type:

    ls -l

If you don't see a pop3s entry in the directory, create one using:

    touch pop3s

Type the following into the pop3s file:

    # default: off
    # description: The POP3S service allows remote users to access their mail
    # using a POP3 client with SSL support such as fetchmail.
    service pop3s
    {
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/stunnel
        server_args     = -p /usr/sbin/stunnel.pem -l /usr/sbin/ipop3d -- ipop3d
        log_on_success  += USERID
        log_on_failure  += USERID
    }

The server_args

Once you're done, save the file. Now you need to restart xinetd:

    service xinetd restart

You should be done at this point.

Checking & Client Configuration

The easiest way I know to check whether your connection works is to telnet to 'localhost 995' using:

    telnet 127.0.0.1 995

If your connection is accepted and hangs, you should be OK. Check your log files in '/var/log/daemons', especially '/var/log/daemons/errors', to make sure there are no errors. If your connection is refused, check whether you have any firewalling rules (ipchains, iptables, bastille) running that might be killing your connection. Edit these so that they allow port 995 through.
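Because a typo in the pop3s stanza (a stray 'disable = yes', a missing -p, or a '--' separator that turned into dashes when copied from a web page) leaves you with exactly the "connection refused" symptom above, here is an added example, not part of the original article, that parses a stanza of the form shown and reports such problems. The sample stanza is constructed from the article's values; the parser and checks are this example's own, not part of xinetd or stunnel.

```python
import re
import shlex

# Constructed sample: the article's /etc/xinetd.d/pop3s stanza, comments omitted.
SAMPLE_STANZA = """\
service pop3s
{
    disable        = no
    socket_type    = stream
    wait           = no
    user           = root
    server         = /usr/sbin/stunnel
    server_args    = -p /usr/sbin/stunnel.pem -l /usr/sbin/ipop3d -- ipop3d
    log_on_success += USERID
}
"""

def parse_stanza(text):
    """Map attribute -> value for the first 'service X { ... }' block ('+=' values become lists)."""
    body = re.search(r"service\s+\S+\s*\{(.*?)\}", text, re.S)
    if not body:
        raise ValueError("no xinetd service stanza found")
    attrs = {}
    for line in body.group(1).splitlines():
        # strip trailing '#' comments, then match 'key = value' or 'key += value'
        m = re.match(r"\s*(\w+)\s*(\+?=)\s*(.*?)\s*$", line.split("#", 1)[0])
        if m:
            key, op, val = m.groups()
            if op == "+=":
                attrs.setdefault(key, []).append(val)
            else:
                attrs[key] = val
    return attrs

def flag_value(args, flag):
    """Argument following `flag` in server_args, or None if the flag is absent or dangling."""
    i = args.index(flag) + 1 if flag in args else len(args)
    return args[i] if i < len(args) else None

def check_pop3s(attrs):
    """Return the problems that would stop stunnel from wrapping ipop3d on port 995."""
    problems = []
    if attrs.get("disable", "yes").strip().lower() != "no":
        problems.append("service is disabled (disable must be 'no')")
    if not attrs.get("server", "").endswith("stunnel"):
        problems.append("server must be the stunnel binary")
    args = shlex.split(attrs.get("server_args", ""))
    pem = flag_value(args, "-p")
    if not pem or not pem.endswith(".pem"):
        problems.append("server_args needs -p <path to stunnel.pem>")
    if not flag_value(args, "-l"):
        problems.append("server_args needs -l <local program> (ipop3d)")
    if "--" not in args:  # a pair of en-dashes pasted from a web page is not '--'
        problems.append("server_args needs '--' before the program's own argv")
    return problems
```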
Once POP3s is set up, Outlook clients can connect by going to 'Tools -> Accounts', selecting the appropriate account, hitting the 'Properties' button and the 'Advanced' tab, and making sure the 'Use secure connection (SSL)' check-box is checked. If you are using 'fetchmail' to get your mail, just add the ssl

Related Resources:

    man stunnel
    stunnel FAQ

Revision / Modified: Sep. 21, 2001

Legal: This page is covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB and Mandrakesoft.