Official Red Hat Linux Administrator's Guide
Authors: N
Published year: 2002
Pages: 129-130/278

Security

Like any other service that flows over a network unencrypted, important email information, such as usernames, passwords, and entire messages, may be intercepted and viewed, all without the knowledge of the email server or client. When using standard POP and IMAP protocols, all authentication information is sent “in the clear,” meaning that someone on a network between the client and the remote server can easily view it.

Secure Email Clients

Thankfully, most Linux MUAs designed to check email on remote servers support SSL to encrypt messages as they are sent back and forth over the network. In order to use SSL when retrieving email, it must be enabled on the email client and server. SSL is easy to enable on the client side, often being done with the click of a button in the MUA’s configuration area. Secure IMAP and POP have known port numbers (993 and 995, respectively) that the MUA will use to authenticate and download messages. Popular MUAs included with Red Hat Linux, such as Mozilla Mail, mutt, and pine, offer SSL-encrypted email sessions.

Secure Email Servers

Offering SSL encryption to IMAP and POP users on the email server is almost as easy. Red Hat Linux also includes the stunnel package, which is an SSL encryption wrapper that wraps around standard, nonsecure network traffic for certain services and prevents interceptors from being able to “sniff” the communication between client and server. The stunnel program uses external SSL libraries, such as the OpenSSL libraries included with Red Hat Linux, to provide strong cryptography and protect your connections. You can apply to a Certificate Authority (CA) for an SSL certificate, or you can create a self-signed certificate to provide the benefit of the SSL-encrypted communication.

To create a self-signed SSL certificate, change to the /usr/share/ssl/certs/ directory, type the make stunnel.pem command, and answer the questions presented to you. Then, use stunnel to start the mail daemon you wish to use. For example, the following command could be used to start the IMAP server included with Red Hat Linux:

/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapd

You should now be able to open an IMAP email client and connect to your email server using SSL encryption. Of course, you will probably want to go a step further and configure your stunnel-wrapped IMAP server to automatically start up at the correct runlevels. For more information about how to use stunnel, read the stunnel man page or refer to the documents in the /usr/share/doc/stunnel-version-number directory.

Alternatively, you can use the imap package bundled with Red Hat Linux, which can provide SSL encryption on its own without stunnel. For secure IMAP connections, create the SSL certificate by changing to the /usr/share/ssl/certs/ directory and running the make imapd.pem command. Then, set the imapd service to start at the proper runlevels. You can also use the ipop3 package bundled with Red Hat Linux to provide SSL encryption on its own without stunnel.
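One way to check the result of either approach, as an added example that is not part of the book: the shell function below reads `netstat -ltn` or `ss -ltn` output and flags IMAP or POP3 listeners that are still reachable from the network in cleartext alongside the SSL ports 993 and 995. The cleartext port numbers (143 and 110), the function names, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets for mail ports.
# Input: lines in `netstat -ltn` or `ss -ltn` format (local address is field 4).
# On a live host: netstat -ltn | audit_mail_listeners

audit_mail_listeners() {
    awk '
    BEGIN {
        name[110] = "POP3";  name[143] = "IMAP"     # cleartext (assumed standard ports)
        name[993] = "IMAPS"; name[995] = "POP3S"    # SSL ports named in the text
    }
    /LISTEN/ {
        n = split($4, part, ":")                    # port is the last ":" field
        port = part[n]
        if (!(port in name)) next                   # not a mail retrieval port
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (port == 993 || port == 995)
            print "ok: SSL " name[port] " on " $4
        else if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
            print "local: cleartext " name[port] " on " $4
        else {
            print "EXPOSED: cleartext " name[port] " on " $4
            bad = 1
        }
    }
    END { exit bad + 0 }                            # non-zero if anything is exposed
    '
}

# Constructed sample, not captured from a real host.
sample_listeners() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 0.0.0.0:993     0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:143     0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:110   0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:25      0.0.0.0:*         LISTEN
EOF
}

sample_listeners | audit_mail_listeners ||
    echo "Cleartext mail port reachable from the network: restrict or disable it."
```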



Additional Resources

Many users initially find email programs difficult to configure, primarily because of the large number of options available. Following is a list of additional documentation to help you properly configure your mail applications.

Installed Documentation

  • Information about how to configure Sendmail is included with the sendmail and sendmail-cf packages.

  • /usr/share/doc/sendmail/README.cf — Contains information on m4, file locations for Sendmail, supported mailers, how to access enhanced features, and more.

  • /usr/share/doc/sendmail/README — Contains information on the Sendmail directory structure, IDENT protocol support, details on directory permissions, and the common problems these permissions can cause if misconfigured. In addition, the sendmail and aliases man pages contain helpful information covering various Sendmail options and the proper configuration of the Sendmail /etc/mail/aliases file, respectively.

  • /usr/share/doc/fetchmail-version-number — Contains a full list of Fetchmail features in the FEATURES file and an introductory FAQ document.

  • /usr/share/doc/procmail-version-number — Contains a README file that provides an overview of Procmail, a FEATURES file that explores every program feature, and a FAQ file with answers to many common configuration questions.

When learning how Procmail works and creating new recipes, the following Procmail man pages are invaluable:

  • procmail — Provides an overview of how Procmail works and the steps involved in filtering email.

  • procmailrc — Explains the rc file format used to construct recipes.

  • procmailex — Gives a number of useful, real-world examples of Procmail recipes.

  • procmailsc — Explains the weighted scoring technique used by Procmail to see if a particular recipe matches a certain message.

Useful Websites

  • http://www.redhat.com/mirrors/LDP/HOWTO/Mail-Administrator-HOWTO.html — Provides an overview of how email works and examines possible email solutions and configurations on the client and server sides.

  • http://www.redhat.com/mirrors/LDP/HOWTO/Mail-User-HOWTO — Looks at email from the user’s perspective, investigates various popular email client applications, and provides an introduction to topics such as aliases, forwarding, auto-replying, mailing lists, mail filters, and spam.

  • http://www.redhat.com/mirrors/LDP/HOWTO/mini/Secure-POP+SSH.html — Demonstrates a way to retrieve POP email using SSH with port forwarding, so that your email passwords and messages are transferred securely.

  • http://www.sendmail.net — Contains news, interviews, and articles concerning Sendmail, including an expanded view of the many options available.

  • http://www.sendmail.org — Offers a thorough technical breakdown of Sendmail features and configuration examples.

  • http://tuxedo.org/~esr/fetchmail — The home page for Fetchmail, featuring an online manual and a thorough FAQ.

  • http://www.procmail.org — The home page for Procmail, with links to assorted mailing lists dedicated to Procmail as well as various FAQ documents.

  • http://www.ling.helsinki.fi/users/reriksso/procmail/mini-faq.html — An excellent Procmail FAQ, with troubleshooting tips and details about file locking and the use of wildcard characters.

  • http://www.uwasa.fi/~ts/info/proctips.html — Provides dozens of tips that make using Procmail in various situations much easier, including how to test .procmailrc files and use Procmail scoring to decide if a particular action should be taken.

Related Books

  • Sendmail by Bryan Costales with Eric Allman et al. (O’Reilly & Associates) — A good Sendmail reference written with the assistance of the original creator of Delivermail and Sendmail.

  • Removing the Spam: E-mail Processing and Filtering by Geoff Mulligan (Addison-Wesley) — Looks at various methods used by email administrators that use established tools, such as Sendmail and Procmail, to manage spam problems.

  • Internet E-mail Protocols: A Developer’s Guide by Kevin Johnson (Addison-Wesley) — Provides a very thorough review of major email protocols and the security they provide.

  • Managing IMAP by Dianna Mullet and Kevin Mullet (O’Reilly & Associates) — Details the steps required to configure an IMAP server.

