Recipe 8.11 Securing POPIMAP with SSL and Pine

Previous page
Table of content
Next page

Recipe 8.11 Securing POP/IMAP with SSL and Pine

8.11.1 Problem

You want to secure your POP or IMAP email session. Your mail client is pine, and your mail server supports SSL.

8.11.2 Solution

Test whether you can use STARTTLS, as explained in SSL for Securing Mail:

$ pine -inbox-path='{mail.server.net/user=fred/protocol}'

replacing protocol with either pop or imap as desired. One of three outcomes will occur:

  1. You get no connection. In this case, you cannot use STARTTLS; move on and try SSL-port, below.

  2. You get a connection, but the login prompt includes the word INSECURE:

    HOST: mail.server.net (INSECURE)  ENTER LOGIN NAME [fred] :

    In this case, you again cannot use STARTTLS; move on and try SSL-port, below.

  3. You get a connection and the login prompt does not say INSECURE. In this case, congratulations, you have a secure mail connection. You are done.

If you could not use STARTTLS as shown, try the SSL-port method:

$ pine -inbox-path='{mail.server.net/user=fred/protocol/ssl}'

again replacing protocol with either pop or imap as appropriate.

To ensure you have a secure connection (i.e., to forbid pine to engage in weak authentication, unless it's over a secure connection), add /secure to your inbox-path. For example:

$ pine -inbox-path='{mail.server.net/user=fred/imap/secure}'

If none of this works, your ISP does not appear to support IMAP over SSL in any form; try SSH instead. [Recipe 8.16]

8.11.3 Discussion

You might be able to simplify the mailbox specifications; for instance:

{mail.server.net/user=fred/imap}

could be simply {mail} instead: IMAP is the default, the usernames on both sides are assumed to be the same if unspecified, and your DNS search path may allow using the short hostname.

8.11.4 See Also

pine(1).

SSL Connection Problems: Server-Side Debugging

If you have access to the system logs on the mail server, you can examine them to debug SSL connection problems, or just to verify what's happening. In /var/log/maillog, successful SSL-port-style connections look like this:

Mar  7 16:26:13 mail imapd[20091]: imaps SSL service init from 209.225.172.154 Mar  7 16:24:17 mail ipop3d[20079]: pop3s SSL service init from 209.225.172.154

as opposed to these, indicating no initial use of SSL:

Mar  7 16:26:44 mail imapd[20099]: imap service init from 209.225.172.154 Mar  7 16:15:47 mail ipop3d[20018]: pop3 service init from 209.225.172.154

Note, however, that you cannot distinguish the success of STARTTLS-style security this way.

Another way of verifying the secure operation is to watch the mail protocol traffic directly using tcpdump [Recipe 9.16] or Ethereal [Recipe 9.17]. Ethereal is especially good, as it understands all the protocols involved here and will show exactly what's happening in a reasonably obvious fashion.

Previous page
Table of content
Next page
Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247
Authors: Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
BUY ON AMAZON
Strategies for Information Technology Governance
Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project
Making Sense of Change Management: A Complete Guide to the Models, Tools and Techniques of Organizational Change
An Introduction to Design Patterns in C++ with Qt 4
Wireless Hacks: Tips & Tools for Building, Extending, and Securing Your Network
File System Forensic Analysis
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy