INFN Sec. Group


Secure IMAP (and POP3)

v 2.6
26 November 2001

Roberto Cecchini

Italian version


Contents

Introduction
OpenSSL Installation
Certificate Request and Installation
stunnel Installation
stunnel on the Server
E-mail Clients (Unix) Configuration
E-mail Clients (Windows) Configuration
 

Introduction

Netscape (IMAP) and Outlook (IMAP and POP3) can make encrypted (SSL) connections to a mail server. If the IMAP server does not support such connections, a partial solution is to use an SSL wrapper. Among the many available, I have been using stunnel.

OpenSSL Installation

The first thing to do is to install OpenSSL.
  1. expand the tar file into /usr/local

  2. follow the simple instructions: basically configure, make platform, make test and make install.
    Beware: according to my personal experience, it is much better to use the GNU compiler.

Certificate Request and Installation

N.B.: these instructions apply to .infn.it nodes only.
  1. copy the configuration file srv.cnf into /usr/local/ssl/lib/ (if you chose the standard installation).

  2. generate the certificate request:
    > cd /usr/local/ssl/certs
    > /usr/local/ssl/bin/openssl req -new -nodes -out req.pem \
     -keyout key.pem -config /usr/local/ssl/lib/srv.cnf
    
    Using configuration from /usr/local/ssl/lib/srv.cnf
    Generating a 1024 bit RSA private key
    .......................+++++
    .........................+++++
    writing new private key to 'key.pem'
    -----
    You are about to be asked to enter information that will be 
    incorporated into your certificate request.
    What you are about to enter is what is called 
    a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [IT]:
    INFN (accettare il default!) [INFN]:
    Locality Name (p.e. Firenze) []:Firenze
    Organization Name (p.e. Sezione di Firenze) []:Sezione di Firenze
    Server type [Server IMAP]:
    Server name (p.e. postino.fi.infn.it) []:postino.fi.infn.it
    Email Address []:cecchini@fi.infn.it
    
    > chmod 600 key.pem
    
    key.pem contains the server private key in plain text!

  3. send req.pem to the CA, which will send you back the certificate.

  4. create, with an editor, the file /usr/local/ssl/certs/stunnel.pem containing key.pem followed by the server certificate. Insert a blank line between the two parts and another one at the end of the file.

  5. delete req.pem and key.pem and protect (chmod 600) stunnel.pem, which now contains the server private key in plain text.
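The bundle described in steps 4 and 5 can be assembled and checked with a short script. This is an added example, not part of the original page or of stunnel/OpenSSL: it creates stunnel.pem with mode 600 from the start (no window in which the plain-text key is world-readable), and confirms that the private key actually belongs to the certificate the CA returned, a mismatch being the usual reason an SSL-wrapped port fails to handshake. File paths are arguments; the page's own locations are /usr/local/ssl/certs/key.pem and the certificate file you saved, and the OPENSSL variable (an assumption of this script) points at the binary, /usr/local/ssl/bin/openssl in the page's layout. The demo at the bottom uses a throwaway self-signed certificate, constructed on the fly, in place of the CA-issued one.

```shell
#!/bin/sh
# Added example, not part of the original page: build stunnel.pem from the
# private key and the certificate returned by the CA, create it with mode 600
# from the start, and confirm that the key really belongs to the certificate
# before stunnel is started with it.
set -e

# The page installs OpenSSL under /usr/local/ssl; override OPENSSL if needed.
OPENSSL=${OPENSSL:-openssl}

# Write key, blank line, certificate, blank line (the layout the page asks for).
# The subshell umask makes the file unreadable by others from the moment it is
# created, so the plain-text key is never world-readable, even briefly.
make_stunnel_pem() {
    key=$1; cert=$2; out=$3
    [ -s "$key" ] && [ -s "$cert" ] || { echo "missing key or certificate" >&2; return 1; }
    [ -e "$out" ] && { echo "$out already exists, not overwriting" >&2; return 1; }
    ( umask 077; { cat "$key"; echo; cat "$cert"; echo; } > "$out" )
    chmod 600 "$out"
}

# An RSA key and certificate belong together iff their moduli are identical.
# Both arguments may be the same bundle file: openssl picks the matching PEM block.
key_matches_cert() {
    km=$("$OPENSSL" rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cm=$("$OPENSSL" x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$km" = "$cm" ]
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
bundle_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Stand-alone demo. A throwaway self-signed certificate (constructed here, not
# an INFN one) stands in for the certificate the CA sends back.
demo() {
    d=$(mktemp -d)
    "$OPENSSL" req -new -x509 -nodes -newkey rsa:2048 -days 1 \
        -subj "/O=Example/CN=imap.example.invalid" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    make_stunnel_pem "$d/key.pem" "$d/cert.pem" "$d/stunnel.pem"
    if key_matches_cert "$d/stunnel.pem" "$d/stunnel.pem"; then
        echo "stunnel.pem: key and certificate match, mode $(bundle_mode "$d/stunnel.pem")"
    else
        echo "stunnel.pem: key does NOT match certificate" >&2
    fi
    rm -rf "$d"
}

demo
```

With real files the calls are make_stunnel_pem key.pem server-cert.pem stunnel.pem followed by key_matches_cert stunnel.pem stunnel.pem; only after both succeed should req.pem and key.pem be deleted as step 5 says.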

stunnel Installation

Follow the simple instructions.

stunnel on the Server

It is recommended to run stunnel as a daemon, started at boot with the following commands (the second only if you also need POP3 connections):
   stunnel -d 993 -p /usr/local/ssl/certs/stunnel.pem -r localhost:imap
   stunnel -d 995 -p /usr/local/ssl/certs/stunnel.pem -r localhost:pop

E-mail Clients (Unix) Configuration

For clients that support SSL (e.g. Netscape Messenger, Outlook and pine) the only thing to do is to change their configuration so that they use secure connections.

It is not necessary for the browsers to contain the certificate of the CA that signed the server certificate; of course it is better if they do.

For the e-mail clients which don't support SSL:

  1. install stunnel on the client machine;

  2. if you want to check the server certificate (optional, but recommended), copy the certificate of the CA that signed the server certificate to /usr/local/ssl/certs/CAcert.pem and:
       > cd /usr/local/ssl/certs/
       > ln -s CAcert.pem `/usr/local/ssl/bin/openssl x509 \
             -noout -hash < CAcert.pem`.0
    

  3. run stunnel using the command (typically during startup):
       > stunnel -c -v 2 -d 143 -r imap_server:993
       > stunnel -c -v 2 -d 110 -r pop3_server:995
    
    where the option -v 2 is needed only if you carried out the previous step.

  4. Configure the e-mail client so that it accesses the imap (or pop3) port of localhost.
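Step 2 above relies on OpenSSL finding the CA certificate under its hashed name, and step 3's -v 2 relies on that lookup succeeding at connection time. The script below is an added example, not part of the original page or of stunnel: it creates the hash link and then verifies a server certificate against the directory, which is the same check the client-side stunnel performs. One caveat worth knowing: OpenSSL 1.0.0 changed the subject-hash algorithm, so the name printed by -hash on a current OpenSSL differs from the one a 0.9.x-era build looks up; the script creates both names where the installed OpenSSL supports -subject_hash_old. The OPENSSL variable and the demo's throwaway CA and server certificate (constructed on the fly) are assumptions of this script, not INFN material.

```shell
#!/bin/sh
# Added example, not part of the original page: put the CA certificate into a
# hash directory the way the page's ln -s command does, and check a server
# certificate against it exactly as "stunnel -c -v 2" will when connecting.
set -e

OPENSSL=${OPENSSL:-openssl}

# Create <hash>.0 links for CAcert.pem. "-hash" gives the name the running
# OpenSSL uses; "-subject_hash_old" (OpenSSL >= 1.0.0 only) gives the pre-1.0.0
# name, so a directory prepared here also serves an older stunnel/OpenSSL.
install_ca_link() {
    ca=$1; dir=$2
    cp "$ca" "$dir/CAcert.pem"
    for opt in -hash -subject_hash_old; do
        h=$("$OPENSSL" x509 -noout "$opt" -in "$dir/CAcert.pem" 2>/dev/null) || continue
        ln -sf CAcert.pem "$dir/$h.0"
    done
    for f in "$dir"/*.0; do [ -L "$f" ] && return 0; done
    echo "no hash link could be created in $dir" >&2; return 1
}

# Verify a server certificate against the hash directory; succeeds only when
# the chain ends in a CA found there (openssl prints "<file>: OK").
verify_server_cert() {
    "$OPENSSL" verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Throwaway CA and CA-signed server certificate for the demo (constructed here,
# not INFN's): writes ca.pem, ca.key, srv.pem into the given directory.
make_demo_certs() {
    d=$1
    "$OPENSSL" req -new -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    "$OPENSSL" req -new -nodes -newkey rsa:2048 -subj "/CN=imap.example.invalid" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    "$OPENSSL" x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/srv.pem" 2>/dev/null
}

# Stand-alone demo: with the link in place verification passes; against an
# empty directory (the situation without step 2) it fails.
demo() {
    d=$(mktemp -d); mkdir "$d/certs" "$d/empty"
    make_demo_certs "$d"
    install_ca_link "$d/ca.pem" "$d/certs"
    ls -l "$d/certs"
    verify_server_cert "$d/srv.pem" "$d/certs" && echo "server certificate verifies against CAcert.pem"
    verify_server_cert "$d/srv.pem" "$d/empty" || echo "without the hash link verification fails, as expected"
    rm -rf "$d"
}

demo
```

On a real client the calls are install_ca_link CAcert.pem /usr/local/ssl/certs and verify_server_cert server-cert.pem /usr/local/ssl/certs; once the client-side stunnel is running with -v 2, openssl s_client -connect imap_server:993 -CApath /usr/local/ssl/certs should report "Verify return code: 0 (ok)". Note that the Windows commands in the next section omit -v, so on Windows the server certificate is not checked at all.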

E-mail Clients (Windows) Configuration

For clients that support SSL (e.g. Netscape Messenger, Outlook and pine) the only thing to do is to change their configuration so that they use secure connections.

It is not necessary for the browsers to contain the certificate of the CA that signed the server certificate; of course it is better if they do.

For the e-mail clients which don't support SSL:

  1. install stunnel on the client machine;

    1. download winstun.zip
    2. extract ssleay32.dll, libeay32.dll and stunnel.exe into the same directory (if you prefer, the DLLs can be moved into \windows\system).

  2. run stunnel using the command:
       stunnel -c -d 143 -r imap_server:993
       stunnel -c -d 110 -r pop3_server:995
    
  3. Configure the e-mail client so that it accesses the imap (or pop3) port of localhost.
 

Roberto Cecchini

URL: http://security.fi.infn.it/tools/stunnel/index-en.html