Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
19.5. Mail User Agents
Red Hat Enterprise Linux offers a variety of email programs, both, graphical email client programs, such as Evolution, and text-based email programs such as
The remainder of this section focuses on securing communication between a client and a server.
19.5.1. Securing Communication
Popular MUAs included with Red Hat Enterprise Linux, such as Evolution and Mutt offer SSL-encrypted email sessions.
Like any other service that flows over a network unencrypted, important email information, such as user names, passwords, and entire messages, may be intercepted and viewed by users on the network. Additionally, since the standard
IMAPprotocols pass authentication information unencrypted, it is possible for an attacker to gain access to user accounts by collecting user names and passwords as they are passed over the network.
22.214.171.124. Secure Email Clients
Most Linux MUAs designed to check email on remote servers support SSL encryption. To use SSL when retrieving email, it must be enabled on both the email client and the server.
SSL is easy to enable on the client-side, often done with the click of a button in the MUA's configuration window or via an option in the MUA's configuration file. Secure
POPhave known port numbers (
995, respectively) that the MUA uses to authenticate and download messages.
126.96.36.199. Securing Email Client Communications
Offering SSL encryption to
POPusers on the email server is a simple matter.
First, create an SSL certificate. This can be done in two ways: by applying to a Certificate Authority (CA) for an SSL certificate or by creating a self-signed certificate.
Self-signed certificates should be used for testing purposes only. Any server used in a production environment should use an SSL certificate granted by a CA.
To create a self-signed SSL certificate for
POP, change to the
/etc/pki/dovecot/directory, edit the certificate parameters in the
/etc/pki/dovecot/dovecot-openssl.cnfconfiguration file as you prefer, and type the following commands, as
rm -f certs/dovecot.pem private/dovecot.pemdovecot]#
Once finished, make sure you have the following configurations in your
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem
service dovecot restartcommand to restart the
stunnelcommand can be used as an encryption wrapper around the standard, non-secure connections to
stunnelutility uses external OpenSSL libraries included with Red Hat Enterprise Linux to provide strong cryptography and to protect the network connections. It is recommended to apply to a CA to obtain an SSL certificate, but it is also possible to create a self-signed certificate.
See Using stunnel in the Red Hat Enterprise Linux 6 Security Guide for instructions on how to install
stunneland create its basic configuration. To configure
stunnelas a wrapper for
POP3S, add the following lines to the
[pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143
The Security Guide also explains how to start and stop
stunnel. Once you start it, it is possible to use an
POPemail client and connect to the email server using SSL encryption.