Section 16.6: Security
16.6.1 Secure Email Clients
Thankfully, most Linux MUAs designed to check email on remote servers support SSL to encrypt
messages as they are sent back and forth over the network. To use SSL when retrieving email,
it must be enabled on both the email client and the email server.
SSL is usually very easy to enable on the client-side, often done with the click of a button in the MUA's
configuration area. Secure IMAP and POP have known port numbers (993 and 995, respectively) that
the MUA will use to authenticate and download messages.
Popular MUAs included with Red Hat Linux, such as Mozilla Mail, Mutt, and Pine, offer
SSL-encrypted email sessions.
16.6.2 Secure Email Servers
Offering SSL encryption to IMAP and POP users on the email server is almost as easy. Red Hat Linux
also includes the stunnel package, which is an SSL encryption wrapper that wraps around standard,
non-secure network traffic for certain services and prevents interceptors from being able to "sniff"
the communication between client and server. While stunnel can be used with more than email
communication, it really shines when providing protection for normally insecure email protocols.
The stunnel program uses external SSL libraries, such as the OpenSSL libraries included with
Red Hat Linux, to provide strong cryptography and protect your connections. You can apply to a
Certificate Authority (CA) for an SSL certificate, or you can create a self-signed certificate to simply
provide the benefit of the SSL encrypted communication.
To create a self-signed SSL certificate, change to the /usr/share/ssl/certs directory, type the
make stunnel.pem command, and answer the questions. Then, use stunnel to start the mail
daemon that you wish to use.
For example, the following command could be used to start the IMAP server included with Red Hat
Linux:
/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapd
You should now be able to open an IMAP email client and connect to your email server using SSL
encryption. Of course, you will probably want to go a step further and configure your
stunnel-wrapped IMAP server to automatically start up at the correct runlevels.
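One way to check the result of the steps above from a client machine, as an added example that is not part of the original manual: a self-signed certificate cannot be validated against a CA, so this script pins the certificate's SHA-256 fingerprint (the value printed by openssl x509 -noout -fingerprint -sha256 -in stunnel.pem) and confirms that port 993 completes an SSL/TLS handshake with exactly that certificate. The function names and the host name in the usage comment are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

IMAPS_PORT = 993  # secure IMAP port named in the text


def normalize_fingerprint(text):
    """Accept 'SHA256 Fingerprint=AA:BB:..' or bare hex; return lowercase hex."""
    value = text.strip().split("=", 1)[-1]
    hexdigits = value.replace(":", "").replace(" ", "").lower()
    if len(hexdigits) != 64 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexdigits


def cert_fingerprint(der_bytes):
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def matches_pin(der_bytes, pinned):
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(cert_fingerprint(der_bytes), normalize_fingerprint(pinned))


def check_imaps(host, pinned, port=IMAPS_PORT, timeout=10):
    """Connect, complete the handshake, and return (pin_ok, protocol, greeting)."""
    # A self-signed certificate has no CA chain to validate, so chain and
    # hostname checks are switched off and trust rests on the pin alone.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not matches_pin(der, pinned):
                return False, tls.version(), None  # do not talk to an unpinned peer
            greeting = tls.recv(512).decode("ascii", "replace").strip()
            return True, tls.version(), greeting


if __name__ == "__main__":
    import sys
    # usage (placeholder host): python check_imaps.py mail.example.com "<fingerprint>"
    print(check_imaps(sys.argv[1], sys.argv[2]))
```

A False first element means the server on port 993 presented a different certificate than the one you generated, which is the case an unpinned self-signed setup cannot detect.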
For more information about how to use stunnel, read the stunnel man page or refer to the
documents in the /usr/share/doc/stunnel-<version-number> directory.
Alternatively, the imap package bundled with Red Hat Linux contains the ability to provide SSL
encryption on its own without stunnel. For secure IMAP connections, create the SSL certificate by