Full Version: secure email access
The Planet Forums > Security > General Security
john2k
What's the best way to secure email access? I'm setting up qmail right now, but would like to be able to access it in a way similar to how SFTP keeps passwords & usernames from being sent in clear text.

I found some info searching on google about using port forwarding over ssh in order to do this. Is this the best way to secure email access?

Thanks,

John
perldork
Hi John,

I was near to setting up qmail with both SMTP AUTH and TLS/SSL support for a customer using qmail .. before the server's RAID controller died ;/ ... there are qmail distros/patches that will enable the send process (can't remember the name of it now) to support TLS, which is a newer interface to SSL. Unfortunately, as far as I have seen, only Netscape email clients and I think Eudora support TLS ... that is a nice way to do things though because the MTA does the encryption.

You can also tunnel over SSL, do a search on "+qmail +SSL +tunnel" in Google and you should get a good list of places that will show you how to do that ...

It seems like more people do that ... and Outlook Express/Outlook support SSL encryption (as opposed to TLS) ...

The strange thing about doing it that way is that running SMTP over SSL (which would be on port 465) is now deprecated. Sheesh! So you can use the newer way (TLS) and have unsupported clients, or tunnel over SSL (deprecated) and support everyone. Bizarre.

Maybe I had misread things when I was figuring out how to set things up, but that is what I saw.

I was setting up SMTP AUTH over SSL .. I was doing things from source and it quickly became a pain ... patches conflicting with each other .. blah.

If I were to set that up again, I would use someone else's pre-made RPM distro of qmail ... on the main qmail.org site you will see links to people's homebrewed distros .. patching the source was a pain and took a lot of time. I thought it would be fun to do it that way as it gave me opportunities to check out the source but ... it wasn't ;).

I welcome any corrections to what I have said if anyone reading this sees that I have said something that is incorrect .. that install was my first experience with qmail.
john2k
Thanks for all of the info, I appreciate it.

I'm mainly concerned with securing pop3. When logging in to download my email I want my password/username to be encrypted. I figured out how to do this with port forwarding over SSH, but that's kind of a pain since I first need to log in with my SSH client, then log in again with the email client. I'd rather just be able to log in with the email client and have the encryption side of things done automatically.

I use Netscape's email client and see SSL & TLS listed as available options for outgoing email but these options aren't available for incoming email.
perldork
John,

Securing POP3 is much easier :) ... if you are using the Red Hat imapd package

imap-2001a-1.72.0

you just need an /etc/xinetd.d/pop3s entry that looks something like this:

CODE
# default: off
# description: The POP3S service allows remote users to access their mail
#              using a POP3 client with SSL support such as fetchmail.
service pop3s
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/ipop3d
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable         = no
}


That is, if you are doing qmail in sendmail compatibility mode, where each user's ~/Mail file is linked to /var/spool/mail/username.

Remember to restart xinetd after adding/changing your pop3s entry. If you are installing pop3s for the first time you also have to do the server SSL certificate generation .. you can find that info in /usr/share/ssl/certs ... check out the Makefile in that directory.

If you are using the maildir format, then I would check http://www.qmail.org for pop3 packages that work with qmail .. there are lots of them listed :).

I was using the compatibility mode so that I didn't have to do custom versions of everything.
john2k
I'm using the maildir format with qmail: qmail-smtpd, qmail-pop3d & vpopmail for managing the accounts.

I'm using an older version of the Netscape email client, but just downloaded the new version which does allow pop3 over SSL.

Now I'm looking into the stunnel program http://www.stunnel.org to possibly wrap the qmail-pop3d with SSL.
perldork
Cool deal. If you work things out, please post them in this thread so that others who do the same can find it .. or do a HOW TO!
john2k
I got it working. Secure pop3 email via SSL. This is how I did it:

1. First create an SSL certificate for stunnel to use:

CODE
cd /usr/share/ssl/certs
make stunnel.pem

2. Then start the stunnel/pop3s/SSL connection on port 995 (default port for pop3s):

CODE
/usr/sbin/stunnel -d 995 -p /usr/share/ssl/certs/stunnel.pem -r localhost:pop3

3. Using KISS My Firewall, locked down pop3 port 110 (but still open to localhost for the stunnel).

4. Added the command in step 2 to /etc/rc.d/rc.local so that the stunnel is automatically started when the box is rebooted.

Then, just need to use an email client that can use pop3 via SSL. I used the Netscape 7.0 email client for this.
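Perldork's note about generating the server certificate and john2k's four steps above, as an added example that is not part of either post and not code from the stunnel or qmail projects: the same setup written for stunnel 4, which reads a config file instead of the -d/-p/-r flags of the stunnel 3 command line, with the "lock down port 110" step spelled out as iptables rules. CERT_DIR, STUNNEL_CONF, the config path /etc/stunnel/pop3s.conf and the host name mail.example.com are assumptions; the group name "nobody" is the Red Hat one.

```shell
#!/bin/sh
# Added example, not from the thread or from the stunnel/qmail projects:
# john2k's four steps for stunnel 4 (config file instead of -d/-p/-r flags),
# with the firewall step written as iptables rules. CERT_DIR, STUNNEL_CONF
# and MAIL_HOST are assumed values; adjust them to your box.
set -eu
umask 077

CERT_DIR="${CERT_DIR:-/usr/share/ssl/certs}"              # assumed (Red Hat layout)
STUNNEL_CONF="${STUNNEL_CONF:-/etc/stunnel/pop3s.conf}"   # assumed path
MAIL_HOST="${MAIL_HOST:-mail.example.com}"                # hypothetical CN

# Step 1: private key + self-signed cert in one PEM file, the same result as
# "make stunnel.pem". Clients will warn about a self-signed cert; swap in a
# CA-issued one when you can. The key never leaves a 0600 file.
gen_cert() {
    pem="$1"; cn="$2"
    key=$(mktemp); crt=$(mktemp)
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$cn" -keyout "$key" -out "$crt" 2>/dev/null
    cat "$key" "$crt" > "$pem"
    rm -f "$key" "$crt"
    chmod 600 "$pem"
}

# Step 2: stunnel 4 equivalent of
#   stunnel -d 995 -p stunnel.pem -r localhost:pop3
# TLS is terminated on 995 and the cleartext session is handed to
# 127.0.0.1:110, so qmail-pop3d only ever talks to loopback. stunnel binds
# 995 as root and then drops to nobody (group name is Red Hat's; Debian
# uses nogroup). SSLv2/SSLv3 are switched off.
stunnel_conf() {
    pem="$1"
    cat <<EOF
cert = $pem
setuid = nobody
setgid = nobody
options = NO_SSLv2
options = NO_SSLv3

[pop3s]
accept = 995
connect = 127.0.0.1:110
EOF
}

# Step 3: port 110 stays reachable from the box itself (stunnel's connect
# target) and is dropped on every other interface; 995 is the only POP3
# port a client should ever see. Printed, not applied, so it can be read.
firewall_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 110 -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j DROP
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
EOF
}

# Step 4: call this from rc.local as "sh /path/to/this.sh install" (root).
main() {
    pem="$CERT_DIR/stunnel.pem"
    [ -s "$pem" ] || gen_cert "$pem" "$MAIL_HOST"
    stunnel_conf "$pem" > "$STUNNEL_CONF"
    firewall_rules | sh
    stunnel "$STUNNEL_CONF"
}

# Only the explicit "install" argument touches the system; without it the
# file just defines the functions above so they can be inspected or sourced.
if [ "${1:-}" = "install" ]; then
    main
fi
```

To check the result from another host: `openssl s_client -connect mail.example.com:995` should print the certificate and then the server's `+OK` greeting, while `telnet mail.example.com 110` should hang or be refused. In the mail client this is "port 995 + SSL", not Outlook's "Secure Password Authentication" option, which is a different (NTLM-style) login method and does not encrypt the session; that is the mix-up mol runs into below.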
mol
Hmm. Followed your instructions John2k and I am still getting an error when checking mail with Outlook using secure auth.
rackAID
Stunnel will work well. Also there is a qmail patch for incorporating SSL. I will try to dig it up. I have applied it to PSA qmail versions before.
mol
QUOTE
Originally posted by mol
Hmm. Followed your instructions John2k and I am still getting an error when checking mail with Outlook using secure auth.


Got it working. I didn't change the port settings in Outlook and I also had "Log on using Secure Password Auth" instead of "This server requires a secure connection. SSL."

Now everything is working peachy.