DISCLAIMER: USE AT YOUR OWN RISK. EVERY COMPUTER SYSTEM IS DIFFERENT, AND WHAT WORKED FOR ME MAY NOT WORK FOR YOU. RELEVANT PREREQUISITE KNOWLEDGE IS ASSUMED (BASIC UNIX SKILLS). SOFTWARE CAN CHANGE SIGNIFICANTLY BETWEEN VERSIONS. ALWAYS PROCEED WITH CAUTION, AND READ ALL AVAILABLE DOCUMENTATION.


Jem's Guide: How to set up a secure POP3 (pop3s) server, using stunnel

(Same process applies to other servers, like IMAP. Just change the port numbers)


When I say "secure POP3", I am referring to a POP3 server that communicates with a client using SSL (Secure Sockets Layer). Many mail clients now support this as an extension to standard POP3, since SSL encrypts the whole session and prevents eavesdropping on the connection (but not man-in-the-middle attacks). Secure POP3, or pop3s, runs on port 995 of the server instead of the plaintext port 110, and demands an SSL-capable client on the other end.

Although it sounds like it should be difficult to set up a secure POP3 server, the process is very easy and is also extensible to other simple plaintext protocol servers which you already have. Of course, for your server to be secure the actual server software which you're running must be up to date and free of bugs that allow clients to exploit the server. This is a separate issue, since no amount of encryption is going to protect a server that is running vulnerable software.

You're also not secure unless the component that provides the encryption (OpenSSL) is free of exploitable bugs. Unfortunately, there have been several such bugs recently so before you proceed please make sure you have installed the latest version of OpenSSL.

A secure POP3 server built this way has three components, each of which must be bug-free and non-exploitable: OpenSSL, which provides the encryption; the plaintext POP3 server itself; and the SSL wrapper (stunnel, introduced below) that joins the two.

For the rest of this document, I'll assume that you have already installed OpenSSL and a POP3 server (plaintext), since both are standard in UNIX, Linux and BSD distributions. I use gnu-pop3d for my POP3 server since it's small, efficient, and secure (as far as I know).

How to provide an SSL version of your existing POP3 server for port 995 (pop3s)

You already have a POP3 server running on port 110, and you want to provide a secure version which SSL-capable clients can access on port 995. The nifty piece of software which makes this possible is Stunnel, the "Universal SSL Wrapper".

First, download and install the latest version, whatever that may be:

wget http://www.stunnel.org/download/stunnel/src/stunnel-4.03.tar.gz
tar zxvf stunnel-4.03.tar.gz
cd stunnel-4.03
./configure
make
make install

The make script will take you through the process of generating a certificate; enter any data here for now. 'make install' will install all the stunnel files in their default places, but you can use options to the ./configure script to change these paths.

Anyway, you have now installed everything you need. You must now configure stunnel by modifying stunnel.conf, which by default lives at /usr/local/etc/stunnel/stunnel.conf:

chroot = /var/jails/stunnel
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
debug = mail.notice
client = no

[gnu-pop3d]
accept  = 995
connect = localhost:pop3

You will have to adjust these settings for your system. The chroot line tells stunnel that it should run in the specified chroot jail. This limits the extent of the damage that can be caused to the greater filesystem if stunnel is compromised. For stunnel to work, the directory specified in chroot must exist!

setuid and setgid define the privileges under which stunnel should operate. Give it the lowest privileges possible to limit the extent of possible damage (in case of intrusion).

pid defines the file where the pid should be stored. Note that this path is relative to the chroot directory. The debug option tells stunnel where to send log messages: "mail.notice" selects the syslog facility mail at level notice, so stunnel's messages land in your regular mail server logs. Be sure to check these logs if stunnel doesn't work as intended! Finally, client=no tells stunnel to run as a daemon.

The rest of the conf file can consist of multiple [Sections], where a name like "gnu-pop3d" is just a description for your convenience -- it appears in the logs. accept tells stunnel to listen on port 995 (the pop3s port) for the SSL side, and connect tells stunnel to open a connection to localhost:pop3 for the plaintext side.

You can now see why we can run stunnel chroot'ed and at the lowest privileges, since all it has to do is open a TCP/IP connection to your real POP3 server. Beautiful, isn't it?

Everything should be ready to go now. Just run "stunnel" and it will run as a daemon in the background, accepting SSL connections on port 995 and passing them through to your pop3 server on port 110. If everything works as expected, modify your system initialization scripts to run stunnel on startup.
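As an added example (not part of the original guide, and not stunnel's own tooling), here is a POSIX shell script that checks a stunnel.conf of the form shown above for the mistakes the text warns about, namely a chroot directory that does not exist, a setuid/setgid name the system cannot resolve, and a pid path whose directory is missing inside the jail, and then, once stunnel is running, confirms that port 995 answers with a POP3 +OK greeting over SSL using openssl s_client. The function names and the STUNNEL_CONF / STUNNEL_CHECK_LIVE environment switches are my own; the only file path it assumes is the default conf location quoted above.

```shell
#!/bin/sh
# Added example, not from the original guide or the stunnel project: sanity-check a
# stunnel.conf of the form shown above before starting the daemon, then verify the
# SSL side once it is up. Parses the stunnel 4 "key = value" / "[section]" syntax.

# conf_global KEY FILE: print KEY's value from the global (pre-[section]) part.
conf_global() {
    awk -v key="$1" '
        /^[ \t]*\[/   { exit }            # first [section] ends the global part
        /^[ \t]*[#;]/ { next }            # comment line
        {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] == key) {
                sub(/^[^=]*=[ \t]*/, "")  # keep only the value
                sub(/[ \t]+$/, "")
                print
                exit
            }
        }' "$2"
}

# conf_services FILE: print "name accept connect" for each [section].
conf_services() {
    awk '
        /^[ \t]*\[/ {
            if (name != "") print name, acc, con
            gsub(/\[|\]|[ \t]/, ""); name = $0; acc = ""; con = ""
            next
        }
        name != "" && /^[ \t]*accept[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); acc = $0
        }
        name != "" && /^[ \t]*connect[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); con = $0
        }
        END { if (name != "") print name, acc, con }' "$1"
}

# name_resolves KIND NAME: succeed if NAME is numeric or a known user/group.
name_resolves() {
    case $2 in
        *[!0-9]*) ;;          # a name: must exist on this host
        *) return 0 ;;        # numeric id: passed through unchanged
    esac
    if [ "$1" = user ]; then
        id "$2" >/dev/null 2>&1
    else
        getent group "$2" >/dev/null 2>&1 || grep -q "^$2:" /etc/group
    fi
}

# check_stunnel_conf FILE: report the mistakes that make a chrooted stunnel die
# before it logs anything useful. Returns 0 only when every check passes.
check_stunnel_conf() {
    conf=$1 rc=0
    jail=$(conf_global chroot "$conf")
    user=$(conf_global setuid "$conf")
    group=$(conf_global setgid "$conf")
    pidf=$(conf_global pid "$conf")

    if [ -n "$jail" ] && [ ! -d "$jail" ]; then
        echo "chroot directory $jail does not exist"; rc=1
    fi
    if [ -n "$user" ] && ! name_resolves user "$user"; then
        echo "setuid user $user does not exist"; rc=1
    fi
    if [ -n "$group" ] && ! name_resolves group "$group"; then
        echo "setgid group $group does not exist"; rc=1
    fi
    # The pid path is relative to the jail, so its directory must exist inside it.
    if [ -d "$jail" ] && [ -n "$pidf" ] && [ ! -d "$jail$(dirname "$pidf")" ]; then
        echo "pid directory $jail$(dirname "$pidf") missing inside the jail"; rc=1
    fi
    # Every [section] needs both an accept and a connect line.
    svc_problems=$(conf_services "$conf" | awk 'NF < 3 { print "[" $1 "] lacks accept or connect" }')
    if [ -n "$svc_problems" ]; then echo "$svc_problems"; rc=1; fi
    return $rc
}

# pop3s_greeting HOST PORT: connect over SSL and print the server's first line.
# Succeeds only if the greeting starts with +OK, i.e. stunnel reached the
# plaintext POP3 server behind it.
pop3s_greeting() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -quiet 2>/dev/null \
        | head -n 1 | grep '^+OK'
}

# Usage: check the installed conf; set STUNNEL_CHECK_LIVE=1 to also probe port 995.
CONF=${STUNNEL_CONF:-/usr/local/etc/stunnel/stunnel.conf}
if [ -r "$CONF" ]; then
    check_stunnel_conf "$CONF" && echo "$CONF: ok"
fi
if [ "${STUNNEL_CHECK_LIVE:-0}" = 1 ]; then
    pop3s_greeting localhost 995 || echo "no +OK greeting on port 995; check the mail log"
fi
```

Run it as root after editing the conf and again after starting stunnel (with STUNNEL_CHECK_LIVE=1); a missing jail directory is reported before stunnel has a chance to fail silently, and a greeting that is not +OK means the SSL side is up but the plaintext server on the connect side is not answering.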

For extra security, you can firewall your system so that clients outside your network can only access the secure server on port 995 and not the plaintext version on port 110.
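As an added example of that firewall rule (my own, not from the original guide), here is a small iptables rule set that exposes only port 995 and keeps the plaintext port 110 reachable from loopback, which stunnel itself needs for its "connect = localhost:pop3" side, plus an optional trusted LAN prefix. The 192.168.1.0/24 prefix in the usage is an assumption; pass your own network, or none.

```shell
#!/bin/sh
# Added example, not from the original guide: allow pop3s (995) from anywhere,
# restrict plaintext pop3 (110) to loopback and an optional trusted LAN prefix.

# pop3_firewall_rules [LAN_CIDR]: print the iptables rules, one per line,
# without applying them, so they can be reviewed first.
pop3_firewall_rules() {
    lan=${1:-}
    # The SSL side is public; stunnel terminates SSL here.
    echo "-A INPUT -p tcp --dport 995 -j ACCEPT"
    # stunnel forwards to localhost:pop3, so loopback must still reach port 110.
    echo "-A INPUT -i lo -p tcp --dport 110 -j ACCEPT"
    # Optional: hosts on a trusted internal network may use plaintext pop3.
    if [ -n "$lan" ]; then
        echo "-A INPUT -p tcp --dport 110 -s $lan -j ACCEPT"
    fi
    # Everyone else gets a reset on the plaintext port.
    echo "-A INPUT -p tcp --dport 110 -j REJECT --reject-with tcp-reset"
}

# apply_pop3_firewall [LAN_CIDR]: feed the rules to iptables (requires root).
apply_pop3_firewall() {
    pop3_firewall_rules "${1:-}" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        iptables $rule || return 1
    done
}

# Usage: "sh pop3-fw.sh" prints the rules; "sh pop3-fw.sh --apply [LAN_CIDR]"
# installs them. The LAN prefix is an assumption for illustration only.
if [ "${1:-}" = "--apply" ]; then
    apply_pop3_firewall "${2:-}"
else
    pop3_firewall_rules "${1:-}"
fi
```

The rules are appended to INPUT, so they must come before any catch-all ACCEPT you may already have; the loopback rule is the one people forget, and without it stunnel's own connections to port 110 are blocked and every pop3s login fails even though port 995 is open.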

Copyright (C) 2003-2005 SysDesign