SSL-protected POP3 service for Debian Linux (Woody)
Like most security-conscious people, I have an uneasy feeling about the Post Office Protocol version 3 (POP3): it transmits in cleartext not only your emails but also the username and password of your email accounts. APOP is a bit better since it does not send your password in the clear (it uses a challenge-response instead), but the contents of your emails still travel unencrypted. So, when I had to install a new Linux server running Debian (Woody), I looked around for a way to wrap POP3 sessions in SSL/TLS. The goal was to encrypt all traffic between the server and the client, including the username/password authentication and the bulk email data transfers.
This time I decided to solve the problem with qpopper. It compiles and runs without any problems. Before getting into the details of the configuration, let me say that this guide can also be used for setting up an SSL-protected POP3 server on any Unix-like system; the specific paths and commands below, however, reflect my own configuration.
The first step is to compile and install qpopper on the Linux system. At the time of this writing the latest version of qpopper is 4.0.5. Be sure to check whether a newer version is available before running the following commands:
# mkdir -p /usr/local/src ; cd /usr/local/src
# wget ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper4.0.5.tar.gz
# tar zxvf qpopper4.0.5.tar.gz ; cd qpopper4.0.5
# ./configure --with-openssl=/usr/local/ssl
# make ; make install
Like many mail-related services I run, I want to go for the latest release and find myself compiling it on the server. You could use apt-get (or dselect) on Debian, but that gives you rather old versions of the software. Not that these aren't secure; it's just my feeling that these critical services need to be running the most recent versions available.
Note: After writing this document, I've found an excellent resource for Debian with recent versions of software for the Debian Woody (stable) release: backports.org. This made my (compile) life a lot easier, though I've wrestled with a glitch or two, like assuming Postfix 2.x from backports.org uses SASL 2; it doesn't, it's compiled with SASL 1, which has no direct interface to MySQL, as opposed to version 2, which has such an interface.
The configure command takes just one parameter here, which enables SSL/TLS support using the OpenSSL installation found at /usr/local/ssl (OpenSSL's default install directory). Change this path if you have installed OpenSSL in another location.
All other configuration options will be set through the qpopper.conf file. If you want/need to do some debugging, add the '--enable-debugging' switch to the ./configure command.
The configure script takes many more parameters that modify the default behavior of qpopper. If you are interested in more aggressive logging or other interesting possibilities read the output of the ./configure --help command.
The next step is to create a directory in which to store the configuration files and the certificates for our secure POP3 server. The qpopper.conf file is installed in /etc by default, and I have chosen to keep the certificates together with those of my Postfix installation in /etc/mail/certs.
We will now generate the asymmetric key pair and the corresponding self-signed X.509 certificate for our POP3 server using the command line interface of OpenSSL. You can reuse a key pair and certificate you already use for other purposes, but I assume this has not been done yet. The certificate we will generate is going to be valid for one year (365 days). This means that every year you have to generate a new one and distribute it again to your POP3 clients. OpenSSL is going to ask you a few questions during the generation process. The one that matters is the one that asks for the name to be associated with the public key (Common Name (eg, YOUR name) []: is what OpenSSL asks you). What you need to enter is the FQDN of your server, the one that your POP3 clients are going to use to connect to it (e.g. something like mail.acme.tld); if the name does not match, clients will warn about or refuse the certificate. So, here are the commands you have to run (we also restrict the file permissions of the private key so that only root can read it, and create a DER-encoded version of the PEM-encoded certificate ready to be imported on Windows-based client systems):
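The command block itself did not survive in this copy of the page. The following script is an added example, not the original author's commands, that produces the three files described next (yourhostname.rsa, yourhostname.pem, yourhostname.der) with the OpenSSL command line. It assumes a 2048-bit RSA key (the page does not state a key size), an unencrypted private key (qpopper is started by inetd and cannot prompt for a passphrase), and that the FQDN is passed as an argument rather than read from /etc/hostname, so the Common Name is always the name your clients connect to.

```shell
#!/bin/sh
# Added example (not from the original page): create the RSA private key, a
# self-signed X.509 certificate valid for 365 days, and a DER copy for Windows.
set -eu

# gen_pop3_cert DIR FQDN
#   Writes DIR/FQDN.rsa (private key, mode 0600), DIR/FQDN.pem (PEM certificate)
#   and DIR/FQDN.der (DER certificate). FQDN becomes the Common Name and must be
#   the name POP3 clients connect to, e.g. mail.acme.tld.
gen_pop3_cert() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir"
    # Generate key and self-signed certificate in one step, under a restrictive
    # umask so the key is never world-readable, not even briefly.
    # -nodes: leave the key unencrypted (inetd-started daemons cannot type a passphrase).
    # -subj:  answer the Common Name question non-interactively.
    # rsa:2048 is an assumption; the page does not give a key size.
    (umask 077 && openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/$fqdn.rsa" -out "$dir/$fqdn.pem" \
        -subj "/CN=$fqdn" 2>/dev/null)
    chmod 600 "$dir/$fqdn.rsa"
    chmod 644 "$dir/$fqdn.pem"
    # DER-encoded copy: the form the Windows certificate import wizard expects.
    openssl x509 -in "$dir/$fqdn.pem" -outform DER -out "$dir/$fqdn.der"
}

# cert_cn FILE
#   Prints the Common Name of a PEM certificate so you can confirm it equals the
#   FQDN. Handles both "subject=CN = x" and "subject= /CN=x" output styles.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

# Usage: gen_pop3_cert.sh /etc/mail/certs mail.acme.tld
if [ $# -eq 2 ]; then
    gen_pop3_cert "$1" "$2"
    echo "Certificate Common Name: $(cert_cn "$1/$2.pem")"
fi
```

Run it once as root with the certificate directory and the FQDN; the printed Common Name is what Outlook Express will compare against the server name you configure later.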
You now have three new files: yourhostname.rsa is the private key, yourhostname.pem is the PEM-encoded certificate and yourhostname.der is the DER-encoded certificate. Here the string yourhostname stands for the contents of your /etc/hostname file (the file names themselves do not matter to clients; the Common Name inside the certificate does). The next step is to edit the sample configuration file of qpopper that has been copied to /etc/qpopper.conf and make the necessary changes. So, open it with your favorite text editor (e.g. # vim /etc/qpopper.conf) and make the following changes:
Change # set clear-text-password = default to set clear-text-password = tls.
Change # set config-file = /etc/mail/pop/qpopper.config to set config-file = /etc/qpopper.conf, although this is not strictly required since we pass the configuration file as a command-line argument (-f) below.
Change # set tls-support = default to set tls-support = alternate-port.
Uncomment # set tls-version = default so it reads set tls-version = default (the value stays at the default; the line only needs to be active).
Change # set tls-private-key-file = to set tls-private-key-file = /etc/mail/certs/yourhostname.rsa.
Change # set tls-server-cert-file = /etc/mail/certs/hostname.cert to set tls-server-cert-file = /etc/mail/certs/yourhostname.pem.
Next, you have to change your /etc/inetd.conf file so that inetd starts qpopper each time someone connects to download POP3 email. To accomplish this, open /etc/inetd.conf with your favorite text editor and add the following lines:
The -f option specifies the location of the configuration file. Make sure the pop3 and pop3s services are defined in your /etc/services file: pop3 is port 110, and pop3s is the alternate port, 995, which many Windows clients expect for SSL. Finally, signal inetd to re-read its configuration by sending it a HUP signal:
# ps -ef | grep inetd
# kill -HUP <pid of inetd, see output of the command above>
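The two inetd.conf lines are not present in this copy of the page. The script below is an added example, not the author's own, that performs the whole step: it checks that /etc/services knows both ports, appends the two entries without duplicating them if they are already there, and HUPs inetd. It assumes qpopper's default install location /usr/local/sbin/popper (a plain make install with no --prefix), no tcpd wrapper in front of it, and inetd's convention that the last field starts with argv[0].

```shell
#!/bin/sh
# Added example (not from the original page): hook qpopper into inetd on both
# POP3 ports. POPPER and CONF are assumptions matching the page's layout.
set -eu

POPPER=${POPPER:-/usr/local/sbin/popper}
CONF=${CONF:-/etc/qpopper.conf}

# services_has FILE NAME PORT
#   True when FILE (normally /etc/services) maps NAME to PORT/tcp. Compares
#   whole fields, so "pop3" does not accidentally match "pop3s".
services_has() {
    awk -v n="$2" -v p="$3/tcp" '$1 == n && $2 == p { found = 1 } END { exit !found }' "$1"
}

# add_inetd_entry FILE SERVICE
#   Appends the inetd.conf line for SERVICE unless an active entry already exists.
#   Both entries point at the same qpopper.conf, so qpopper behaves identically on
#   110 and 995: with tls-support = alternate-port it expects TLS at once on either.
#   Field order: service, socket type, protocol, wait flag, user, program, argv...
add_inetd_entry() {
    file=$1
    svc=$2
    if awk -v s="$svc" '$1 == s { found = 1 } END { exit !found }' "$file"; then
        echo "inetd: entry for $svc already present, not adding" >&2
        return 0
    fi
    printf '%s\tstream\ttcp\tnowait\troot\t%s\tpopper -f %s\n' "$svc" "$POPPER" "$CONF" >> "$file"
}

# hup_inetd
#   Tell the running inetd to re-read its configuration.
hup_inetd() {
    pid=$(pidof inetd) || { echo "inetd is not running" >&2; return 1; }
    kill -HUP "$pid"
}

# Usage: run as root with the single argument "apply" to change the live system.
if [ "${1:-}" = "apply" ]; then
    services_has /etc/services pop3 110 || { echo "/etc/services lacks pop3 110/tcp" >&2; exit 1; }
    services_has /etc/services pop3s 995 || { echo "/etc/services lacks pop3s 995/tcp" >&2; exit 1; }
    add_inetd_entry /etc/inetd.conf pop3
    add_inetd_entry /etc/inetd.conf pop3s
    hup_inetd
fi
```

If you keep tcpd (TCP Wrappers) in front of your inetd services, put /usr/sbin/tcpd in the program field and the popper path as argv[0] instead, as the other entries in your inetd.conf already do.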
At this point we have a fully functional SSL-protected POP3 server, which listens on TCP ports 110 and 995. Note that because both inetd entries use the same qpopper.conf with tls-support = alternate-port, qpopper expects the TLS handshake immediately on either port: plain, unencrypted POP3 on port 110 is no longer offered (which is the point), and clients that expect to negotiate STLS on port 110 will not work. Still, the server is of little value if clients cannot connect to it and get their emails.
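Before handing the server to users it is worth checking, from another machine, that each port really negotiates TLS right away, presents the certificate you are about to distribute, and greets with a POP3 banner inside the tunnel. The script below is an added example, not from the original page; it assumes openssl(1) on the checking host and takes the PEM certificate created earlier as the only trusted CA, exactly the trust relationship the Windows clients will have.

```shell
#!/bin/sh
# Added example (not from the original page): probe a POP3-over-TLS port and
# check the transcript for verification result, Common Name and POP3 greeting.
set -eu

# pop3_tls_probe HOST PORT CAFILE
#   Connects with an immediate TLS handshake (what Outlook Express does when told
#   to use SSL), trusting only CAFILE, and prints the s_client transcript.
#   -verify_return_error aborts the handshake instead of merely warning on a
#   certificate that does not chain to CAFILE.
pop3_tls_probe() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error 2>&1
}

# check_probe_output HOST < transcript
#   Reads an s_client transcript on stdin and fails unless all three hold:
#   the certificate verified (Verify return code 0), its CN equals HOST, and the
#   server sent a "+OK" POP3 greeting through the tunnel. Accepts both the
#   "subject=CN = x" and the older "subject=/CN=x" subject formats.
check_probe_output() {
    host=$1
    out=$(cat)
    cn=$(printf '%s\n' "$out" | sed -n 's/^subject=.*CN *= *\([^,\/]*\).*/\1/p' | head -n 1)
    rc=0
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' \
        || { echo "FAIL: certificate not verified against our CA file" >&2; rc=1; }
    [ "$cn" = "$host" ] \
        || { echo "FAIL: certificate CN '$cn' does not match '$host'" >&2; rc=1; }
    printf '%s\n' "$out" | grep -q '^+OK' \
        || { echo "FAIL: no POP3 +OK greeting inside TLS" >&2; rc=1; }
    return $rc
}

# Usage: pop3_tls_check.sh mail.acme.tld 995 /etc/mail/certs/mail.acme.tld.pem
# Run it against both 110 and 995; with tls-support = alternate-port both must pass.
if [ $# -eq 3 ]; then
    pop3_tls_probe "$1" "$2" "$3" | check_probe_output "$1" \
        && echo "OK: $1:$2 speaks TLS and presents the expected certificate"
fi
```

A CN mismatch here is exactly what will produce certificate warnings in Outlook Express later, so fix the Common Name (regenerate the certificate) rather than teaching users to click through the warning.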
The main reason I initially decided to configure an SSL-protected POP3 server was to enable Windows users to easily access their email accounts. I will quickly give you the details of configuring MS Outlook Express to access accounts on our POP3 server. First of all, transfer the DER-encoded certificate we created earlier to your Windows client machine. Double-click it and, when the certificate import wizard comes up, place it in the Trusted Root Certification Authorities store rather than the store the wizard suggests by default; otherwise Outlook Express will not trust our self-signed certificate. Keep in mind what this means: every client that imports it trusts anything signed with the matching private key, so the yourhostname.rsa file on the server must stay readable by root only. Then start Outlook Express and specify in the account manager the details of your email account (username/password, etc.). As the POP3 server enter the FQDN of the server we have just configured (remember that this has to be the same as the Common Name you entered during the certificate generation process) and as port number 110. Also tick the option that the server requires a secure connection (SSL). You are now ready to initiate an SSL-protected POP3 session and retrieve your emails.
I don't believe that I have forgotten any details, however if you notice any omissions let me know and I will update this.