How to set up and use encrypted connections with DBmail
You can use STunnel to provide an SSL encrypted connection to the DBmail POP3 and IMAP servers. This will not ensure that the email is encrypted, as it only encrypts the connection between the server and mail client, but it will keep your passwords secure.
Note: This breaks pop-before-smtp functionality. All SSL connections will show up as 127.0.0.1 in your dbmail_pbsp table. DBMail does not yet support STARTTLS. If you need to relay for your imap/pop users you will have to look into SMTP/AUTH.
Note: Stunnel can be a pain to compile from source. It has a wierd psudo sandbox that could confuse beginners quite easily. If at all possible use the package provided by your specific distro.
Setting up the certificate
Before you setup stunnel, you will first need a certificate. One way to generate a self-signed certificate is as follows:
#!/bin/sh cd /etc/ssl/certs PEMFILE="servername.foobar.com.pem" openssl req -new -x509 -nodes -days 365 -out $PEMFILE -keyout $PEMFILE chmod 600 $PEMFILE [ -e temp_file ] && rm -f temp_file dd if=/dev/urandom of=temp_file count=2 openssl dhparam -rand temp_file 512 >> $PEMFILE ln -sf $PEMFILE `openssl x509 -noout -hash < $PEMFILE`.0
This assumes your certificate will live in /etc/ssl/certs (the debian way), and that your users will connect to servername.foobar.com for either imaps or pop3s.
Secure POP3
For the POP3 Server, we want to take all connections to the POP3S port, decrypt them and send them to the POP3 port on localhost.
for stunnel-3 you will have to run a daemon:
stunnel -a /etc/ssl/certs -p servername.foobar.com.pem -t 300 -d pop3s -r localhost:pop3
Stunnel 4.00 and onward use a config file instead of command line arguments.
in /etc/stunnel/pop3s.conf
accept = 995 connect = 110 cert = /etc/ssl/certs/servername.foobar.com.pem session = 14400 TIMEOUTidle = 14400
in /etc/inetd.conf:
pop3s stream tcp nowait root /usr/sbin/stunnel4 stunnel4 /etc/stunnel/pop3s.conf
Secure IMAP
Same deal for the IMAP server, but change the ports:
stunnel -a /etc/ssl/certs -p servername.foobar.com.pem -t 300 -d imaps -r localhost:imap
in /etc/stunnel/imaps.conf:
accept = 993 connect = 143 cert = /etc/ssl/certs/servername.foobar.com.pem session = 14400 TIMEOUTidle = 14400
in /etc/inetd.conf:
imaps stream tcp nowait root /usr/sbin/stunnel4 stunnel4 /etc/stunnel/imaps.conf
Secure LDAP
It turns out that if you are running a version of LDAP that has ldap_initialize(), (Which OpenLDAP >= 2.3 does. I'm not certain about 2.2 though.) then you get LDAP over TLS support for free. One can simply leave the HOSTNAME and URI parameters of the dbmail.conf file blank, and then OpenLDAP will use the contents of /etc/openldap/ldap.conf. If one puts the following in that file:
URI ldaps://ldap_host1 ldaps://ldap_host2
then DBMail will try to connect to the LDAP over SSL ports (port 636) on ldap_host1 and ldap_host2, in that order. And this is all courtesy of the OpenLDAP library.
Now one could put the following into the LDAP section of the dbmail.conf file:
URI = ldaps://ldap_host3 ldaps://ldap_host4
if you wanted DBMail to use different LDAP servers from the system default ones.
If you're version of OpenLDAP does not have the ldap_initialize() function and only has the ldap_init() function, you can also use stunnel to establish secure connections to your LDAP server as a client. Assuming that you have a LDAP server running over TLS on port 636 on a machine named ldap_host, then you would put the following in /etc/stunnel/ldap.conf:
CAfile = /path/to/file/cacert/list client = yes accept = 389 connect = ldap_host:636
You would then tell DBMail to connect to localhost on port 389 for LDAP. Note that since we are running as a client, we do not need a certificate. Rather, we a list of CAs for LDAP server verification. For stunnel 3.x and earlier, you would use:
stunnel -c -d 389 -r ldap_host:636
Note that this stunnel method will work even if you have a more recent version of OpenLDAP as well.
CentOS 4.2
xinetd and stunnel configuration is slightly differs.
Secure IMAP
in /etc/xinetd.d/imaps
# default: off
# description: The IMAPS redirector allows client software which does not have \
# native support for SSL to connect to the local machine's IMAP \
# port and have the connection forwarded over the network using \
# SSL. You will need to modify stunnel-imaps-client.conf to \
# specify the server to connect to in order for this to be useful.
service imaps
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/stunnel
server_args = /etc/stunnel/imaps.conf
}
in /etc/stunnel/imaps.conf
verify = 1 cert = /etc/ssl/certs/domain.cert.pem connect = 143
Secure POP3
in /etc/xinetd.d/pop3s
service pop3s
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/stunnel
server_args = /etc/stunnel/pop3s.conf
}
in /etc/stunnel/pop3s.conf
verify = 1 cert = /etc/ssl/certs/domain.cert.pem connect = 110
Secure SMTP
in /etc/xinetd.d/ssmtp
# default: off
# description: The SMTPS redirector allows client software which does not have \
# native support for SSL to connect to the local machine's SMTPS \
# port and have the connection forwarded over the network using \
# SSL. You will need to modify stunnel-ssmtp-client.conf to \
# specify the server to connect to in order for this to be useful.
service smtps
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/stunnel
server_args = /etc/stunnel/stunnel-ssmtp-client.conf
# log_on_success += USERID
# log_on_failure += USERID
}
in /etc/stunnel/stunnel-ssmtp-client.conf
CAfile = /etc/stunnel/example.com connect = 25