Hi All,

First I would like to thank all who gave me pointers on where to look for the applications. There are also some of you who wanted me to post my findings. Hence I have decided to post a mini how-to. I actually ran a sniffer on it, and all messages are encrypted. :) If there's any prob, just drop me a line.

Rgrds,
Wong.

[mod: Grrr... I now converted it manually for you, & wrapped the lines -- REW]

--------------------------------------------------------------------------

DOCUMENTATION: HOW-TO SSLWRAP, SSLEAY OR OPENSSL

INTRODUCTION

SSLeay and OpenSSL are used to generate the required certificates. SSLwrap (run out of inetd) is used to encrypt pop3, imap or smtp services. Both SSLeay and OpenSSL would be discussed on how to generate a self-signed certificate.

SSLeay (vers. SSLeay-0.9.0b-4.i386.rpm)

Primary purpose here is to generate a cert.

{note: the following directory/file locations are created from RPM packages on RH6.0. On tar compressed files the certs, req and x509 might be in different locations.}

Before running the below commands, please take note of the following. After generating the cert, you would be required to fill in some fields such as name, country and e-mail etc. Take extra caution when filling in the "Common Name (eg, Your name)[]" field. Here, enter the host name of the mail server (assuming it's for pop/imap). The hostname here must match the hostname of the mail server filled in at the e-mail client (i.e. the POP field where the mail server name is recorded). If the names do not match, a warning dialog box would pop up. The link is still encrypted but it would be a nuisance to the users who have to endure the persistent warning dialog box.

Command:

    cd /var/ssl/certs/
    /usr/bin/req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
    ln -s server.pem `/usr/bin/x509 -noout -hash < server.pem`.0

A file (server.pem) would be generated from the command in line 2 above. Chmod the server.pem file (600) in order to restrict access. Note also that the server cert would only be effective the next day. As a test, forward your PC date by one day and test it.

OpenSSL (vers. openssl-0.9.3a.tar.gz)

**vers. Openssl-0.9.4 is out. But as of current writing, SSLwrap only supports 0.9.3a**

The steps (and *warnings too* :)) are the same as before. The commands are slightly changed however.

Use tar to decompress the file to /usr/local/src/ {preference is yours in here}. A directory called openssl-0.9.3a would be created. Inside here do a:

    ./config
    make
    make test
    make install

(all the above are documented in the INSTALL file).

To generate a cert, do the following: {note the directories are changed compared to SSLeay}.

Command:

    cd /usr/local/ssl/certs/
    /usr/local/ssl/bin/openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
    ln -s server.pem `/usr/local/ssl/bin/openssl x509 -noout -hash < server.pem`.0

Again, a server cert (server.pem) would be generated. Chmod the file (600) to restrict access to it.

SSLwrap (vers. SSLwrap-2.02-2.i386.rpm)

Requirement: SSLeay (or OpenSSL 0.9.3a), ld-linux.so.2, libc.so.6, libcrypto.so.0, libssl.so.0

** The latest SSLwrap version is 2.1.0 {tar format}; recommended to be used **

Read the docs.html first (/usr/doc/). Again note that the file structure/location specified here (in accordance with RPM) might differ from the tar file and also in the docs.html.

SSLwrap runs out of inetd. It can be run as a daemon but this is not advised (see docs.html for more info). Two files need to be configured here, inetd.conf (at /etc) and services (at /etc).

Add the following at services:

    pop3s 995/tcp

Or if you're using imap:

    imaps 993/tcp

Add the following at inetd.conf:

    pop3s stream tcp nowait sslwrap /usr/sbin/tcpd /usr/sbin/sslwrap -cert /var/ssl/certs/server.pem -port 110

Take careful note of the above paths. Also note pop3s. It should be in accordance with what you specified at the /etc/services file.

If RPM SSLwrap is used, all the above would be written in. However, RPM SSLwrap is using pop3s, whereas the default /etc/services already has spop3. The services file would not be re-written. In this case SSLwrap would not work. Hence, change the spop3 in the /etc/services file to pop3s or change the inetd.conf file.

Also note the owner sslwrap. From the docs.html, it is advised to create a user called sslwrap with access rights like nobody for security reasons.

Please e-mail me if I made any mistake. Thx.

E-mail: wongcm@vone.com.my
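An added example, not part of Wong's post, that scripts the same procedure with a current OpenSSL: the cert is generated non-interactively with the Common Name set to the mail host name (the `-subj` option of `openssl req`, not in the 1999 commands above), the key file is created with mode 600 from the start, the hash symlink is made, and a small check reproduces the pop3s/spop3 pitfall from the last section against a constructed services file. Assumes `openssl` is on PATH; host name, directory, service name and port are arguments rather than the post's hard-coded paths.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a modern "openssl" on PATH.

# Generate a self-signed cert whose CN is the host name mail clients are configured
# with, restrict it to the owner (it contains the private key) and create the
# hash symlink that SSLeay/OpenSSL use to find trusted certs in a directory.
gen_cert() {
    host="$1"; dir="$2"
    umask 077                           # file is born 0600, no window at 0644
    openssl req -new -x509 -nodes -days 365 -subj "/CN=$host" \
        -out "$dir/server.pem" -keyout "$dir/server.pem" || return 1
    chmod 600 "$dir/server.pem"
    ln -sf server.pem "$dir/$(openssl x509 -noout -hash < "$dir/server.pem").0"
}

# Common Name of a cert; compare it with the POP/IMAP server name given to clients,
# since a mismatch is what triggers the warning dialog the post describes.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Service name registered for <port>/tcp in a services file read from stdin.
# Prints nothing if the port is absent; comment lines are skipped.
service_name_for_port() {
    awk -v p="$1/tcp" '$1 !~ /^#/ && $2 == p { print $1; exit }'
}

# The post's pitfall: the inetd.conf line says "pop3s" but a stock /etc/services
# lists 995/tcp as "spop3", so inetd cannot resolve the service and sslwrap never
# starts. Prints "ok" when the two names agree, "mismatch:<name>" otherwise.
check_inetd_service() {
    inetd_name="$1"; port="$2"; services_file="$3"
    name=$(service_name_for_port "$port" < "$services_file")
    if [ "$name" = "$inetd_name" ]; then
        echo ok
    else
        echo "mismatch:${name:-none}"
    fi
}
```

Run `check_inetd_service pop3s 995 /etc/services` before restarting inetd; "mismatch:spop3" means either the services entry or the inetd.conf line has to be renamed, exactly as the post says.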