# -+- number -+- category -+- title -+- email -+- name -+- homepage -+- clickOnName -+- language -+- image -+- browser-used -+- security-cookie =0 -+- 2001-10-11:10 -+- System Administration -+- EZ Email Security With Stunnel -+- rndgui57@directvinternet.com -+- Pat Parsons -+- -+- nolink -+- English -+- -+- Mozilla/4.0 (compatible; MSIE 5.5; Windows 98) -+- 8784
This is a little crash course in how to setup email over SSL painlessly using Stunnel. First you need to have installed a mail transfer agent to handle the SMTP portion of the mail. Then you need to have installed either an IMAP server or a POP3 server. Many distributions come with Stunnel, if yours does not you can get it from http://www.stunnel.org. Stunnel requires that you have OpenSSL or SSLeay installed first. This should come with your distribution. Generally if you have SSH installed you also have a SSL library.
Get and install Stunnel. I am not going into detail on that because if you are at this point you probably already know how to do so. Make a SSL certificate for use with Stunnel. OpenSSL provides a makefile to do just that. In my distribution it is located in /usr/share/ssl/certs . CD to that directory and type make stunnel.pem to create the certificate that is named stunnel.pem. Now you need to a few lines to your rc.local file to start Stunnel at bootup (assuming you ever reboot that is) these lines are:
/usr/sbin/stunnel -d 995 -r 110
/usr/sbin/stunnel -d 465 -r 25
This will start stunnel listening on port 995 for POP3 and 465 for SMTP. Now all you need to do is edit the options for your mail client and there you go. No need to worry about cleartext email passwords. If you are too impatient to wait for the next reboot you can type the commands given previously to start Stunnel right away. There may be some problems with certificate validation for some email clients. Make sure when asked by the makefile you get the server name correct. If your email client will not let you add certificates you may need to change or obtain a certificate from a certification authority. If you cannot get the certificate vaidation worked out there is no way to ensure that you are connecting to the correct machine. Have a nice day.