Securing POP3 Over SSL

by Charlton Rose


If you or other people with accounts on your Unix machine routinely download email from it using the POP3 protocol, then you should heed this fair warning: POP3, like so many other legacy internet protocols, exchanges all data and passwords in the clear. This means that anyone with access to the network path between your server and its clients can discover users' passwords simply by listening in on the network. And since most Unix systems use the same password for email access and shell access, you and your users stand to lose a lot more than exclusive access to your email.

For this reason, it is strongly recommended that you let POP3 operate only through secure channels. Fortunately, Red Hat Linux 7.0, and probably many other linux distributions, now ship with a wonderful tool called Open SSL. This is a free, open source implementation of the Secure Sockets Layer, the same encryption layer that is now the de facto standard for secure, interent-based e-commerce transactions. With just a small amount of effort, you can use Open SSL to secure your system's POP3 transfers to protect them from eavesdropping.

the steps

The POP3 protocol, when directed through an SSL layer, is called POP3S. In the rest of this document, I will describe how you can disable POP3 and replace it with POP3S. Since I am writing this document on the same day that I figured out how to do it myself, I have not had an opportunity to explore implementation techniques on other Unix systems. Instead, I must assume that you, like me, are using Red Hat Linux 7.0 and that you selected "install everything" when you set it up.

Note to non-Red Hat Linux 7.0 users: If these assumptions do not apply to you, then the following instructions may require some adaptation for your platform. If you follow these directions on another platform and experience success, I would like to know about it so I can mention it here. If you had to do things a little differently, please tell me what you had to do so that I can add your wisdom to this document. Many people will no-doubt be grateful for your contribution.

All of these steps must be performed as root.

1. verify Open SSL installation

Determine whether your system has Open SSL installed by typing:

rpm -q openssl

If the package is not installed, grab your Linux disks and install it before continuing. Then, when you're ready, meet me at step 2.

2. disable insecure POP3 daemon

If you are already running the POP3 daemon over an insecure channel (port 110), you should disable it now. Otherwise, people may go on using the insecure method even after you enable the secure method.

If you're not sure whether POP3 is running, try this:

telnet localhost 110

If you get a response, then the daemon is running. Enter "quit" and get ready to turn it off. If, on the other hand, you can't establish a connection to port 110, then POP3 is probably not running; skip to step 3.

To disable POP3, edit the file


and make sure it reads something like this:

service pop3
	disable        = yes
	socket_type    = stream
	wait           = no
	user           = root
	server         = /usr/sbin/ipop3d
	log_on_success += USERID
	log_on_failure += USERID

In particular, make sure that "disable" is set to "yes".

Save your changes, exit your editor, and run:

/etc/rc.d/init.d/xinetd restart

Congratulations! You have just disabled POP3. Now you better hurry up with the rest of these steps before all your users get upset with you!

3. make certificate for stunnel

Our plan is to use stunnel, a utility included with Open SSL, to create a secure channel through which all POP3 data can be exchanged. Before we can do this, however, we need to create a piece of data called a "certificate." You can do this without worrying too much about what this means, and it won't cost you a penny, either.

First, change into the certificates directory:

cd /usr/share/ssl/certs/

Next, run the "stunnel certificate generator" by executing the command:

make stunnel.pem

Now your machine has a mind of its own. Sit back and enjoy the show for a while, until your terminal stops wiggling, and then answer the questions as best you can.

When you are done, you should find the new certificate sitting in the certificates directory.

4. enable POP3S daemon

You're almost done! All you've got to do now is re-enable POP3, but this time over the secure POP3 channel (port 995). This step is very similar to step 2, so if you got through that OK, you shouldn't have a problem here.

in your favorite text editor, open the file


(I recommend against Microsoft Word for this step). Make sure it reads something like:

service pop3s
	disable	       = no
	socket_type    = stream
	wait           = no
	user           = root
	server         = /usr/sbin/stunnel
	server_args    = -l /usr/sbin/ipop3d -- ipop3d
	log_on_success += USERID
	log_on_failure += USERID

In particular, make sure the "disable" property is set to "no".

Next, save your changes, exit the editor, and issue the following command:

/etc/rc.d/init.d/xinetd restart

And that should do it! Grab your favorite SSL-enabled POP3 client and give it a whirl!

Copyright © 2000 Sharkysoft. All rights reserved.

[ Sharkysoft home | more Linux tips ]