Secure IMAP (and POP3)
v 2.6
26 November 2001
Roberto Cecchini
Italian version
Contents
Introduction
OpenSSL Installation
Certificate Request and Installation
stunnel Installation
stunnel on the Server
E-mail Clients (Unix) Configuration
E-mail Clients (Windows) Configuration

Introduction
Netscape (IMAP) and Outlook (IMAP and POP3) support encrypted (SSL) connections
to a mail server. If the IMAP server itself doesn't support this kind of
connection, a partial solution is an SSL wrapper. Among the many available,
I have been using stunnel.

OpenSSL Installation
The first thing to do is to install OpenSSL:
- expand the tar file in /usr/local;
- follow the simple instructions: basically configure, make platform,
make test and make install.
Beware: according to my personal experience, it is much better
to use the GNU compiler.

Certificate Request and Installation
N.B.: these instructions are for .infn.it nodes only.
- copy the configuration file srv.cnf to /usr/local/ssl/lib/
(if you chose the standard installation);
- generate the certificate request:
> cd /usr/local/ssl/certs
> /usr/local/ssl/bin/openssl req -new -nodes -out req.pem \
-keyout key.pem -config /usr/local/ssl/lib/srv.cnf
Using configuration from /usr/local/ssl/lib/srv.cnf
Generating a 1024 bit RSA private key
.......................+++++
.........................+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called
a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IT]:
INFN (accettare il default!) [INFN]:
Locality Name (p.e. Firenze) []:Firenze
Organization Name (p.e. Sezione di Firenze) []:Sezione di Firenze
Server type [Server IMAP]:
Server name (p.e. postino.fi.infn.it) []:postino.fi.infn.it
Email Address []:cecchini@fi.infn.it
> chmod 600 key.pem
(key.pem contains the server private key in plain text!)
- send req.pem to the CA, which will send you back the certificate;
- create (with an editor) the file /usr/local/ssl/certs/stunnel.pem,
which contains key.pem followed by the server certificate.
Insert a blank line between the two parts and another one at the bottom;
- delete req.pem and key.pem and protect stunnel.pem (chmod 600),
since it now contains the server private key in plain text.
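As an added example (it is not part of the original page): a small shell script that assembles stunnel.pem as the last two steps describe, but first checks that key.pem and the certificate returned by the CA really belong together (a mismatch otherwise only shows up when stunnel fails to start or clients cannot connect), creates the file with owner-only permissions from the first byte rather than fixing them afterwards, and provides a check to run before (re)starting stunnel. It assumes an openssl binary in $PATH (set OPENSSL to /usr/local/ssl/bin/openssl for the layout the page uses); the function names, the OPENSSL variable and the file names in the usage comment are mine, not the page's.

```shell
#!/bin/sh
# Added example, not from the original page.  Assumes "openssl" in $PATH;
# override with OPENSSL=/usr/local/ssl/bin/openssl for the page's layout.
OPENSSL=${OPENSSL:-openssl}

# modulus_of TYPE   (TYPE is "rsa" for a private key, "x509" for a certificate)
#   Reads one PEM object from stdin and prints its RSA modulus.  A key and the
#   certificate issued for it share the modulus; on any error nothing is
#   printed, which the callers treat as a failure.
modulus_of() {
    "$OPENSSL" "$1" -noout -modulus 2>/dev/null
}

# pem_block WORD FILE
#   Prints the PEM block(s) of FILE whose label contains WORD, e.g.
#   "PRIVATE" matches both "BEGIN PRIVATE KEY" and "BEGIN RSA PRIVATE KEY".
pem_block() {
    sed -n "/-----BEGIN .*$1/,/-----END .*$1/p" "$2"
}

# make_stunnel_pem KEY CERT OUT
#   Writes OUT = KEY, blank line, CERT, blank line (the layout the page asks
#   for), but only if KEY and CERT match.  OUT is recreated under umask 077 so
#   the private key is never readable by other users, not even briefly.
make_stunnel_pem() {
    key=$1; cert=$2; out=$3
    kmod=$(modulus_of rsa < "$key")
    cmod=$(modulus_of x509 < "$cert")
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "make_stunnel_pem: $key does not match $cert" >&2
        return 1
    fi
    rm -f "$out"
    old_umask=$(umask)
    umask 077
    { cat "$key"; echo; cat "$cert"; echo; } > "$out"
    status=$?
    umask "$old_umask"
    [ "$status" -eq 0 ] || { rm -f "$out"; return 1; }
    chmod 600 "$out"
}

# check_stunnel_pem FILE
#   Pre-flight check for the file passed to "stunnel -p": exactly one private
#   key followed by exactly one certificate, the two matching each other, and
#   mode 600 (the key is stored in clear, as the page warns).
check_stunnel_pem() {
    f=$1
    [ -f "$f" ] || return 1
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ] || return 1
    keyline=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$f" | cut -d: -f1)
    certline=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | cut -d: -f1)
    [ "$keyline" -lt "$certline" ] || return 1
    kmod=$(pem_block PRIVATE "$f" | modulus_of rsa)
    cmod=$(pem_block CERTIFICATE "$f" | modulus_of x509)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ]
}

# Usage (file names are examples; "server.crt" is whatever the CA sent back):
#   make_stunnel_pem key.pem server.crt /usr/local/ssl/certs/stunnel.pem \
#     && check_stunnel_pem /usr/local/ssl/certs/stunnel.pem \
#     && rm -f req.pem key.pem
```

The moduli are compared rather than the files' hashes because the key and the certificate are different objects that only share the RSA modulus; check_stunnel_pem extracts each PEM block with sed before handing it to openssl so the check does not depend on how a given openssl version treats a file holding both objects.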

stunnel Installation
Follow the simple installation instructions that come with stunnel.

stunnel on the Server
It is recommended that you run stunnel as a daemon.
Start it at boot with the following commands
(the second only if you also need POP3 connections):
stunnel -d 993 -p /usr/local/ssl/certs/stunnel.pem -r localhost:imap
stunnel -d 995 -p /usr/local/ssl/certs/stunnel.pem -r localhost:pop

E-mail Clients (Unix) Configuration
For the clients which support SSL (e.g. Netscape Messenger, Outlook and pine)
the only thing to do is to change their configuration so that they use
secure connections.
It isn't necessary that the clients contain the certificate of the CA which
signed the server certificate, but of course it is better if they do.
For the e-mail clients which don't support SSL:
- install stunnel on the client machine;
- if you want to check the server certificate (optional, but recommended),
copy the certificate of the CA which signed the server certificate to
/usr/local/ssl/certs/CAcert.pem and:
> cd /usr/local/ssl/certs/
> ln -s CAcert.pem `/usr/local/ssl/bin/openssl x509 \
-noout -hash < CAcert.pem`.0
- run stunnel using the command (typically at startup):
> stunnel -c -v 2 -d 143 -r imap_server:993
> stunnel -c -v 2 -d 110 -r pop3_server:995
where the option -v 2 has to be specified only if you carried out the
previous step;
- configure the e-mail client so that it connects to the imap (or pop3)
port of localhost.
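As an added example, not from the original page: a script that performs the CA installation step above (copy plus the hashed link, replacing any stale link left by an earlier CA certificate) and then checks, against the same directory, that the mail server's certificate actually verifies, which is the check stunnel's -v 2 performs at every connection. It assumes openssl in $PATH and that the server certificate has been saved to a file (for instance a copy obtained from the server administrator); the function names and the directory argument are mine, the page uses /usr/local/ssl/certs.

```shell
#!/bin/sh
# Added example, not from the original page.  Assumes "openssl" in $PATH;
# override with OPENSSL=/usr/local/ssl/bin/openssl for the page's layout.
OPENSSL=${OPENSSL:-openssl}

# install_ca_cert CACERT DIR
#   Copies CACERT into DIR as CAcert.pem and creates the <hash>.0 link the
#   page describes.  OpenSSL (and so stunnel -v 2) finds a CA by that hashed
#   name, so a link left over from a previous CA certificate is removed first.
install_ca_cert() {
    ca=$1; dir=$2
    [ -d "$dir" ] || mkdir -p "$dir"
    cp "$ca" "$dir/CAcert.pem" || return 1
    chmod 644 "$dir/CAcert.pem"          # a CA certificate is public data
    hash=$("$OPENSSL" x509 -noout -hash -in "$dir/CAcert.pem") || return 1
    [ -n "$hash" ] || return 1
    rm -f "$dir/$hash.0"
    ln -s CAcert.pem "$dir/$hash.0"
}

# verify_server_cert SERVERCERT DIR
#   Returns 0 only if SERVERCERT chains to a CA found in DIR, the same lookup
#   stunnel -v 2 relies on; on success prints the certificate subject so the
#   administrator can confirm it names the intended mail server.
verify_server_cert() {
    cert=$1; dir=$2
    "$OPENSSL" verify -CApath "$dir" "$cert" >/dev/null 2>&1 || return 1
    "$OPENSSL" x509 -noout -subject -in "$cert"
}

# Usage (file names are examples):
#   install_ca_cert CAcert.pem /usr/local/ssl/certs \
#     && verify_server_cert postino-cert.pem /usr/local/ssl/certs
```

To check the live wrapper instead of a saved copy of the certificate, `openssl s_client -connect imap_server:993 -CApath /usr/local/ssl/certs` prints the server certificate chain and a "Verify return code" line; anything other than 0 (ok) means the -v 2 client will refuse the connection for the same reason.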

E-mail Clients (Windows) Configuration
For the clients which support SSL (e.g. Netscape Messenger, Outlook and pine)
the only thing to do is to change their configuration so that they use
secure connections.
It isn't necessary that the clients contain the certificate of the CA which
signed the server certificate, but of course it is better if they do.
For the e-mail clients which don't support SSL:
- install stunnel on the client machine:
- download winstun.zip;
- extract ssleay32.dll, libeay32.dll and stunnel.exe into the same
directory (if you prefer, the DLLs can be moved to \windows\system);
- run stunnel using the command:
stunnel -c -d 143 -r imap_server:993
stunnel -c -d 110 -r pop3_server:995
- configure the e-mail client so that it connects to the imap (or pop3)
port of localhost.
Roberto Cecchini
URL: http://security.fi.infn.it/tools/stunnel/index-en.html