
12.4. Mail Delivery Agents

12.5. Mail User Agents

Red Hat Enterprise Linux offers a variety of email programs, both graphical email client programs, such as Evolution, and text-based email programs such as mutt.

The remainder of this section focuses on securing communication between a client and a server.

12.5.1. Securing Communication

Popular MUAs included with Red Hat Enterprise Linux, such as Evolution and Mutt, offer SSL-encrypted email sessions.

Like any other service that flows over a network unencrypted, important email information, such as user names, passwords, and entire messages, may be intercepted and viewed by users on the network. Additionally, since the standard POP and IMAP protocols pass authentication information unencrypted, it is possible for an attacker to gain access to user accounts by collecting user names and passwords as they are passed over the network.

12.5.1.1. Secure Email Clients

Most Linux MUAs designed to check email on remote servers support SSL encryption. To use SSL when retrieving email, it must be enabled on both the email client and the server.

SSL is easy to enable on the client-side, often done with the click of a button in the MUA's configuration window or via an option in the MUA's configuration file. Secure IMAP and POP have known port numbers (993 and 995, respectively) that the MUA uses to authenticate and download messages.

12.5.1.2. Securing Email Client Communications

Offering SSL encryption to IMAP and POP users on the email server is a simple matter.

First, create an SSL certificate. This can be done in two ways: by applying to a Certificate Authority (CA) for an SSL certificate or by creating a self-signed certificate.

Warning

Self-signed certificates should be used for testing purposes only. Any server used in a production environment should use an SSL certificate signed by a CA.

To create a self-signed SSL certificate for IMAP or POP, change to the /etc/pki/dovecot/ directory, edit the certificate parameters in the /etc/pki/dovecot/dovecot-openssl.cnf configuration file as you prefer, and type the following commands, as root:

dovecot]# rm -f certs/dovecot.pem private/dovecot.pem
dovecot]# /usr/libexec/dovecot/mkcert.sh

Once finished, make sure you have the following configurations in your /etc/dovecot/conf.d/10-ssl.conf file:

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

Issue the following command to restart the dovecot daemon:

~]# systemctl restart dovecot

Alternatively, the stunnel command can be used as an encryption wrapper around the standard, non-secure connections to IMAP or POP services.

The stunnel utility uses external OpenSSL libraries included with Red Hat Enterprise Linux to provide strong cryptography and to protect the network connections. It is recommended to apply to a CA to obtain an SSL certificate, but it is also possible to create a self-signed certificate.

See Using stunnel in the Red Hat Enterprise Linux 7 Security Guide for instructions on how to install stunnel and create its basic configuration. To configure stunnel as a wrapper for IMAPS and POP3S, add the following lines to the /etc/stunnel/stunnel.conf configuration file:

[pop3s]
accept = 995
connect = 110

[imaps]
accept = 993
connect = 143

The Security Guide also explains how to start and stop stunnel. Once you start it, it is possible to use an IMAP or a POP email client and connect to the email server using SSL encryption.
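The following script is an added example, not part of the original guide: it reads back the two files configured above, extracting the ssl_cert and ssl_key paths from 10-ssl.conf and checking that the [pop3s] and [imaps] stunnel sections carry the port mapping shown. The function names and the owner-only key permission check are assumptions of this example; file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: audit helpers for the Dovecot and stunnel files described above.

# Print the path behind a Dovecot setting such as "ssl_key = </path".
# The leading "<" makes Dovecot read the value from that file.
dovecot_path() {  # usage: dovecot_path SETTING CONF_FILE
    awk -v k="$1" '
        /^[ \t]*#/ || !/[=]/ { next }
        { key = $0; sub(/[=].*/, "", key); gsub(/[ \t]/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*<?[ \t]*/, "", v)
                   sub(/[ \t]+$/, "", v); print v; exit }
    ' "$2"
}

# Succeed only if the key file exists and grants nothing to group or others
# (assumption of this example: the private key should be owner-only).
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print "service accept connect" for every [section] in a stunnel.conf.
stunnel_services() {
    awk '
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
        function emit() { if (name != "") print name, acc, con }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { emit(); name = $0; gsub(/[ \t]/, "", name)
                      sub(/^\[/, "", name); sub(/\].*/, "", name)
                      acc = con = "-"; next }
        /^[ \t]*accept[ \t]*=/  { acc = val($0) }
        /^[ \t]*connect[ \t]*=/ { con = val($0) }
        END { emit() }
    ' "$1"
}

# Report pop3s/imaps sections whose ports differ from the mapping above
# (995 -> 110 and 993 -> 143); a "host:" prefix on either value is ignored.
stunnel_mismatches() {
    stunnel_services "$1" | while read -r name acc con; do
        case "$name ${acc##*:} ${con##*:}" in
            "pop3s 995 110"|"imaps 993 143") ;;
            pop3s\ *|imaps\ *) echo "MISMATCH $name: accept=$acc connect=$con" ;;
        esac
    done
}
```

On the server, run stunnel_mismatches /etc/stunnel/stunnel.conf and key_is_private "$(dovecot_path ssl_key /etc/dovecot/conf.d/10-ssl.conf)"; no output from the first and a zero exit status from the second mean both checks passed.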

12.6. Additional Resources

The following is a list of additional documentation about email applications.

12.6.1. Installed Documentation

Information on configuring Sendmail is included with the sendmail and sendmail-cf packages.

/usr/share/sendmail-cf/README — Contains information on the m4 macro processor, file locations for Sendmail, supported mailers, how to access enhanced features, and more.

In addition, the sendmail and aliases man pages contain helpful information covering various Sendmail options and the proper configuration of the Sendmail /etc/mail/aliases file.

/usr/share/doc/postfix-version-number/ — Contains a large amount of information on how to configure Postfix. Replace version-number with the version number of Postfix.

/usr/share/doc/fetchmail-version-number — Contains a full list of Fetchmail features in the FEATURES file and an introductory FAQ document. Replace version-number with the version number of Fetchmail.

/usr/share/doc/procmail-version-number/ — Contains a README file that provides an overview of Procmail, a FEATURES file that explores every program feature, and an FAQ file with answers to many common configuration questions. Replace version-number with the version number of Procmail.

When learning how Procmail works and creating new recipes, the following Procmail man pages are invaluable:

procmail — Provides an overview of how Procmail works and the steps involved with filtering email.

procmailrc — Explains the rc file format used to construct recipes.

procmailex — Gives a number of useful, real-world examples of Procmail recipes.

procmailsc — Explains the weighted scoring technique used by Procmail to match a particular recipe to a message.

/usr/share/doc/spamassassin-version-number/ — Contains a large amount of information pertaining to SpamAssassin. Replace version-number with the version number of the spamassassin package.

12.6.2. Useful Websites

http://www.sendmail.org/ — Offers a thorough technical breakdown of Sendmail features, documentation and configuration examples.

http://www.sendmail.com/ — Contains news, interviews and articles concerning Sendmail, including an expanded view of the many options available.

http://www.postfix.org/ — The Postfix project home page contains a wealth of information about Postfix. The mailing list is a particularly good place to look for information.

http://www.fetchmail.info/fetchmail-FAQ.html — A thorough FAQ about Fetchmail.

http://www.procmail.org/ — The home page for Procmail with links to assorted mailing lists dedicated to Procmail as well as various FAQ documents.

http://www.uwasa.fi/~ts/info/proctips.html — Contains dozens of tips that make using Procmail much easier. Includes instructions on how to test .procmailrc files and use Procmail scoring to decide if a particular action should be taken.

http://www.spamassassin.org/ — The official site of the SpamAssassin project.

12.6.3. Related Books

Sendmail Milters: A Guide for Fighting Spam by Bryan Costales and Marcia Flynt; Addison-Wesley — A good Sendmail guide that can help you customize your mail filters.

Sendmail by Bryan Costales with Eric Allman et al.; O'Reilly & Associates — A good Sendmail reference written with the assistance of the original creator of Delivermail and Sendmail.

Removing the Spam: Email Processing and Filtering by Geoff Mulligan; Addison-Wesley Publishing Company — A volume that looks at various methods used by email administrators using established tools, such as Sendmail and Procmail, to manage spam problems.

Internet Email Protocols: A Developer's Guide by Kevin Johnson; Addison-Wesley Publishing Company — Provides a very thorough review of major email protocols and the security they provide.

Managing IMAP by Dianna Mullet and Kevin Mullet; O'Reilly & Associates — Details the steps required to configure an IMAP server.