As with any other service that sends traffic over a network unencrypted, important email information, such as usernames, passwords, and entire messages, can be intercepted and viewed without the knowledge of the email server or client. With the standard POP and IMAP protocols, all authentication information is sent "in the clear," meaning that anyone on a network between the client and the remote server can easily view it.

Secure Email Clients

Thankfully, most Linux MUAs designed to check email on remote servers support SSL to encrypt messages as they are sent back and forth over the network. To use SSL when retrieving email, it must be enabled on both the email client and the email server.

SSL is easy to enable on the client side, often with the click of a button in the MUA's configuration area. Secure IMAP and POP have known port numbers (993 and 995, respectively) that the MUA will use to authenticate and download messages.

Popular MUAs included with Red Hat Linux, such as Mozilla Mail, mutt, and pine, offer SSL-encrypted email sessions.

Secure Email Servers

Offering SSL encryption to IMAP and POP users on the email server is almost as easy. Red Hat Linux includes the stunnel package, an SSL encryption wrapper that encrypts the standard, non-secure network traffic of certain services and prevents interceptors from "sniffing" the communication between client and server.

The stunnel program uses external SSL libraries, such as the OpenSSL libraries included with Red Hat Linux, to provide strong cryptography and protect your connections. You can apply to a Certificate Authority (CA) for an SSL certificate, or you can create a self-signed certificate. A self-signed certificate still gives you SSL-encrypted communication, but because no CA vouches for it, clients cannot verify the server's identity unless they are given a copy of the certificate to trust.

To create a self-signed SSL certificate, change to the /usr/share/ssl/certs/ directory, type the make stunnel.pem command, and answer the questions. Then, use stunnel to start the mail daemon that you wish to use.

For example, the following command could be used to start the IMAP server included with Red Hat Linux:

/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapd

You should now be able to open an IMAP email client and connect to your email server using SSL encryption. Of course, you will probably want to go a step further and configure your stunnel-wrapped IMAP server to automatically start up at the correct runlevels.

For more information about how to use stunnel, read the stunnel man page or refer to the documents in the /usr/share/doc/stunnel-<version-number> directory.

Alternatively, the imap package bundled with Red Hat Linux can provide SSL encryption on its own, without stunnel. For secure IMAP connections, create the SSL certificate by changing to the /usr/share/ssl/certs/ directory and running the make imapd.pem command. Then, set the imapd service to start at the proper runlevels.

You can also use the ipop3 package bundled with Red Hat Linux to provide SSL encryption on its own without stunnel.
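
To confirm that either IMAP setup above (stunnel-wrapped or the imap package's own SSL support) really answers with SSL on port 993 and presents the certificate you created, a client-side check can be run from another machine. This is an added example, not part of the original Red Hat documentation; the host name, certificate path, and function names are assumptions, and it requires Python 3.9 or later.

```python
import imaplib
import ssl

IMAPS_PORT = 993  # secure IMAP port given on the page


def pinned_context(cafile=None):
    """Build a client context that only accepts certificates it can verify.

    cafile: PEM file holding a copy of the server's self-signed certificate
    (the certificate block only, never the private key). With no cafile the
    context has no trust anchors at all, so every server is rejected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def check_imaps(host, cafile=None, port=IMAPS_PORT, timeout=10):
    """Return (status, detail) for one connection attempt to a secure IMAP port."""
    try:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=pinned_context(cafile),
                                 timeout=timeout)
    except ssl.SSLCertVerificationError as exc:
        # Encrypted, but the certificate is not the trusted one (or the name differs).
        return "untrusted-certificate", exc.verify_message
    except ssl.SSLError as exc:
        # Something answered, but not with a usable SSL/TLS handshake.
        return "no-tls", str(exc)
    except OSError as exc:
        return "unreachable", str(exc)
    except imaplib.IMAP4.error as exc:
        return "not-imap", str(exc)
    try:
        expires = conn.sock.getpeercert().get("notAfter", "")
        return "verified", "certificate valid until " + expires
    finally:
        conn.logout()  # end the session without ever sending credentials


if __name__ == "__main__":
    # Hypothetical host and path: replace with your server and certificate copy.
    print(check_imaps("mail.example.com", "/etc/pki/mail-server-cert.pem"))
```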