<< 17 January 2013 | Home | 19 January 2013 >>

Secure POP3 with stunnel

step 6

Back to the introduction

Now that postfix is up & running, and that xinet is serving a POP3 daemon on port 110, we will oppen a SSL port (995) for remote checking emails, outside the LAN. The typical desired usage is as follows:

  1. Inside the LAN, my desktop computer retrieves email stored on the Pi card by accessing its POP3 service on port 110. This port is closed for outside traffic, so this is a secure and simple way to retrieve emails internally.
  2. From outside the LAN, e.g. from my mobile phone, I access my emails using a POP3S (SSL) service, after opening port 995 for traffic and rerouting traffic on this port, from my router to the Pi card.  I use stunnel to wrap the internal POP3 service into a POP3S servive. Please refer to the stunnel documentation.

Hence here are the steps I am taking:

  1. Install stunnel4 with apt-get
  2. Generate a SSL certificate running:
    sudo openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
    This should give you a self signed cerificate for 365 days. You can change the period of days as you like.
  3. Store this certificate in an apprpriate directory, e.g. /etc/stunnel
  4. In the same directory create a stunnel configuration file corresponding to the pop3 service. In my case I call it pop3s.conf and the relevant content is as follow:
    client = no
    chroot = /var/lib/stunnel4
    setuid = stunnel4
    setgid = stunnel4
    pid = /stunnel4.pid
    debug = 3
    output = /stunnel.log
    cert = /etc/stunnel/stunnel.pem
    
    [pop3s]
    accept  = 995
    connect = 110
    
  5. In order for stunnel4 to be enabled, and to read the configuration files in /etc/stunnel, it is required to change the settings in the main configuration file /etc/default/stunnel4, setting ENABLED=1 (0 is the default).
  6. Now by rebooting the system or by restarting stunnel with:
    sudo /etc/init.d/stunnel4 restart
    the stunnel4 daemon should be up and running. This can be tested with
    ps -e | grep stunnel
    which should results in a bunch of process-ids dedicated to this service.
  7. Check that there is a listening port at 995 with
    netstat -aln | grep 995
    or telnet into it from another PC on the lan
    telnet raspberrypy 995
  8. Finally make sure that the port 995 is open from outside and that your router forward communication through this port to your Pi card. I verify the functioning of my POP3S service from my Android phone using a SSL client on the phone. Typically for the first connection I need to accept the self signed cerificate sent from the Pi card. This is a good sign that is all up & running.