
Recipe 8.11 Securing POP/IMAP with SSL and Pine

8.11.1 Problem

You want to secure your POP or IMAP email session. Your mail client is pine, and your mail server supports SSL.

8.11.2 Solution

Test whether you can use STARTTLS, as explained in SSL for Securing Mail:

$ pine -inbox-path='{mail.server.net/user=fred/protocol}'

replacing protocol with either pop or imap as desired. One of three outcomes will occur:

  1. You get no connection. In this case, you cannot use STARTTLS; move on and try SSL-port, below.

  2. You get a connection, but the login prompt includes the word INSECURE:

    HOST: mail.server.net (INSECURE)  ENTER LOGIN NAME [fred] :

    In this case, you again cannot use STARTTLS; move on and try SSL-port, below.

  3. You get a connection and the login prompt does not say INSECURE. In this case, congratulations, you have a secure mail connection. You are done.

If you could not use STARTTLS as shown, try the SSL-port method:

$ pine -inbox-path='{mail.server.net/user=fred/protocol/ssl}'

again replacing protocol with either pop or imap as appropriate.

To ensure you have a secure connection (i.e., to forbid pine from engaging in weak authentication unless it's over a secure connection), add /secure to your inbox-path. For example:

$ pine -inbox-path='{mail.server.net/user=fred/imap/secure}'

If none of this works, your ISP does not appear to support IMAP over SSL in any form; try SSH instead. [Recipe 8.16]

8.11.3 Discussion

You might be able to simplify the mailbox specifications; for instance:

{mail.server.net/user=fred/imap}

could be simply {mail} instead: IMAP is the default, the usernames on both sides are assumed to be the same if unspecified, and your DNS search path may allow using the short hostname.

8.11.4 See Also

pine(1).

SSL Connection Problems: Server-Side Debugging

If you have access to the system logs on the mail server, you can examine them to debug SSL connection problems, or just to verify what's happening. In /var/log/maillog, successful SSL-port-style connections look like this:

Mar  7 16:26:13 mail imapd[20091]: imaps SSL service init from 209.225.172.154
Mar  7 16:24:17 mail ipop3d[20079]: pop3s SSL service init from 209.225.172.154

as opposed to these, indicating no initial use of SSL:

Mar  7 16:26:44 mail imapd[20099]: imap service init from 209.225.172.154
Mar  7 16:15:47 mail ipop3d[20018]: pop3 service init from 209.225.172.154

Note, however, that you cannot distinguish the success of STARTTLS-style security this way.
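As an added example (not from the book), here is a small Python script that scans /var/log/maillog lines in the format quoted above, separates SSL-port sessions (imaps, pop3s) from plain-port sessions (imap, pop3), and lists the clients seen on plain ports so you can follow up with them. The sample log is constructed from the four lines shown in the text; the regular expression assumes that UW-IMAP "service init" line layout and may need adjusting for other daemons.

```python
import re
from collections import Counter

# Matches the "service init" lines quoted in the text (UW imapd/ipop3d
# layout). Assumption: other IMAP/POP daemons may log differently.
SERVICE_INIT = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<daemon>imapd|ipop3d)\[(?P<pid>\d+)\]:\s+"
    r"(?P<service>imaps|imap|pop3s|pop3)\s+(?:SSL\s+)?service init from\s+"
    r"(?P<client>\S+)\s*$"
)

def parse_service_init(line):
    """Return a dict for one 'service init' line, or None for any other line."""
    m = SERVICE_INIT.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # imaps/pop3s are the dedicated SSL ports. A plain imap/pop3 session may
    # still have negotiated STARTTLS afterwards; this log line cannot show that.
    rec["ssl_port"] = rec["service"].endswith("s")
    return rec

def summarize(lines):
    """Count SSL-port vs plain-port sessions per daemon; collect plain-port clients."""
    counts = Counter()
    plain_clients = {}
    for line in lines:
        rec = parse_service_init(line)
        if rec is None:
            continue
        counts[("ssl" if rec["ssl_port"] else "plain", rec["daemon"])] += 1
        if not rec["ssl_port"]:
            plain_clients.setdefault(rec["client"], set()).add(rec["service"])
    return counts, plain_clients

# Constructed sample: the four lines from the text plus one unrelated line,
# which the parser should ignore.
SAMPLE_LOG = """\
Mar  7 16:26:13 mail imapd[20091]: imaps SSL service init from 209.225.172.154
Mar  7 16:24:17 mail ipop3d[20079]: pop3s SSL service init from 209.225.172.154
Mar  7 16:26:44 mail imapd[20099]: imap service init from 209.225.172.154
Mar  7 16:15:47 mail ipop3d[20018]: pop3 service init from 209.225.172.154
Mar  7 16:27:02 mail imapd[20099]: Logout user=fred host=209.225.172.154
""".splitlines()

if __name__ == "__main__":
    counts, plain = summarize(SAMPLE_LOG)
    for (mode, daemon), n in sorted(counts.items()):
        print(f"{daemon:7} {mode:5} {n}")
    for client, services in plain.items():
        print(f"plain-port session(s) from {client}: {', '.join(sorted(services))}"
              " (any STARTTLS upgrade is not visible here)")
```

To run it against the real log, replace SAMPLE_LOG with the lines of /var/log/maillog (for example, `open("/var/log/maillog")`).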

Another way of verifying the secure operation is to watch the mail protocol traffic directly using tcpdump [Recipe 9.16] or Ethereal [Recipe 9.17]. Ethereal is especially good, as it understands all the protocols involved here and will show exactly what's happening in a reasonably obvious fashion.
