Securing and Optimizing Linux: RedHat Edition -A Hands on Guide
Prev	Chapter 23. Linux IMAP & POP Server	Next

23.3. Enable IMAP or POP via the tcp-wrappers inetd super server

Tcp-wrappers take cares to start and stop IMAP or POP server. Upon execution, inetd reads its configuration information from a configuration file which, by default, is /etc/inetd.conf. There must be an entry for each field of the configuration file, with entries for each field separated by a tab or a space.

Edit the inetd.conf file, vi /etc/inetd.conf and add or uncomment the line related to the service you want to enable. If you want to use IMAP then uncomment the line related to it, if is POP that you want to use in your server, then uncomment it instead of IMAP. In our example below we'll use IMAP service.
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d #pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d imap stream tcp nowait root /usr/sbin/tcpd imapd

Don't forget to update your inetd.conf file by sending a SIGHUP signal killall -HUP inetd after adding or uncommenting the corresponding line.
[root@deep /root]# killall -HUP inetd
If the IMAP/POP server you want to install is a private and limited server for wheel knows real IP address clients, you can use the security feature of tcp-wrappers to control, which can connect, to your server and from where. If you intended to offer mail service to a dial-up clients or a Webmail service for example, then you cannot use this feature. Edit the hosts.deny file, vi /etc/hosts.deny and add the line:
ALL: ALL@ALL, PARANOID
Which means all services, all locations, so any service not explicitly allowed is then blocked, unless they are permitted access by entries in the hosts.allow file.
Edit the hosts.allow file, vi /etc/hosts.allow and add the line:
imapd: 216.209.228.34 my.domain.com
Which mean only client IP 216.209.228.34 with host name my.domain.com is allowed to connect and use IMAP service on the server.

23.3.1. Securing IMAP/POP

Do you really need IMAP/POP service?

Do you really need IMAP/POP service?

Be aware that IMAP/POP programs use plain text passwords by default. Anyone running a sniffer program along your network path can grab your username/password and use them to log in as you. It's not because you use an IMAP/POP mail reader on your LINUX system that you need to run an IMAP/POP server locally. Check your configuration, and if you use a remote/external IMAP/POP server then uninstall IMAP/POP on your system.

Sniffer attack?

Using SSL capabilities over IMAP/POP

Unfortunately, due to US government export restrictions, the IMAP toolkit with SSL capability is currently not available. There are packages available from third parties that allow IMAP and POP3 sessions through SSL. One of these packages is WebMail IMP, a web interface that permits you to read your mail via the Internet with a web browser. WebMail IMP uses the SSL protocol to encrypt the communication with the IMAP/POP server. See part IV, Software's-Related Reference, in Chapter 19, Servers Software (Web Network Services) for more information on the topic.

Webmail-IMP web browser interface

With WebMail IMP, communications from the mail server through to the client machine are encrypted with the SSL protocol using a web browser.

Further documentation, for more details, there are several man pages you can read:

imapd(8C): - Internet Message Access Protocol server
ipopd(8C): - Post Office Protocol server

Prev	Home	Next
Configure to tweak	Up	Installed files