
HOWTO: Quick & Dirty SSL POP3/SMTP under UNIX

This document assumes you already have a working SMTP and POP3 server and want to add SSL security for your Windows Outlook clients. This process is surprisingly simple. Personally, I've never been able to get the built-in SSL capabilities of qpopper to work, so I turned to SSLWrap by Rick Kaseguma. It's lightweight, very simple, and is easily adapted to other services such as IMAP, even HTTP. (I did get HTTP to work, however Apache redirects keep bouncing the client out of https - ApacheSSL is a much better solution.)

First Step
Download and compile SSLWrap. It requires OpenSSL - make sure that's available and that its libraries can be found via your LD_LIBRARY_PATH. The most recent version should be at http://www.rickk.com/sslwrap/sslwrap.tar.gz. There's no "configure" or "make install", just "make all". Copy the "sslwrap" binary somewhere on your system, such as /usr/local/bin.

Create a certificate
For SSL to work properly, you'll need a server certificate. The server requires a certificate and a private key. The public key is embedded in the certificate, which is sent to the client automatically when an SSL connection is established; the private key never leaves the server. You can either use a certificate issued (signed) by a Certificate Authority such as Thawte or VeriSign, or create a self-signed certificate. For this example, I am using a self-signed certificate.
/usr/local/ssl/bin/openssl req -x509 -nodes -days 365 -keyout /usr/local/ssl/certs/server.pem -out /usr/local/ssl/certs/server.pem

This creates a self-signed certificate and key pair in the single file /usr/local/ssl/certs/server.pem (giving the same file to -keyout and -out makes openssl append the certificate after the key). Normally you would keep the certificate and private key in separate files; however, since SSLWrap doesn't run as root, the file needs to be readable by the unprivileged user it runs as. Make sure you enter the full server name for "Common Name". It doesn't necessarily need to be the FQDN (an alias is okay), but it must be the name you will use to access the server, or the SSL connection will not be happy.

Next - configure SSL services

First, you'll need to make sure the protocols are defined in /etc/services.
https 443/tcp
smtps 465/tcp
pop3s 995/tcp

etc.

Next, add the following lines to /etc/inetd.conf (the first argument after the program path is its argv[0], as inetd expects):

pop3s stream tcp nowait nobody /usr/local/bin/sslwrap sslwrap -port 110 -cert /usr/local/ssl/certs/server.pem
smtps stream tcp nowait nobody /usr/local/bin/sslwrap sslwrap -port 25 -cert /usr/local/ssl/certs/server.pem

Restart inetd for the changes to take effect.

Configure your Windows client

Grab a copy of the server.pem file and pull it down to your Windows machine. Edit the file and remove the Private Key data, so that the only data left in the file is the block from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----". Rename it to server.crt. Right click on this file and choose Install Certificate. Click through the default options. Since we're using a self-signed certificate, we need to add this certificate to the workstation's root store, making it a trusted certificate. This step can be skipped if you use a certificate signed by a Certificate Authority. This file can be distributed to your other machines as needed. The Private Key data is the information that you must keep private.
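Stripping the private key out of server.pem by hand is easy to get wrong, so here is an added Python helper (not part of the original HOWTO or of SSLWrap) that splits the combined file into a certificate-only server.crt and refuses to emit anything containing a PRIVATE KEY block. The sample PEM below is constructed with placeholder bodies, not real key or certificate material.

```python
import re
from pathlib import Path

# One PEM block: "-----BEGIN <label>-----" ... "-----END <label>-----" (labels must match).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n.*?-----END (?P=label)-----",
    re.DOTALL,
)

def split_pem(text):
    """Return [(label, block_text), ...] for every PEM block in text, in file order."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def has_private_key(text):
    """True if text holds any private-key block (RSA, EC, PKCS#8, encrypted or not)."""
    return any(label.endswith("PRIVATE KEY") for label, _ in split_pem(text))

def certificate_only(text):
    """The part of server.pem that may leave the server: CERTIFICATE blocks only."""
    certs = [block for label, block in split_pem(text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found in input")
    out = "\n".join(certs) + "\n"
    if has_private_key(out):  # cannot happen given the filter above, but fail closed
        raise RuntimeError("refusing to write a file that still contains a private key")
    return out

def export_client_cert(server_pem, client_crt):
    """Write client_crt (for the Windows 'Install Certificate' step) from server_pem."""
    text = Path(server_pem).read_text()
    # sslwrap -cert expects key + certificate in one file, so the source must still have the key.
    if not has_private_key(text):
        raise ValueError(f"{server_pem} has no private key; sslwrap needs it there")
    out = certificate_only(text)
    Path(client_crt).write_text(out)
    return out

# Constructed stand-in for /usr/local/ssl/certs/server.pem (key first, then certificate,
# which is the order openssl writes when -keyout and -out name the same file).
SAMPLE_SERVER_PEM = """-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYDATA0000000000000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTDATA000000000000000000000000000000000000000000000
-----END CERTIFICATE-----
"""
```

Run export_client_cert("/usr/local/ssl/certs/server.pem", "server.crt") on the server and copy only server.crt to the Windows machines.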

Configure Outlook
For the incoming/outgoing server names, enter the server name you used when creating the certificate. On the Advanced tab, check "This server requires a secure connection (SSL)" for both POP3 and SMTP. Make sure both are configured for the correct port - 465 for SMTP, and 995 for POP3.

Rejoice!
Click Send/Receive mail. If all went well, the connection should complete without error. Good luck!
