Product SiteDocumentation Site

13.5. メールユーザーエージェント

Fedora offers a variety of email programs, both, graphical email client programs, such as Evolution, and text-based email programs such as mutt.
The remainder of this section focuses on securing communication between a client and a server.

13.5.1. 通信のセキュリティ

Popular MUAs included with Fedora, such as Evolution and mutt offer SSL-encrypted email sessions.
Like any other service that flows over a network unencrypted, important email information, such as usernames, passwords, and entire messages, may be intercepted and viewed by users on the network. Additionally, since the standard POP and IMAP protocols pass authentication information unencrypted, it is possible for an attacker to gain access to user accounts by collecting usernames and passwords as they are passed over the network.

13.5.1.1. 安全な電子メールクライアント

Most Linux MUAs designed to check email on remote servers support SSL encryption. To use SSL when retrieving email, it must be enabled on both the email client and the server.
SSL is easy to enable on the client-side, often done with the click of a button in the MUA's configuration window or via an option in the MUA's configuration file. Secure IMAP and POP have known port numbers (993 and 995, respectively) that the MUA uses to authenticate and download messages.

13.5.1.2. 安全な電子クライアント通信

Offering SSL encryption to IMAP and POP users on the email server is a simple matter.
First, create an SSL certificate. This can be done in two ways: by applying to a Certificate Authority (CA) for an SSL certificate or by creating a self-signed certificate.

自己署名証明書の使用を避けてください

自己署名付き証明書は、テスト目的の為にのみ使用すべきものです。生産環境で使用するサーバーはすべて CA により認可された SSL 証明書を使用すべきです。
To create a self-signed SSL certificate for IMAP or POP, change to the /etc/pki/dovecot/ directory, edit the certificate parameters in the /etc/pki/dovecot/dovecot-openssl.conf configuration file as you prefer, and type the following commands, as root:
dovecot]# rm -f certs/dovecot.pem private/dovecot.pem
dovecot]# /usr/libexec/dovecot/mkcert.sh
Once finished, make sure you have the following configurations in your /etc/dovecot/conf.d/10-ssl.conf file:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
Execute the systemctl restart dovecot.service command to restart the dovecot daemon.
Alternatively, the stunnel command can be used as an SSL encryption wrapper around the standard, non-secure connections to IMAP or POP services.
The stunnel utility uses external OpenSSL libraries included with Fedora to provide strong cryptography and to protect the network connections. It is recommended to apply to a CA to obtain an SSL certificate, but it is also possible to create a self-signed certificate.

stunnel パッケージのインストール

In order to use stunnel, first ensure the stunnel package is installed on your system by running, as root:
yum install stunnel
Yum を用いたパッケージのインストールに関する詳細は「パッケージのインストール」を参照してください。
自己署名 SSL 証明書を作成するには、/etc/pki/tls/certs/ ディレクトリに変更して、以下のコマンドを入力します:
certs]# make stunnel.pem
すべての質問に答えると作業を完了します。
Once the certificate is generated, create an stunnel configuration file, for example /etc/stunnel/mail.conf, with the following content:
cert = /etc/pki/tls/certs/stunnel.pem

[pop3s]
accept  = 995
connect = 110

[imaps]
accept  = 993
connect = 143
Once you start stunnel with the created configuration file using the /usr/bin/stunnel /etc/stunnel/mail.conf command, it will be possible to use an IMAP or a POP email client and connect to the email server using SSL encryption.
For more information on stunnel, refer to the stunnel man page or the documents in the /usr/share/doc/stunnel-version-number / directory, where version-number is the version number of stunnel.