Clicky

20140911

stunnel, hMailserver's security panacea

UPDATE 17-Oct-2014: The POODLE attack has made SSLv3 vulnerable. The stunnel.conf configuration below is modified to disable SSLv3 too.

I am using hMailserver to handle the mail for my email domains. hMailserver has an option to secure the email traffic with SSL. Under the hood it is using OpenSSL for that.

There is a small problem with this configuration:  weak encryption is enabled in hMailserver. It seems that the SSL configuration is hardcoded in hMailserver, I needed a better method to establish and maintain SSL sessions to my mailserver.

An attacker is able to read emails when SSLv2 is used
To make a long story short, stunnel (http://www.stunnel.org) solves this problem. stunnel is an SSL wrapper also based on OpenSSL. It is very flexible and highly configurable. In this case we want to tunnel IMAP and SMTP traffic in an SSL tunnel.

There are only two steps to make hMailserver only accessible through very secure SSL communications.

1. Remove the SSL support in hMailserver

Go to your hMailserver console and remove all SSL protocols leaving only IMAP (port 143) and SMTP (port 25):


2. Add and configure stunnel

Download stunnel (https://www.stunnel.org/downloads/stunnel-5.03-installer.exe) and install in the default or other folder. Have are create the Private Key, Server Certificate (and root certificate) PEM file. Make an stunnel configuration file. 

This  is an example stunnnel.conf:

; Debugging stuff (may useful for troubleshooting)
; 5=normal
; 7=debug
; See:http://www.stunnel.org/static/stunnel.html
debug = 5
output = m:\log\stunnel.log

; Initialize Microsoft CryptoAPI interface
engine = capi

; Certificate/key is needed in server mode and optional in client mode
cert = hmailserver.domain.com.pem
key = hmailserver.domain.com.pem

; Security configuration no.1...
; Disable support for insecure SSLv2 protocol...
options = NO_SSLv2
; Disable also SSLv3 against the POODLE attack...
options = NO_SSLv3

; Security configuration no.2: Allow only stong ciphers...
; Normally the next configuration is secure (enough):
; ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
; However if you are really paranoid, allow only strongest:
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA

; Security configuration no.3...; These options provide additional security at some performance degradation
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE

[imap]
client = no
accept = 993
connect = 143

[smtp]
client = no
accept = 465
connect = 25

Test the config file with the stunnel GUI (stunnel startmenu:"stunnel GUI start").This enables to check the logfile on screen for errors. When this works fine, install the stunnel services (stunnel startmenu:"stunnel Service Install"). Start the stunnel service and check the connectivity.

When everything works hMailserver is only accessible through strong encryption protocols:

stunnels's strong encryption prevents attackers to read your email

Happy emailing!

No comments :

Post a Comment

Real Time Web Analytics