
White paper - Use of POP3 over secure ports.

Introduction:
In the business world, email is now our most important and timely form of communication. Most of the email sent today uses standard protocols without encryption or authentication. Sending an email without encryption, or through insecure protocols like POP3 (port 110) and SMTP (port 25), is much like sending a postcard through the postal service: it can be read by everyone who handles it on its way through the system from the sender to the receiver. Email security has therefore become an area of concern for every Information Security team charged with protecting corporate information. The approach is to use means such as email encryption and secure ports so that messages can only be opened and read by the intended recipient. Perhaps the best place to strengthen security over the network is securing your email traffic.
Email communication brief:
Let us briefly understand incoming and outgoing email server communication. The incoming mail server is the server associated with your email address and account; an email account cannot have more than one incoming mail server. To access your incoming messages you need an email client: a program that can retrieve email from an email account and lets a user read, forward, delete, and reply to email messages. Depending on your mail server, you can use a dedicated email client (like Outlook Express) or a web browser (like Internet Explorer or Mozilla, for accessing web-based email accounts such as Yahoo or Gmail). Mail is held in storage on the incoming mail server until you download it. Once you have downloaded your mail from the mail server it cannot be downloaded again. To download your email you must have the correct settings configured in your email client program. Most incoming mail servers use one of the following protocols: IMAP, POP3 and HTTP.
Security Concern over POP3:
What makes email communication secure is the choice of protocols and ports enabled on the LAN / WAN interfaces. POP (Post Office Protocol; POP2 on port 109 and POP3 on port 110) works using text commands sent to the mail server. Each command sent by the client consists of a keyword, possibly accompanied by one or several arguments, and is followed by a response from the mail server consisting of a response code and a descriptive message.
From the email security perspective, POP3 configured in a LAN / WAN environment is insecure: POP3 transmits the username and password in the clear, and a system running a POP3 server may be vulnerable to a brute-force attack against usernames and passwords. Basic open-source password sniffers make it easy to retrieve the credentials of any user generating traffic on the same LAN / WAN.
To see an example of this in action, here is a POP3 session login sniffed on an insecure LAN network.
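As an added illustration (not part of the original paper, which shows a packet capture at this point), the following Python walks a constructed POP3 login transcript in the keyword/argument and response format described above and reports what an observer on the same LAN would learn from it. The session text and the names in it are made up.

```python
from dataclasses import dataclass

# Constructed transcript of a POP3 login on plain port 110, as a sniffer on
# the same LAN would see it (C: client line, S: server line). Made-up values.
SAMPLE_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 2 3104
C: QUIT
S: +OK Bye
"""


@dataclass
class Finding:
    line_no: int
    keyword: str
    detail: str


def parse_pop3_line(line: str):
    """Split one transcript line into (side, keyword, args).

    A client command is a keyword plus optional arguments; a server reply is
    its status word (+OK or -ERR) plus a descriptive message."""
    side, _, text = line.partition(": ")
    parts = text.strip().split(None, 1)
    keyword = parts[0].upper() if parts else ""
    args = parts[1] if len(parts) > 1 else ""
    return side, keyword, args


def audit_cleartext_login(session: str) -> list:
    """Report credentials that cross the wire unprotected in a plaintext session."""
    findings = []
    for n, raw in enumerate(session.splitlines(), 1):
        side, keyword, args = parse_pop3_line(raw)
        if side != "C":
            continue
        if keyword == "USER":
            findings.append(Finding(n, keyword, f"username exposed: {args}"))
        elif keyword == "PASS":
            # The secret itself is not echoed into the report; its presence is the finding.
            findings.append(Finding(n, keyword, f"password exposed ({len(args)} chars)"))
    return findings


if __name__ == "__main__":
    for f in audit_cleartext_login(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.keyword} -> {f.detail}")
```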
Solution:
It is very important that POP3 traffic is secured if we plan to use it for email access in your LAN / WAN environment. With the sending of secure email comes the receiving of secure email as well. One method used to accomplish this is Secure POP3 (POP3S) together with Secure SMTP (SMTPS).
One of the methods that can be utilized is POP3 over SSL, built on a free, open-source implementation of the Secure Sockets Layer (SSL), the same encryption layer that is used for standard, secure Internet e-commerce transactions. This method uses port 995 for POP3-over-SSL and port 465 for SMTP-over-SSL; for those using IMAP it uses port 993 for IMAP-over-SSL communication. One of the key things that can be done is to use stunnel to create a secure channel over which all of the POP3 data is exchanged. stunnel requires a piece of data called a certificate to be generated. This certificate is then used to validate the server and to exchange information from device to device. Such certificates can be purchased from a certificate authority (CA) such as GoDaddy.
Secure Ports
Incoming Ports
Secure POP3 - port 995 (Secured POP3 over TLS/SSL, formerly spop3: an SSL-encrypted POP3 service for encrypted mail transfer.)
Secure IMAP - port 993
Outgoing Secure Ports
The outgoing mail is always SMTP, whether using IMAP or POP.
Secure SMTP - port 465
A secure POP3 server requires the following components. Each component must be bug-free and non-exploitable:
POP3 server software
OpenSSL installation
stunnel, the SSL wrapper
Underlying system, kernel and configuration
If you already have a POP3 server running on port 110 and want to provide a secure version which SSL-capable clients can access on port 995, the nifty piece of software that makes this possible is stunnel. Once the configuration is complete, run 'stunnel': it runs as a daemon in the background, accepting SSL connections on port 995 and passing them through to your POP3 server on port 110. If everything works smoothly you can modify your system initialization scripts to run stunnel on startup. For further security, you can firewall your system so that clients outside your network can only reach the secure server on port 995 and not the plaintext version on port 110.
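An added post-deployment check for the setup just described (example code, not from the original paper or the stunnel project): it verifies that port 995 answers with a certificate-validated TLS session and a POP3 greeting, and that port 110 no longer hands out a plaintext banner to outside clients. The host name mail.example.com and the loopback stand-in server are assumptions made for illustration.

```python
import socket
import ssl
import threading


def read_greeting(sock, timeout=5.0) -> str:
    """Read the single-line POP3 greeting (CRLF-terminated, starts +OK or -ERR)."""
    sock.settimeout(timeout)
    data = b""
    while not data.endswith(b"\r\n") and len(data) < 512:
        chunk = sock.recv(256)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", "replace").strip()


def plaintext_pop3_exposed(host: str, port: int = 110, timeout: float = 3.0) -> bool:
    """True if the host still serves a POP3 banner in clear text on this port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return read_greeting(s, timeout).startswith("+OK")
    except OSError:
        return False


def tls_pop3_ok(host: str, port: int = 995, timeout: float = 3.0) -> tuple:
    """Connect like an SSL-capable mail client would and return (ok, detail)."""
    ctx = ssl.create_default_context()  # validates the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                greeting = read_greeting(tls, timeout)
                return greeting.startswith("+OK"), f"{tls.version()}: {greeting}"
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, repr(exc)


def start_fake_plaintext_pop3() -> int:
    """Constructed stand-in for an unwrapped port-110 server, bound to a free
    loopback port so the plaintext check can be demonstrated offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"+OK POP3 server ready\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real deployment, run plaintext_pop3_exposed("mail.example.com") from outside the network (expected False once the firewall rule is in place) and tls_pop3_ok("mail.example.com") (expected True with the TLS version and greeting); start_fake_plaintext_pop3() exists only to exercise the first check locally.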
