Like any other service that flows over a network unencrypted, important email information, such as usernames, passwords, and entire messages, may be intercepted and viewed, all without the knowledge of the email server or client. When using standard POP and IMAP protocols, all authentication information is sent "in the clear," meaning that someone on a network between the client and the remote server can easily view it.
Thankfully, most Linux MUAs designed to check email on remote servers support SSL to encrypt messages as they are sent back and forth over the network. In order to use SSL when retrieving email, it must be enabled on the email client and server.
SSL is usually very easy to enable on the client side, often with the click of a button in the MUA's configuration area. Secure IMAP and POP have known port numbers (993 and 995, respectively) that the MUA will use to authenticate and download messages.
Popular MUAs included with Red Hat Linux, such as Mozilla Mail, Mutt, and Pine, offer SSL-encrypted email sessions.
Offering SSL encryption to IMAP and POP users on the email server is almost as easy. Red Hat Linux also includes the stunnel package, which is an SSL encryption wrapper that wraps around standard, non-secure network traffic for certain services and prevents interceptors from being able to "sniff" the communication between client and server. While stunnel can be used with more than email communication, it really shines when providing protection for normally insecure email protocols.
The stunnel program uses external SSL libraries, such as the OpenSSL libraries included with Red Hat Linux, to provide strong cryptography and protect your connections. You can apply to a Certificate Authority (CA) for an SSL certificate, or you can create a self-signed certificate simply to gain the benefit of SSL-encrypted communication. A self-signed certificate still encrypts the session, but clients cannot verify the server's identity with it unless they are configured to trust that specific certificate.
To create a self-signed SSL certificate, change to the /usr/share/ssl/certs directory, type the make stunnel.pem command, and answer the questions. Then, use stunnel to start the mail daemon that you wish to use.
For example, the following command could be used to start the IMAP server included with Red Hat Linux:
/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapd
You should now be able to open an IMAP email client and connect to your email server using SSL encryption. Of course, you will probably want to go a step further and configure your stunnel-wrapped IMAP server to automatically start up at the correct runlevels.
For more information about how to use stunnel, read the stunnel man page or refer to the documents in the /usr/share/doc/stunnel-<version-number> directory.
Alternatively, the imap package bundled with Red Hat Linux contains the ability to provide SSL encryption on its own without stunnel. For secure IMAP connections, create the SSL certificate by changing to the /usr/share/ssl/certs directory and running the make imapd.pem command. Then, set the imaps service to start at the proper runlevels and restart xinetd to enable the service.
You can also use the ipop3 package bundled with Red Hat Linux to provide SSL encryption on its own without stunnel.
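Once SSL is enabled, it is worth confirming that no MUA still logs in over plain IMAP or POP3. The following Python code is an added example, not part of the original guide: it classifies the first bytes a client sends as either a TLS handshake record or a cleartext login, and reports the username but never the password. The payloads, addresses, and function names are constructed for illustration; SSLv2-style hellos and IMAP AUTHENTICATE or literal-syntax logins are not handled.

```python
import re

# Constructed sample data: first bytes sent by three clients,
# keyed by (client address, server port). Not real captures.
SAMPLES = {
    ("192.0.2.5", 143): b'a001 LOGIN "alice" "s3cret"\r\n',
    ("192.0.2.6", 110): b"USER bob\r\nPASS hunter2\r\n",
    ("192.0.2.7", 993): bytes.fromhex("16030100c8010000c40303") + b"\x00" * 16,
}

# IMAP: "<tag> LOGIN <user> <password>"; only the user name is captured.
IMAP_LOGIN = re.compile(rb'^\S+ LOGIN "?([^"\s]+)"? ', re.I | re.M)
# POP3: "USER <name>" followed by a "PASS ..." line.
POP_USER = re.compile(rb"^USER (\S+)\r?$", re.I | re.M)
POP_PASS = re.compile(rb"^PASS \S+", re.I | re.M)


def is_tls_record(data):
    """True if data begins with an SSLv3/TLS handshake record header."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def classify(data):
    """Return (verdict, username) for the first client bytes of a session."""
    if is_tls_record(data):
        return ("encrypted", None)
    m = IMAP_LOGIN.search(data)
    if m:
        return ("cleartext-imap-login", m.group(1).decode("ascii", "replace"))
    m = POP_USER.search(data)
    if m and POP_PASS.search(data):
        return ("cleartext-pop3-login", m.group(1).decode("ascii", "replace"))
    return ("unknown", None)


def audit(samples):
    """List (client, port, verdict, username) for every cleartext login seen."""
    findings = []
    for (client, port), data in sorted(samples.items()):
        verdict, user = classify(data)
        if verdict.startswith("cleartext"):
            findings.append((client, port, verdict, user))
    return findings


if __name__ == "__main__":
    for client, port, verdict, user in audit(SAMPLES):
        print(f"{client} -> port {port}: {verdict} (user {user}); move this client to SSL")
```

Any client reported here should be reconfigured to use port 993 or 995 with SSL enabled.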