Securing the POP and IMAP Daemons in Linux



For mail servers that collect all incoming mail for an organization, a common means to deliver the mail to clients is for them to retrieve the mail using the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP). POP (also called POP3) is the older and less complicated of the two protocols, providing basic commands for authentication, retrieval and deletion of mail messages from the mail server. IMAP is more flexible and supports creating, deleting and renaming mail folders (mailboxes), searching, selective retrieval of message attributes and more.

Get the Latest Version of POP and IMAP Daemons

Unfortunately, many POP and IMAP daemon implementations have been plagued with vulnerabilities that lead to remote root compromises of mail servers on various platforms. There are several well-known exploit programs for cracking vulnerable Linux POP and IMAP daemons. It is generally considered good practice to always run the most current stable release of any daemon, and POP and IMAP daemons are no exception.

Most newer POP and IMAP daemons currently available offer support for secure retrieval of messages. This is most commonly done with TLS/SSL, which requires OpenSSL and the creation of a server certificate. Qpopper, for example, is a POP daemon that offers TLS/SSL.

Control Access to POP and IMAP with TCP Wrappers

POP and IMAP daemons are traditionally run from xinetd, so access control through TCP wrappers is easy to configure and adds an important element of security. Limit access to only those hosts that have a legitimate need for the service. For a central mail hub that holds mail for the entire mailserver.com domain and the 192.168.x.x network and delivers it to clients via POP3 or IMAP, add the following entries to /etc/hosts.allow:

ipop3d: .mailserver.com 192.168.
imapd: .mailserver.com 192.168.
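As an added example (not from the original article), here is a small Python model of how TCP wrappers evaluate such entries: hosts.allow is consulted first, then hosts.deny, and a client matching neither is let in, which is why the two lines above only act as a whitelist when /etc/hosts.deny also carries an `ALL: ALL` line. The reverse-DNS table and client addresses are constructed, and the model skips libwrap's forward/reverse lookup consistency check.

```python
"""Model of TCP wrappers (hosts.allow / hosts.deny) decisions for POP/IMAP.

Added example, not the real libwrap. Supports the pattern forms used on
this page: leading-dot domain suffix (.mailserver.com), trailing-dot
network prefix (192.168.), the ALL wildcard, and exact names/addresses.
"""

# Constructed stand-in for reverse DNS (assumption); no real lookups are done.
REVERSE_DNS = {
    "192.168.1.20": "pc20.mailserver.com",
    "10.9.8.7": "laptop.example.org",
}

def pattern_matches(pattern, ip, hostname):
    """One client-list pattern, per hosts_access(5) matching rules."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, needs a resolved name
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):            # network prefix on the dotted address
        return ip.startswith(pattern)
    return pattern in (ip, hostname)     # exact address or hostname

def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines; skip comments/blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [field.split() for field in line.split(":")]
        rules.append((fields[0], fields[1]))  # extra option fields are ignored
    return rules

def rules_match(rules, daemon, ip, hostname):
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(pattern_matches(p, ip, hostname) for p in clients)
        for daemons, clients in rules
    )

def access_allowed(daemon, ip, allow_text, deny_text):
    """hosts.allow wins, then hosts.deny, then the default: permit."""
    hostname = REVERSE_DNS.get(ip)
    if rules_match(parse_rules(allow_text), daemon, ip, hostname):
        return True
    if rules_match(parse_rules(deny_text), daemon, ip, hostname):
        return False
    return True  # nothing matched: TCP wrappers let the connection through

# The page's hosts.allow entries, plus the hosts.deny catch-all that turns them into a whitelist.
HOSTS_ALLOW = "ipop3d: .mailserver.com 192.168.\nimapd: .mailserver.com 192.168.\n"
HOSTS_DENY = "ALL: ALL\n"
```

Dropping the `ALL: ALL` line from HOSTS_DENY lets a host that matches neither entry connect, which is the configuration mistake the model is meant to make visible.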