UPDATE 17-Oct-2014: The POODLE attack has made SSLv3 vulnerable. The stunnel.conf configuration below is modified to disable SSLv3 too.
I am using hMailserver to handle the mail for my email domains. hMailserver has an option to secure the email traffic with SSL. Under the hood it is using OpenSSL for that.
There is a small problem with this configuration: weak encryption is enabled in hMailserver. It seems that the SSL configuration is hardcoded in hMailserver, so I needed a better method to establish and maintain SSL sessions to my mailserver.
An attacker is able to read emails when SSLv2 is used
To make a long story short, stunnel (http://www.stunnel.org) solves this problem. stunnel is an SSL wrapper also based on OpenSSL. It is very flexible and highly configurable. In this case we want to tunnel IMAP and SMTP traffic in an SSL tunnel.
There are only two steps to make hMailserver accessible only through strongly secured SSL connections.
1. Remove the SSL support in hMailserver
Go to your hMailserver console and remove all SSL protocols, leaving only IMAP (port 143) and SMTP (port 25):
2. Configure stunnel with the following stunnel.conf:

; Debugging stuff (may be useful for troubleshooting)
; 5=normal
; 7=debug
; See: http://www.stunnel.org/static/stunnel.html
debug = 5
output = m:\log\stunnel.log
; Initialize Microsoft CryptoAPI interface
engine = capi
; Certificate/key is needed in server mode and optional in client mode
cert = hmailserver.domain.com.pem
key = hmailserver.domain.com.pem
; Security configuration no.1...
; Disable support for the insecure SSLv2 protocol...
options = NO_SSLv2
; Also disable SSLv3 against the POODLE attack...
options = NO_SSLv3
; Security configuration no.2: allow only strong ciphers...
; Normally the next configuration is secure (enough):
; ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
; However, if you are really paranoid, allow only the strongest:
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA
; Security configuration no.3...
; These options provide additional security at some performance degradation
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
[imap]
client = no
accept = 993
connect = 143
[smtp]
client = no
accept = 465
connect = 25
Test the config file with the stunnel GUI (stunnel start menu: "stunnel GUI start"). This lets you check the log file on screen for errors. When this works fine, install the stunnel service (stunnel start menu: "stunnel Service Install"). Start the stunnel service and check the connectivity.
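Before starting the GUI test, it is worth auditing the file itself. The following Python script is an added example, not part of the original post and not stunnel's own tooling: it parses an stunnel.conf the way stunnel reads it (`;` comments, repeated `options` keys, service sections inheriting the global settings) and reports any service that still lacks NO_SSLv2/NO_SSLv3 or permits a weak cipher spec. The two sample configs are constructed for the demonstration.

```python
import re

# Cipher-spec tokens that should never appear un-negated in a hardened list.
WEAK_CIPHER_TOKENS = ("LOW", "EXP", "MD5", "ADH", "NULL", "RC4", "DES")

def parse_stunnel_conf(text):
    """{section: {key: [values]}}; globals under ''. Repeated keys (options) become lists."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections

def audit_stunnel_conf(text):
    """Return findings per service section (empty list = hardened).
    Service sections inherit global keys unless they set their own."""
    conf, findings = parse_stunnel_conf(text), []
    for svc in (s for s in conf if s):
        eff = {**conf[""], **conf[svc]}
        opts = set(eff.get("options", []))
        for proto in ("NO_SSLv2", "NO_SSLv3"):
            if proto not in opts:
                findings.append(f"[{svc}] missing options = {proto}")
        if "ciphers" not in eff:
            findings.append(f"[{svc}] no ciphers line, OpenSSL default list applies")
        else:
            for tok in eff["ciphers"][-1].split(":"):
                if not tok.startswith("!") and any(w in tok for w in WEAK_CIPHER_TOKENS):
                    findings.append(f"[{svc}] weak cipher spec '{tok}' allowed")
    return findings

# Constructed samples: a bare wrapper, and the settings from this post's config.
WEAK_CONF = "cert = hmailserver.domain.com.pem\n[imap]\naccept = 993\nconnect = 143\n"
HARDENED_CONF = """options = NO_SSLv2
options = NO_SSLv3
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
[imap]
accept = 993
connect = 143
"""
```

The cipher check is a substring heuristic over the spec string; OpenSSL decides the real negotiated suite, so still confirm the handshake in the stunnel log as described above.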
When everything works hMailserver is only accessible through strong encryption protocols:
stunnel's strong encryption prevents attackers from reading your email