Posted by: jasonk2600 | January 5, 2010

Secure IMAP Server on Debian GNU/Linux

Synopsis

This howto describes the basic steps necessary to configure a Debian GNU/Linux system to provide IMAP email access over SSL/TLS (imaps, TCP port 993) for a single domain.  The Dovecot IMAP server will be used to provide email services.  As the process varies by vendor, the exact steps necessary to obtain a certificate from a certificate authority will not be covered in this post.  However, details on creating a self-signed certificate for use on a non-production server will be covered.

Installation

Install the Dovecot IMAP server using the aptitude software package management utility.

# aptitude install dovecot-common dovecot-imapd

Configuration

Option 1 – Production IMAP Server

For a production IMAP server, copy your private key and the certificate issued for it to the Debian GNU/Linux system.  The file names below are the ones the rest of this howto refers to.  The root:dovecot ownership and mode 440 match what the Debian package sets on the self-signed pair it generates at install time; Dovecot opens the key and certificate as root before dropping privileges, so root-only access (mode 400) also works.  Note that on Debian /etc/ssl/private itself is owned by root:ssl-cert with mode 710, so a non-root process that is not in the ssl-cert group cannot traverse the directory at all.

# cp YourPrivateKey.pem /etc/ssl/private/dovecot.key
# cp YourCertificate.pem /etc/ssl/certs/dovecot.crt
# cd /etc/ssl/private
# chown root:dovecot dovecot.key
# chmod 440 dovecot.key
# cd /etc/ssl/certs
# chown root:dovecot dovecot.crt
# chmod 440 dovecot.crt


Option 2 – Non-Production Test IMAP Server

For a non-production test IMAP server, create a new private key and self-signed certificate with OpenSSL, then copy them to the Debian GNU/Linux system and set the same ownership and mode as above.  Use at least a 2048-bit key; 1024-bit RSA is no longer considered adequate.  The "challenge password" prompted for below is an attribute of the certificate request, not a passphrase on the key, and can be left blank; a key produced by openssl genrsa without -aes256 or -des3 has no passphrase at all.

# openssl genrsa -out dovecot.key 2048
Generating RSA private key, 2048 bit long modulus
...........++++++
..........++++++
e is 65537 (0x10001)

# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:YourState
Locality Name (eg, city) []:YourCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourCompany
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, YOUR name) []:hostname.yourdomain.com
Email Address []:admin@yourdomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:

# openssl x509 -req -days 365 -in dovecot.csr \
> -signkey dovecot.key -out dovecot.crt
Signature ok
subject=/C=US/ST=YourState/L=YourCity/O=YourCompany 
/OU=MIS/CN=hostname.yourdomain.com/emailAddress=admin@yourdomain.com
Getting Private key

# cp dovecot.key /etc/ssl/private/
# cp dovecot.crt /etc/ssl/certs/
# cd /etc/ssl/private
# chown root:dovecot dovecot.key
# chmod 440 dovecot.key
# cd /etc/ssl/certs
# chown root:dovecot dovecot.crt
# chmod 440 dovecot.crt


Modify the Dovecot IMAP server configuration file /etc/dovecot/dovecot.conf to reflect the following settings.  This is the Dovecot 1.x syntax shipped with Debian at the time of writing; Dovecot 2.x renamed most of the ssl_* settings.  The private key created above was written without a passphrase, so ssl_key_password is not needed; set it only if you protected your production key with one.  The "challenge password" entered during the certificate request is not a key passphrase and is not the value that would go here.  With protocols = imaps, Dovecot listens only on the SSL-wrapped port 993, so the whole session, password exchange included, is encrypted.

protocols = imaps
syslog_facility = mail
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.crt
ssl_key_file = /etc/ssl/private/dovecot.key
# Only needed if dovecot.key is passphrase-protected; the key created above is not.
#ssl_key_password = secret
ssl_verify_client_cert = no
# Reject SSLv2, export-grade and unauthenticated (anonymous) suites as well as LOW.
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
# Already the default; stated explicitly so that adding "imap" to protocols
# later cannot expose passwords on the unencrypted port.
disable_plaintext_auth = yes
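For readers on a current Debian release, the same policy in Dovecot 2.3 syntax (for example in /etc/dovecot/local.conf, which Debian's dovecot.conf includes), as an added example that is not part of the original post; the certificate and key paths are the ones used above. ssl = required refuses any login that is not protected by TLS, and disabling the imap listener keeps the server imaps-only, matching the 1.x configuration:

```conf
protocols = imap
disable_plaintext_auth = yes
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.crt
ssl_key = </etc/ssl/private/dovecot.key
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

If you do need STARTTLS on port 143 (see the comments below about ISP filtering), leave the imap listener enabled; ssl = required still rejects logins until the client has issued STARTTLS, which is stronger than disable_plaintext_auth alone.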


Restart the Dovecot IMAP server for the new settings to take effect.

# /etc/init.d/dovecot restart


Testing

To test the newly configured secure IMAP server, attempt to connect to it using SSL.  This can be done locally on the IMAP server using the mutt CLI email client.  Log in with an existing username and password.  NOTE: If you are using a self-signed certificate, mutt will display a warning because the certificate does not chain to a trusted CA.  Compare the fingerprint mutt shows with that of the certificate you installed, and only then select "Always Accept Certificate"; accepting blindly would also accept an attacker's certificate.

# mutt -f imaps://username@localhost/
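A client login proves the server answers, but not what it offers before a password is sent. The script below, an added example that is not part of the original post, checks the CAPABILITY response the way a client sees it: on the plain port the server must advertise STARTTLS and LOGINDISABLED and must not offer plaintext SASL mechanisms, while after the TLS handshake plaintext mechanisms are fine. The verdict function works on a captured response, so it can be exercised offline; probe_plain and probe_tls fetch a live one. The host imap.example.com is an assumption, and probe_plain relies on bash's /dev/tcp.

```shell
#!/bin/bash
# Added example (not from the original post). Assumptions: host
# imap.example.com, bash for /dev/tcp, OpenSSL on the PATH.

# imap_caps_verdict MODE   (server CAPABILITY response on stdin)
# Prints "ok" or "weak: <reason>".
#   plain : unencrypted port 143. Requires STARTTLS and LOGINDISABLED, and no
#           AUTH=PLAIN / AUTH=LOGIN before encryption. This is what
#           disable_plaintext_auth = yes buys you; note it protects the
#           password only, not the rest of the session.
#   tls   : after the handshake (port 993, or 143 after STARTTLS). Plaintext
#           mechanisms are acceptable here; LOGINDISABLED would be a misconfig.
imap_caps_verdict() {
    local mode=$1 caps
    caps=$(grep -i '^\* CAPABILITY' | head -n 1 | tr -d '\r' | tr '[:lower:]' '[:upper:]')
    [ -n "$caps" ] || { echo "weak: no CAPABILITY response"; return 0; }
    case "$mode" in
    plain)
        case " $caps " in *" STARTTLS "*) ;; *) echo "weak: no STARTTLS"; return 0 ;; esac
        case " $caps " in *" LOGINDISABLED "*) ;; *) echo "weak: LOGIN allowed before TLS"; return 0 ;; esac
        case " $caps " in *" AUTH=PLAIN "*|*" AUTH=LOGIN "*) echo "weak: plaintext SASL before TLS"; return 0 ;; esac
        echo ok ;;
    tls)
        case " $caps " in *" LOGINDISABLED "*) echo "weak: logins disabled even over TLS"; return 0 ;; esac
        echo ok ;;
    *)  echo "usage: imap_caps_verdict plain|tls" >&2; return 1 ;;
    esac
}

# probe_plain HOST [PORT]: raw TCP, exactly as a client on port 143 sees it.
# Dovecot closes the connection after LOGOUT, which ends the cat.
probe_plain() {
    local host=$1 port=${2:-143}
    exec 3<>"/dev/tcp/$host/$port" || return 1
    printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' >&3
    cat <&3
    exec 3>&- 3<&-
}

# probe_tls HOST [PORT]: SSL-wrapped port 993. Certificate verification
# problems (a self-signed certificate, for instance) are reported on stderr.
probe_tls() {
    local host=$1 port=${2:-993}
    printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' |
        openssl s_client -quiet -connect "$host:$port" -servername "$host"
}

# Usage (assumed host):
#   probe_plain imap.example.com | imap_caps_verdict plain
#   probe_tls   imap.example.com | imap_caps_verdict tls
```

With the configuration above (protocols = imaps only) probe_plain will simply fail to connect, which is the intended result; the plain check matters once port 143 is opened for STARTTLS clients.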



Responses

  1. Hi JasonK! :-)

    A few comments to make this howto better again:
    – you don’t need to explicitly install “dovecot-common” since it’s a required dependency for “dovecot-imapd” already
    – you should put the “dovecot” user in the “ssl-cert” group, using “adduser dovecot ssl-cert”, to allow it to enter the “/etc/ssl/private” directory, else there is no point in allowing the “dovecot” group to access some file in it since only “root” and the “ssl-cert” group can enter this directory (but since it works I guess “dovecot” is using “root” access for now)
    – sometimes you may have to use TLS instead of SSL, e.g. for Internet provider filtering reasons; you can still do it with strong security by:
    – allowing the “imap” protocols additionally to the “imaps” one
    – ensuring the “disable_plaintext_auth” option is set to “yes” (it is by default, but it doesn’t harm to put it explicitly)

    Cheers, J.C.

    • Thanks for all the input Jean!

      For conversation’s sake…

      In the default installation of the Dovecot IMAP server, Debian creates a self-signed certificate during installation and has the owner set to root:dovecot. I continued using that owner with a custom certificate in an effort to avoid any compatibility issues in the future.

      I wasn’t concerned with ISP port filtering at the time I wrote this; I was assuming that my audience was using a “business” oriented Internet connection and ISP.

      Thanks for the tips about TLS and disabling the plaintext authorization mechanism, I’ll update the post!

  2. Oh, I forgot something about TLS in dovecot: disabling the plaintext will only ensure the security of the password, but will not enforce TLS (the client may use another non-plain authentication mechanism) => the communication may still travel in clear text. That may be important in some cases…
