This howto will describe the basic steps necessary to configure a Debian GNU/Linux system to provide IMAP email access with SSL encryption for a single domain. The Dovecot IMAP server will be used to provide email services. As the process varies by vendor, the exact steps necessary to obtain a certificate will not be covered in this post. However, details on creating a self-signed certificate for use on a non-production server will be covered.
Install the Dovecot IMAP server using the aptitude software package management utility.
# aptitude install dovecot-common dovecot-imapd
Option 1 – Production IMAP Server
For a production IMAP server, copy your key pair and certificate to the Debian GNU/Linux system. Ensure that Dovecot has read access to them.
# cp YourKeyPair.pem /etc/ssl/private/dovecot.key
# cp YourCertificate.pem /etc/ssl/certs/dovecot.crt
# cd /etc/ssl/private
# chown root:dovecot dovecot.key
# chmod 440 dovecot.key
# cd /etc/ssl/certs
# chown root:dovecot dovecot.crt
# chmod 440 dovecot.crt
Option 2 – Non-Production Test IMAP Server
For a non-production test IMAP server, create a new key pair and self-signed certificate with OpenSSL. Copy the key pair and certificate to the Debian GNU/Linux system. Ensure that Dovecot has read access to them.
# openssl genrsa -out dovecot.key 1024
Generating RSA private key, 1024 bit long modulus
...........++++++
..........++++++
e is 65537 (0x10001)
# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:YourState
Locality Name (eg, city) []:YourCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourCompany
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, YOUR name) []:hostname.yourdomain.com
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:
# openssl x509 -req -days 365 -in dovecot.csr \
> -signkey dovecot.key -out dovecot.crt
Signature ok
subject=/C=US/ST=YourState/L=YourCity/O=YourCompany/OU=MIS/CN=hostname.yourdomain.com/emailAddress=email@example.com
Getting Private key
# cp dovecot.key /etc/ssl/private/
# cp dovecot.crt /etc/ssl/certs/
# cd /etc/ssl/private
# chown root:dovecot dovecot.key
# chmod 440 dovecot.key
# cd /etc/ssl/certs
# chown root:dovecot dovecot.crt
# chmod 440 dovecot.crt
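The following shell script is an added example and not part of the original howto. It performs the non-production steps above non-interactively and adds the checks worth running before the files are handed to Dovecot: that the private key and certificate actually belong together, that the subject CN is the name clients will connect to, that the key mode is 440, and how long the certificate remains valid. It assumes openssl is installed and writes to a scratch directory (WORKDIR) instead of /etc/ssl so it runs without root; the hostname hostname.yourdomain.com and the group name dovecot are taken from the howto, while the 2048-bit key size, the -nodes (unencrypted key) choice and the helper function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original howto. Creates a self-signed test
# certificate for Dovecot non-interactively, applies the ownership and mode the
# howto uses, and verifies the result before it is handed to the server.
# Assumptions: openssl is installed; WORKDIR defaults to a scratch directory so
# no root privileges are needed; the group "dovecot" comes from the howto and
# the chown is skipped when not running as root or when the group is absent.
set -eu

# make_selfsigned_cert OUTDIR CN DAYS
# Writes OUTDIR/dovecot.key and OUTDIR/dovecot.crt in one step. A 2048-bit key
# is used instead of the howto's 1024-bit key, and -nodes leaves the key
# unencrypted, so no ssl_key_password is needed in dovecot.conf.
make_selfsigned_cert() {
    outdir=$1; cn=$2; days=$3
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/C=US/ST=YourState/L=YourCity/O=YourCompany/OU=MIS/CN=$cn" \
        -keyout "$outdir/dovecot.key" -out "$outdir/dovecot.crt" 2>/dev/null
}

# restrict_perms FILE GROUP: mode 440, owner root:GROUP when possible
restrict_perms() {
    chmod 440 "$1"
    if [ "$(id -u)" -eq 0 ] && getent group "$2" >/dev/null 2>&1; then
        chown "root:$2" "$1"
    fi
}

# file_mode FILE -> octal mode such as 440 (GNU stat, with a BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_matches_cert KEY CRT -> true when the certificate was issued for KEY;
# Dovecot rejects a mismatched pair, so check it here rather than in the log
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1")
    cmod=$(openssl x509 -noout -modulus -in "$2")
    [ "$kmod" = "$cmod" ]
}

# cert_cn CRT -> the subject CN, which must equal the name clients connect to
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_valid_for_seconds CRT SECONDS -> true when the certificate does not
# expire within SECONDS (handy in a cron job to warn before the 365 days end)
cert_valid_for_seconds() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

WORKDIR=${WORKDIR:-$(mktemp -d)}
make_selfsigned_cert "$WORKDIR" hostname.yourdomain.com 365
restrict_perms "$WORKDIR/dovecot.key" dovecot
restrict_perms "$WORKDIR/dovecot.crt" dovecot
key_matches_cert "$WORKDIR/dovecot.key" "$WORKDIR/dovecot.crt" && echo "key and certificate match"
echo "subject CN: $(cert_cn "$WORKDIR/dovecot.crt"), key mode: $(file_mode "$WORKDIR/dovecot.key")"
```

Run it as-is to get both files in the scratch directory, then copy them into /etc/ssl/private and /etc/ssl/certs as the howto does. Once Dovecot is running, `openssl s_client -connect localhost:993` shows the certificate the server actually presents, and the CN printed there should match the host name used in the mutt URL.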
Modify the Dovecot IMAP server configuration file /etc/dovecot/dovecot.conf to reflect the following settings. Ensure that you set the ssl_key_password attribute to match the password used with your key pair and certificate. Dovecot only consults ssl_key_password when the private key file itself is passphrase-protected; the key produced by the genrsa command above is stored unencrypted, so in that case the line can be left out.
protocols = imaps
syslog_facility = mail
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.crt
ssl_key_file = /etc/ssl/private/dovecot.key
ssl_key_password = password
ssl_verify_client_cert = no
ssl_cipher_list = ALL:!LOW
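Before restarting, it is worth confirming that the paths in dovecot.conf resolve and that the private key is not world-readable, since a bad path or an exposed key only shows up later in the mail log. The script below is an added example, not part of the howto: it reads the `key = value` lines of a Dovecot 1.x-style configuration, checks the SSL settings, and exercises the check on two constructed config files (one correct, one with SSL disabled and a missing key path) in a scratch directory. The function names and the sample configurations are my own.

```shell
#!/bin/sh
# Added example, not code from the original howto: sanity-check the SSL
# settings in a Dovecot 1.x-style dovecot.conf before restarting the server.
# Assumptions: the config uses "key = value" lines as shown in the howto; the
# two config files and the certificate/key stand-ins below are constructed in
# a scratch directory so the script runs without root.
set -eu

# conf_get FILE KEY -> value of KEY (last occurrence wins; comments ignored)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_ssl_conf FILE -> true when SSL is enabled, the certificate and key are
# readable, and the key is not world-readable; prints each problem found
check_ssl_conf() {
    conf=$1; status=0
    if [ "$(conf_get "$conf" ssl_disable)" != "no" ]; then
        echo "$conf: ssl_disable is not 'no'"; status=1
    fi
    cert=$(conf_get "$conf" ssl_cert_file)
    key=$(conf_get "$conf" ssl_key_file)
    [ -r "$cert" ] || { echo "$conf: certificate not readable: $cert"; status=1; }
    [ -r "$key" ] || { echo "$conf: key not readable: $key"; status=1; }
    if [ -f "$key" ]; then
        # last octal digit is the "others" permission; 4-7 means readable
        case $(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key") in
            *[4567]) echo "$conf: private key is world-readable: $key"; status=1 ;;
        esac
    fi
    return $status
}

WORKDIR=${WORKDIR:-$(mktemp -d)}
# constructed stand-ins for the real certificate and key
: > "$WORKDIR/dovecot.crt"; chmod 444 "$WORKDIR/dovecot.crt"
: > "$WORKDIR/dovecot.key"; chmod 440 "$WORKDIR/dovecot.key"

# constructed config matching the howto's settings
GOOD_CONF=$WORKDIR/good.conf
cat > "$GOOD_CONF" <<EOF
protocols = imaps
ssl_disable = no
ssl_cert_file = $WORKDIR/dovecot.crt
ssl_key_file = $WORKDIR/dovecot.key
EOF

# constructed broken config: SSL off and a key path that does not exist
BAD_CONF=$WORKDIR/bad.conf
cat > "$BAD_CONF" <<EOF
protocols = imaps
ssl_disable = yes
ssl_cert_file = $WORKDIR/dovecot.crt
ssl_key_file = $WORKDIR/missing.key
EOF

check_ssl_conf "$GOOD_CONF" && echo "$GOOD_CONF: ok"
check_ssl_conf "$BAD_CONF" || echo "$BAD_CONF: fix before restarting Dovecot"
```

Point check_ssl_conf at /etc/dovecot/dovecot.conf on the real server; `dovecot -n` prints the configuration Dovecot has actually parsed, which is a useful cross-check when a setting appears more than once.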
Restart the Dovecot IMAP server for the new settings to take effect.
# /etc/init.d/dovecot restart
To test the newly configured secure IMAP server, attempt to connect to it using SSL. This can be done locally on the IMAP server with the mutt command-line email client. Log in with an existing username and password. NOTE: If you are using a self-signed certificate, mutt will display a warning message; simply select "Always Accept Certificate".
# mutt -f imaps://username@localhost/