Configure POP/IMAP to use SSL/TLS for secure communication

Install dovecot, start it and enable it at boot, then open the IMAPS (993) and POP3S (995) ports in the firewall. Both services run over TCP only, so the UDP rules below are not needed:
[root@rhel58-clone1 ~]# yum -y install dovecot
[root@rhel58-clone1 ~]# service dovecot start
[root@rhel58-clone1 ~]# chkconfig dovecot on

[root@rhel58-clone1 ~]# iptables -I RHS333_CHAIN 1 -p tcp --dport 993 -j ACCEPT
[root@rhel58-clone1 ~]# iptables -I RHS333_CHAIN 1 -p udp --dport 993 -j ACCEPT
[root@rhel58-clone1 ~]# iptables -I RHS333_CHAIN 1 -p tcp --dport 995 -j ACCEPT
[root@rhel58-clone1 ~]# iptables -I RHS333_CHAIN 1 -p udp --dport 995 -j ACCEPT

DON'T FORGET to persist the rules: iptables-save on its own only prints the running rule set to stdout, so redirect its output to the rules file (on RHEL, `service iptables save` does this) or the rules are lost at the next reboot:
[root@rhel58-clone1 ~]# iptables-save

Set up SSL certificates

OPTION 1: Use the script provided by dovecot to generate a self-signed certificate. Note that the script generates a 1024-bit RSA key (see its output below); 2048 bits, as used in option 2, is the minimum to aim for today, and clients will warn about a self-signed certificate until they are told to trust it:
[root@rhel58-clone1 ~]# rpm -ql dovecot | grep mkcert.sh
[root@rhel58-clone1 ~]# cp /usr/share/doc/dovecot-1.0.7/examples/mkcert.sh .
[root@rhel58-clone1 ~]# vi mkcert.sh

OPENSSL=/usr/bin/openssl
SSLDIR=/etc/pki/dovecot
OPENSSLCONFIG=/etc/pki/tls/openssl.cnf

[root@rhel58-clone1 ~]# ./mkcert.sh
/etc/pki/dovecot/certs/dovecot.pem already exists, won't overwrite
[root@rhel58-clone1 ~]# rm -f /etc/pki/dovecot/certs/dovecot.pem
[root@rhel58-clone1 ~]# ./mkcert.sh
/etc/pki/dovecot/private/dovecot.pem already exists, won't overwrite
[root@rhel58-clone1 ~]# rm -f /etc/pki/dovecot/private/dovecot.pem
[root@rhel58-clone1 ~]# ./mkcert.sh
Generating a 1024 bit RSA private key
........................................................++++++
.....................................................................++++++
writing new private key to '/etc/pki/dovecot/private/dovecot.pem'
-----

subject= /OU=IMAP server/CN=imap.example.com/emailAddress=postmaster@example.com
SHA1 Fingerprint=45:0F:5E:5A:F1:5D:D5:4D:41:F0:9D:61:43:CA:14:A4:02:5D:1F:4A

OPTION 2: Generate our own CSR and have it signed by our own CA

Note: make sure that our CA has been properly set up first. Check here

Generate an RSA key for dovecot. A key used by a daemon must not be passphrase-protected (e.g. DES/3DES-encrypted), because dovecot has to read it unattended at startup; protect it with file permissions instead.
[root@rhel58-clone1 ~]# mkdir dovecot; cd dovecot
[root@rhel58-clone1 dovecot]# openssl genrsa -out dovecot.key 2048
Generate a certificate signing request (the commonName should match the hostname clients connect to, otherwise they will reject the certificate):
[root@rhel58-clone1 dovecot]# openssl req -new -key dovecot.key -out dovecot.csr
Sign it with our CA:
[root@rhel58-clone1 dovecot]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/CA.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Sep 14 12:48:54 2012 GMT
            Not After : Sep 14 12:48:54 2013 GMT
        Subject:
            countryName               = SG
            stateOrProvinceName       = Singapore
            organizationName          = EXAMPLE.COM
            commonName                = rhel58-clone1.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B9:62:6E:2E:F0:5D:F9:9C:91:49:C8:BC:A8:0B:3A:C6:F1:70:09:B3
            X509v3 Authority Key Identifier:
                keyid:7E:F5:F4:F1:A5:8A:D5:DD:2C:01:93:FD:78:CA:8C:C0:37:8D:85:63

Certificate is to be certified until Sep 14 12:48:54 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Examine /etc/dovecot.conf to find where dovecot expects the certificate and key (the defaults are shown below), then point it at the new files:
defaults:
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
edit to:
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.crt
ssl_key_file = /etc/pki/dovecot/private/dovecot.key
Move the files into place (the private key must remain readable by root only):
[root@rhel58-clone1 dovecot]# mv dovecot.key /etc/pki/dovecot/private/
[root@rhel58-clone1 dovecot]# mv dovecot.crt /etc/pki/dovecot/certs/

Enable only the TLS-protected protocols (imaps/pop3s) and restart dovecot. Leaving plain imap and pop3 out of the protocols line keeps credentials from being sent over the wire in clear text:
[root@rhel58-clone1 ~]# vi /etc/dovecot.conf

protocols = imaps pop3s

[root@rhel58-clone1 ~]# service dovecot restart
Stopping Dovecot Imap:                                     [  OK  ]
Starting Dovecot Imap:                                     [  OK  ]


TESTING

imaps:
[root@rhel58-clone1 ~]# useradd test01
[root@rhel58-clone1 ~]# echo password | passwd --stdin test01
Changing password for user test01.
passwd: all authentication tokens updated successfully.

From another machine, configure mutt to use IMAPS. The password is stored in clear text in .muttrc, so keep that file readable by its owner only:
[root@rhel58-clone2 ~]# vi .muttrc
set imap_force_ssl=yes
set folder=imaps://test01@rhel58-clone1.example.com
set spoolfile=imaps://test01@rhel58-clone1.example.com/INBOX
set imap_pass=password

Run mutt from the remote machine. Because the certificate is self-signed, mutt prompts before accepting it; compare the fingerprint it shows with the server's before accepting. Note that the fingerprint mutt prints here is a 128-bit digest (apparently MD5), so it will not match the SHA1 fingerprint printed by mkcert.sh above:
This certificate belongs to:
   imap.example.com
   Unknown
   Unknown
   IMAP server
   Unknown

This certificate was issued by:
   imap.example.com
   Unknown
   Unknown
   IMAP server
   Unknown
This certificate is valid
   from Sep 14 11:17:02 2012 GMT
     to Sep 14 11:17:02 2013 GMT

Fingerprint: 04E8 4649 714C D6D2 4CDD BCC5 893B 14D0

pop3s:
[root@rhel58-clone2 ~]# vi .muttrc
set pop_host=pops://test01:password@rhel58-clone1.example.com

[root@rhel58-clone2 ~]# mutt
(press 'G' to fetch mail from the POP3S server)
