Hits : 12547


Dovecot with SSL 


This super duper mini how to, provides instructions of how you can add ssl support to your dovecot installation.
Before we continue with this, take a quick look to the below link, it'll help you to have a working basic dovecot installation in less than 5min.


Basic Dovecot


Just a quick note: In the very first time, dovecot provides the certificate to an unsecure network traffic. So its easy for someone who listens to your network traffic to find out your password. If you bypass this, then all the traffic from the client to dovecot is over ssl.


top


Certifications


Let's make the ssl keys for our dovecot. Personally i use the below command:


openssl req -new -x509 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem -days 1825 -newkey rsa:4096

Be very carefully with this. If you live in a country that dont appreciate freedom then perhaps you must use this command:


openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825

Common Name: This is very important – so give attention in these crucial times:
The common name must be the hostname (server name) of your mail server.
In my example (and only in my example) common name is localhost !


Country Name (2 letter code) [AU]:GR
State or Province Name (full name) [Some-State]:Athens
Locality Name (eg, city) []:Aigaleo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ebalaskas.Gr
Organizational Unit Name (eg, section) []:Mail Apps
Common Name (eg, YOUR name) []:localhost
Email Address []:ebalaskas@ebalaskas.gr

top


Configuration


The next step is to configure properly the dovecot.conf:


The values that you must change are these:


protocols = imaps
ssl = required
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
 
mail_location = maildir:/var/spool/mail/%u:INBOX=/var/spool/mail/%u/.INBOX # ebal

you should change the keys path to yours, mine is: /opt/certificates/


This is my dovecot -n output:


# 1.2.2: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.30-ARCH i686  ext4
ssl: required
ssl_cert_file: /opt/certificates/dovecot.crt
ssl_key_file: /opt/certificates/dovecot.key
login_dir: /usr/local/var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
first_valid_uid: 300
mail_location: maildir:/var/spool/mail/%u:INBOX=/var/spool/mail/.INBOX/%u:INDEX=/var/spool/mail/.INDEX/%u:CONTROL=/var/spool/mail/.CONTROL/%u
lda:
  postmaster_address: ebalaskas@ebalaskas.gr
auth default:
  passdb:
    driver: pam userdb:
    driver: passwd

top


Testing


To test your dovecot settings just type in your command prompt this:


dovecot -n

If everything turns ok (why not?) then you should be able to start the dovecot:


dovecot

To test that dovecot listen to imap over ssl you should run this:


openssl s_client -connect 127.0.0.1:993

or


openssl s_client -connect 127.0.0.1:993 -showcerts

There are two commands to test the login proccess:


1 login ebal test
2 LIST "" *


where ebal is the username and test the password of ebal user


If the openssl command successfully open an imap over ssl connection then in the end just type the above commands:


* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
1 login ebal test
1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH] Logged in 2 LIST "" *
* LIST (\Unmarked) "." "INBOX"
2 OK List completed.

top


Thunderbird


Now the only thing that's left is to proper configure thunderbird.

Reset Thunderbird Certifications


If for any reason you have to delete the file that keeps the certificates for thunderbird,
just type in the command prompt this command:


find ~/.thunderbird/ -type f -name 'cert8.db' -delete


top


Create a new account


From the file menu:


file:01_dovecotssl.jpg


file:02_dovecotssl.jpg


file:03_dovecotssl.jpg


file:04_dovecotssl.jpg


file:05_dovecotssl.jpg


file:06_dovecotssl.jpg


file:07_dovecotssl.jpg


top


Imap over SSL 


Select ssl connection ( TCP/IP port: 993)


file:08_dovecotssl.jpg


Restart thunderbird (just to be sure), and you can see a padlock on the account:


file:09_dovecotssl.jpg


top


Verification


You have to verify the certification that server provides.
Be very careful about this. Be extremely careful about this step.
The first time the network is unsecure, so everyone can listen to your password.


file:10_dovecotssl.jpg


file:11_dovecotssl.jpg


top


Certificate Authorities


There is a different and more secure way to verify the certification.
And this is the correct way too.


file:12_dovecotssl.jpg


file:13_dovecotssl.jpg


file:14_dovecotssl.jpg


file:15_dovecotssl.jpg


file:16_dovecotssl.jpg


file:17_dovecotssl.jpg


top


Test email


If you choose the second (and correct way) then you'll never see images 10 & 11


file:18_dovecotssl.jpg


top