Dovecot with SSL
This mini how-to explains how to add SSL/TLS support to an existing Dovecot installation.
Before continuing, take a quick look at the link below; it will help you get a basic Dovecot installation working in less than 5 minutes.
A quick note on the weak point of this setup: the certificate is self-signed, so the first time a client connects it has no way to tell your server's certificate from one substituted by someone sitting between you and the server. If you accept the certificate without checking its fingerprint, you may be handing your password to an attacker. Once the genuine certificate has been verified and stored by the client, all traffic between the client and Dovecot is protected by SSL/TLS.
Certificates
Let's create the SSL key and certificate for our Dovecot. Personally I use the command below:
openssl req -new -x509 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem -days 1825 -newkey rsa:4096
The -nodes option leaves the private key unencrypted, which is what Dovecot needs in order to read it unattended at start-up, so make sure the key file is readable by root only. Be very careful with the key size: if you live in a country that does not appreciate freedom and restricts the use of strong cryptography, you may have to drop the explicit key size and use this command instead:
openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825
Without -newkey the key size comes from your OpenSSL configuration; older releases default to 1024-bit RSA, which is no longer considered adequate, while current releases default to 2048 bits.
Common Name: this is very important, so pay attention in these crucial times:
The Common Name must be the hostname (server name) of your mail server, exactly the name your clients connect to, because that is what the client compares the certificate against. Modern clients look for the hostname in the subjectAltName extension first, and some no longer fall back to the Common Name at all, so include the hostname there as well if your OpenSSL version lets you add extensions from the command line.
In my example (and only in my example) the Common Name is localhost!
Country Name (2 letter code) [AU]:GR
State or Province Name (full name) [Some-State]:Athens
Locality Name (eg, city) []:Aigaleo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ebalaskas.Gr
Organizational Unit Name (eg, section) []:Mail Apps
Common Name (eg, YOUR name) []:localhost
Email Address []:ebalaskas@ebalaskas.gr
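As an added example (not part of the original how-to), here is a small POSIX shell script that produces the same key and certificate non-interactively, puts the hostname in both the Common Name and the subjectAltName extension, sets restrictive permissions on the key and prints the SHA-256 fingerprint that you will later compare against in the mail client. The output directory and hostname are hypothetical arguments; the file names dovecot.key and dovecot.crt follow the how-to, and the -addext option requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original how-to: non-interactive key and
# self-signed certificate generation for Dovecot. Assumed: the target
# directory and the mail hostname are passed as arguments; the files are
# named dovecot.key / dovecot.crt as in the how-to. Needs OpenSSL >= 1.1.1.

make_dovecot_cert() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    # -nodes: the key is written without a passphrase because Dovecot must
    # read it unattended at start-up; restrictive permissions compensate.
    # -subj avoids the interactive prompts, -addext adds the SAN that modern
    # clients match the hostname against. stderr (key generation progress)
    # is silenced; a failure shows up as missing output files.
    openssl req -new -x509 -nodes -newkey rsa:4096 -days 1825 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/dovecot.key" -out "$dir/dovecot.crt" 2>/dev/null
    chmod 600 "$dir/dovecot.key"   # private key: owner-readable only
    chmod 644 "$dir/dovecot.crt"   # the certificate itself is public
}

# Print the SHA-256 fingerprint of a certificate file as AA:BB:...:FF.
# This is the value to compare with what the mail client shows you.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeed (exit 0) if the certificate lists the hostname in subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# Print the certificate subject, to eyeball the Common Name.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'
}

# Usage: sh make-dovecot-cert.sh /opt/certificates mail.example.com
if [ $# -eq 2 ]; then
    make_dovecot_cert "$1" "$2"
    echo "subject:     $(cert_subject "$1/dovecot.crt")"
    echo "fingerprint: $(cert_fingerprint "$1/dovecot.crt")"
fi
```

Write the printed fingerprint down (or keep it in a place you trust); it is the only thing that lets you tell your own certificate from an impostor's when the client asks you to accept it.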
Configuration
The next step is to configure dovecot.conf properly.
The values you must change are these:
protocols = imaps
ssl = required
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
mail_location = maildir:/var/spool/mail/%u:INBOX=/var/spool/mail/%u/.INBOX # ebal
Change the certificate and key paths to yours; mine is /opt/certificates/. With ssl = required Dovecot refuses to authenticate anyone who has not first negotiated SSL/TLS, and with protocols = imaps it does not listen on the cleartext IMAP port 143 at all.
This is my dovecot -n output:
# 1.2.2: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.30-ARCH i686 ext4
ssl: required
ssl_cert_file: /opt/certificates/dovecot.crt
ssl_key_file: /opt/certificates/dovecot.key
login_dir: /usr/local/var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
first_valid_uid: 300
mail_location: maildir:/var/spool/mail/%u:INBOX=/var/spool/mail/.INBOX/%u:INDEX=/var/spool/mail/.INDEX/%u:CONTROL=/var/spool/mail/.CONTROL/%u
lda:
  postmaster_address: ebalaskas@ebalaskas.gr
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd
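The settings above use the Dovecot 1.x names. As an added example (not from the original how-to), here is the equivalent for Dovecot 2.x, where the certificate settings are called ssl_cert and ssl_key and take the file path prefixed with "<", and the cleartext listener is disabled in the imap-login service instead of through protocols = imaps. The paths are the ones used above and are assumed.

```conf
# Added example, not from the original how-to: Dovecot 2.x equivalent of
# the 1.x settings above. Paths are assumed; adjust them to yours.
protocols = imap
ssl = required
disable_plaintext_auth = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
# Dovecot 2.3 and newer; on 2.2 use: ssl_protocols = !SSLv2 !SSLv3
ssl_min_protocol = TLSv1.2

service imap-login {
  # port = 0 disables the cleartext 143 listener entirely, which is the
  # 2.x equivalent of "protocols = imaps" in 1.x
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

After editing, doveconf -n on 2.x plays the role that dovecot -n plays below: it prints the effective non-default settings and complains about anything it cannot parse.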
Testing
To check your Dovecot settings, type this at the command prompt:
dovecot -n
If everything looks OK (why not?) you should be able to start Dovecot:
dovecot
To check that Dovecot is listening for IMAP over SSL, run this (the second form also dumps the certificate Dovecot presents; note that an open connection alone does not prove you reached your own server):
openssl s_client -connect 127.0.0.1:993
or
openssl s_client -connect 127.0.0.1:993 -showcerts
There are two commands to test the login process:
1 login ebal test
2 LIST "" *
where ebal is the username and test is the password of the user ebal.
If the openssl command successfully opens an IMAP over SSL connection, type the two commands above at the end; the session looks like this:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
1 login ebal test
1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH] Logged in
2 LIST "" *
* LIST (\Unmarked) "." "INBOX"
2 OK List completed.
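The openssl s_client calls above show that a TLS server answers on port 993, but not that it is your server: without -CAfile, s_client accepts any certificate, and a connection that fails before the handshake even completes still ends its report with "Verify return code: 0 (ok)". The following POSIX shell helpers are an added example, not part of the original how-to: they connect with the server's own dovecot.crt as the trust anchor, make s_client abort if the certificate or hostname does not verify, and only treat the check as passed when both the verification succeeded and Dovecot's greeting arrived. Hostname, port, certificate path and credentials are hypothetical arguments, and the three sample transcripts are constructed to mimic s_client output.

```shell
#!/bin/sh
# Added example, not from the original how-to: verify that the TLS server on
# 993 really is our Dovecot before sending any credentials. Assumed: host,
# port, a trusted copy of dovecot.crt and the test account are arguments.

# Connect, verify the presented certificate against our trusted copy and the
# hostname, and print s_client's full report. -verify_return_error aborts the
# handshake on any verification failure; LOGOUT makes Dovecot close the
# connection so s_client returns on its own (-ign_eof keeps it waiting).
tls_probe() {
    host=$1 port=$2 cafile=$3
    printf 'a1 LOGOUT\n' |
        openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$cafile" -verify_hostname "$host" -verify_return_error \
            -crlf -ign_eof 2>&1
}

# Extract the numeric verify code (0 = ok) from an s_client report on stdin.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Translate the codes most likely to appear with a self-signed setup.
explain_verify_code() {
    case $1 in
        0)  echo "ok: certificate matches the trusted copy and the hostname" ;;
        18) echo "self-signed certificate not in -CAfile: pass your dovecot.crt or you are trusting blindly" ;;
        62) echo "hostname mismatch: Common Name / SAN differs from the host you connected to" ;;
        "") echo "no verification result: the handshake did not complete" ;;
        *)  echo "verification failed with code $1" ;;
    esac
}

# Succeed only when the certificate verified AND Dovecot greeted us. A
# failed connection also reports code 0, so the code alone proves nothing.
probe_ok() {
    out=$(cat)
    [ "$(printf '%s\n' "$out" | verify_code)" = "0" ] &&
        printf '%s\n' "$out" | grep -q '^\* OK .*Dovecot ready'
}

# Only after the certificate verifies is it safe to send a password. Note: a
# password on the command line is visible to other local users via ps.
imap_login_test() {
    host=$1 port=$2 cafile=$3 user=$4 pass=$5
    printf 'a1 LOGIN %s %s\na2 LIST "" *\na3 LOGOUT\n' "$user" "$pass" |
        openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$cafile" -verify_hostname "$host" -verify_return_error \
            -crlf -quiet 2>&1
}

# Constructed sample transcripts (not real captures) of the three outcomes.
SAMPLE_VERIFIED='CONNECTED(00000003)
depth=0 CN = mail.example.com
verify return:1
---
SSL handshake has read 1531 bytes and written 381 bytes
---
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
a1 LOGOUT
* BYE Logging out
a1 OK Logout completed.'
SAMPLE_SELF_SIGNED='CONNECTED(00000003)
depth=0 CN = mail.example.com
verify error:num=18:self signed certificate
---
    Verify return code: 18 (self signed certificate)
---'
SAMPLE_NOT_TLS='CONNECTED(00000003)
---
no peer certificate available
---
SSL handshake has read 5 bytes and written 290 bytes
---
    Verify return code: 0 (ok)
---'

# Usage: sh imap-tls-check.sh mail.example.com 993 /opt/certificates/dovecot.crt
if [ $# -eq 3 ]; then
    out=$(tls_probe "$1" "$2" "$3")
    code=$(printf '%s\n' "$out" | verify_code)
    echo "verify code: ${code:-none}  ($(explain_verify_code "$code"))"
    if printf '%s\n' "$out" | probe_ok; then echo "PASS"; else echo "FAIL"; fi
fi
```

Run imap_login_test only once tls_probe passes; because both functions use the same -CAfile and -verify_return_error options, a forged certificate makes the handshake fail before the LOGIN line is ever sent, which is exactly the protection the first-connection warning in this how-to is about.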
Thunderbird
Now the only thing left is to configure Thunderbird properly.
Reset Thunderbird Certificates
If for any reason you have to delete the file in which Thunderbird keeps the certificates it has imported, quit Thunderbird first and then type this at the command prompt (older versions store them in cert8.db, newer ones in cert9.db, so both are matched):
find ~/.thunderbird/ -type f \( -name 'cert8.db' -o -name 'cert9.db' \) -delete
Create a new account
From the file menu:
file:01_dovecotssl.jpg
file:02_dovecotssl.jpg
file:03_dovecotssl.jpg
file:04_dovecotssl.jpg
file:05_dovecotssl.jpg
file:06_dovecotssl.jpg
file:07_dovecotssl.jpg
Imap over SSL
Select the SSL connection (TCP/IP port: 993)
file:08_dovecotssl.jpg
Restart Thunderbird (just to be sure); you should now see a padlock on the account:
file:09_dovecotssl.jpg
Verification
You have to verify the certificate the server presents.
Be very careful about this. Be extremely careful about this step.
The first connection is the unsafe one: Thunderbird cannot yet tell your self-signed certificate from one an attacker on the network has substituted, so before you accept it compare the fingerprint shown in the dialog with the fingerprint of dovecot.crt computed on the server itself (openssl x509 -fingerprint). If they differ, do not accept the certificate and do not enter your password.
file:10_dovecotssl.jpg
file:11_dovecotssl.jpg
Certificate Authorities
There is a different and more secure way to verify the certificate, and it is also the correct way: copy dovecot.crt from the server to your workstation over a channel you already trust (scp, not the mail connection itself) and import it into Thunderbird's list of trusted Certificate Authorities. Thunderbird then validates the server's certificate against that trusted copy, so it never has to ask you to accept an unknown certificate.
file:12_dovecotssl.jpg
file:13_dovecotssl.jpg
file:14_dovecotssl.jpg
file:15_dovecotssl.jpg
file:16_dovecotssl.jpg
file:17_dovecotssl.jpg
Test email
If you chose the second (and correct) way, you will never see images 10 and 11.
file:18_dovecotssl.jpg