
Dovecot with SSL 


This super duper mini how-to provides instructions on how to add ssl[link1] support to your dovecot[link2] installation.
Before we continue, take a quick look at the link below; it will help you get a working basic dovecot installation in less than 5 minutes.

Basic Dovecot[link3]

Just a quick note: the very first time a client connects, it has never seen your self-signed certificate, so it cannot tell your dovecot from a man in the middle presenting a certificate of his own. If you accept that first certificate without checking its fingerprint, whoever sits on the path between you and the server can read your password. Once the client has stored a certificate you verified, all the traffic between the client and dovecot is over ssl, and the client will complain if the certificate ever changes.


Certificates


Let's make the ssl key and certificate for our dovecot. Personally I use the command below:

openssl req -new -x509 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem -days 1825 -newkey rsa:4096


Be very careful with this. If you live in a country that does not appreciate freedom (and restricts the use of strong cryptography), then perhaps you must use this command instead, which lets openssl pick its default key size:

openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825

That default comes from default_bits in openssl.cnf; on older OpenSSL releases it is only 1024 bits, which is too weak today, so use the first command with rsa:4096 whenever you can. Both commands use -nodes, so the private key is stored unencrypted. That is necessary, because dovecot must read the key unattended at startup, but it means the key file must be readable by root only (dovecot reads it as root before dropping privileges).


Common Name: this is very important, so pay attention:
The common name must be the hostname (server name) of your mail server, exactly as the clients will type it.
In my example (and only in my example) the common name is localhost !
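The two openssl commands above put the hostname only in the Common Name. Current mail clients, Thunderbird included, match the hostname against the certificate's subjectAltName and ignore the CN, so a certificate with only a CN is reported as not matching the server. The script below is an added example, not part of the original how-to: it generates the key and self-signed certificate with both CN and SAN set, puts them under the /opt/certificates/ directory used later in this page, locks the key down to root, and prints the SHA-256 fingerprint you will compare against in the mail client. The hostname mail.example.com is a placeholder, and the -addext flag needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: self-signed certificate for Dovecot with CN and subjectAltName.
# Assumptions: OpenSSL >= 1.1.1 (for -addext), certificate directory
# /opt/certificates (the path used in this how-to), placeholder hostname
# mail.example.com. Run as root so the key ends up owned by root.
set -eu

CERTDIR="${CERTDIR:-/opt/certificates}"

# make_cert HOST [DIR]: generate DIR/HOST.key and DIR/HOST.crt, valid five
# years like the commands in the text, with HOST in both CN and SAN.
make_cert() {
    host="$1"
    dir="${2:-$CERTDIR}"
    mkdir -p "$dir"
    umask 077          # new files are readable by the owner only
    openssl req -new -x509 -nodes -days 1825 -newkey rsa:4096 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt"
    chmod 600 "$dir/$host.key"   # dovecot reads the key as root before dropping privileges
    chmod 644 "$dir/$host.crt"   # the certificate is public; clients will import it
}

# cert_fingerprint FILE: SHA-256 fingerprint, in the AA:BB:... form that
# Thunderbird's certificate dialog shows.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_has_san FILE HOST: succeeds if the certificate carries DNS:HOST in
# its subjectAltName extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

if [ "${1:-}" = "run" ]; then
    host="${2:-mail.example.com}"
    make_cert "$host"
    echo "certificate: $CERTDIR/$host.crt"
    echo "key:         $CERTDIR/$host.key"
    # Write this fingerprint down; it is what you check on the client side.
    echo "SHA-256:     $(cert_fingerprint "$CERTDIR/$host.crt")"
fi
```

Run it as `sh make-cert.sh run mail.example.com` (or with `CERTDIR=/etc/ssl/private` to match the first openssl command on this page). Keep the printed fingerprint somewhere you can reach without going over the network, such as a note or the server console, because that is the value you compare against when a client sees the certificate for the first time.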



Configuration


The next step is to configure dovecot.conf properly.

The values you must change are the ssl ones: the setting that turns ssl on, and the two that point dovecot at the certificate and the private key you just made.

You should change the key path to yours; mine is: /opt/certificates/

Once you have edited the file, dovecot -n prints the configuration dovecot actually parsed, so you can check that the ssl settings show your paths.
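The ssl settings themselves, as an added example (not the page's own configuration), written as a small shell function so you can emit them into your config and then check what dovecot does with them. It assumes the Dovecot 2.x syntax (1.x used ssl_disable, ssl_cert_file and ssl_key_file instead), the certificate and key under /opt/certificates/ as in the text, named dovecot.crt and dovecot.key as in the second openssl command, and Dovecot 2.3 or newer for ssl_min_protocol.

```shell
#!/bin/sh
# Added example: Dovecot 2.x SSL settings for this how-to.
# Assumptions: certificates under /opt/certificates (the path used in the
# text), named dovecot.crt / dovecot.key; Dovecot >= 2.3 for ssl_min_protocol.
set -eu

# dovecot_ssl_conf DIR: print the settings to put in dovecot.conf
# (or conf.d/10-ssl.conf on a split configuration).
dovecot_ssl_conf() {
    dir="${1:-/opt/certificates}"
    cat <<EOF
# SSL/TLS settings for Dovecot 2.x
# 'required' refuses IMAP/POP3 logins that are not protected by TLS
ssl = required
# the leading '<' tells dovecot to read the value from the file
ssl_cert = <$dir/dovecot.crt
# the key is read as root before privileges are dropped, so keep it mode 600, owner root
ssl_key = <$dir/dovecot.key
# Dovecot 2.3 and newer: refuse SSLv3, TLS 1.0 and TLS 1.1
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
# already the default, stated on purpose: no LOGIN/PLAIN on an unencrypted connection
disable_plaintext_auth = yes
EOF
}

# check_ssl_setup DIR: refuse a key that other users can read, then show the
# ssl settings as dovecot parsed them (doveconf is the 2.x tool; on 1.x use
# 'dovecot -n').
check_ssl_setup() {
    dir="${1:-/opt/certificates}"
    perms=$(stat -c '%a %U' "$dir/dovecot.key")
    if [ "$perms" != "600 root" ]; then
        echo "dovecot.key must be mode 600, owner root (is: $perms)" >&2
        return 1
    fi
    doveconf -n | grep -E '^(ssl|disable_plaintext_auth)'
}

if [ "${1:-}" = "run" ]; then
    # e.g.  sh dovecot-ssl.sh run /opt/certificates > /etc/dovecot/conf.d/10-ssl.conf
    # (remove any ssl lines already present so the settings are not defined twice)
    dovecot_ssl_conf "${2:-/opt/certificates}"
fi
```

After writing the settings, run `check_ssl_setup /opt/certificates` (or `doveconf -n | grep ssl` by hand): the paths it prints are the ones dovecot will use, and a key with permissions looser than 600 means every local user could take the server's identity.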


Testing


To test your dovecot settings, type this at your command prompt:

dovecot -n


If everything checks out, start dovecot:

dovecot


To check that dovecot listens for imap over ssl, run this:

openssl s_client -connect 127.0.0.1:993


or, to also print every certificate the server sends:

openssl s_client -connect 127.0.0.1:993 -showcerts


Note that s_client completes the handshake even when it cannot verify the certificate; it only reports the result on the "Verify return code" line (with a self-signed certificate that line says "self signed certificate", which is expected here). So before you type anything into this connection, compare the certificate it printed with your own file (openssl x509 -noout -fingerprint -sha256 on both); otherwise you are about to send a password to whoever answered on port 993.


If the openssl command opens the imap over ssl connection successfully, you get the server greeting, which starts with "* OK". Two commands then test the login process; type them at the prompt:

1 login ebal test
2 LIST "" *


where ebal is the username and test is the password of the ebal user. The leading 1 and 2 are the IMAP tags: the server answers each command with the same tag followed by OK or NO, so a correct login shows "1 OK" and the LIST output follows.

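Because openssl s_client never refuses a connection on its own, typing the LOGIN command into it means the password goes to whoever presented a certificate on port 993. The script below is an added example, not from the original page; it does the same test in the safe order: fetch the certificate the server presents, compare its SHA-256 fingerprint with the one you recorded on the server, and only if they match send LOGIN and LIST. The host, the pinned fingerprint and the ebal/test credentials are placeholders.

```shell
#!/bin/sh
# Added example: test IMAP over SSL on port 993 without handing the password
# to an unverified server. Needs openssl s_client; host, pinned fingerprint
# and credentials below are placeholders.
set -eu

# server_fingerprint HOST PORT: SHA-256 fingerprint of the certificate that
# HOST:PORT presents (empty string if nothing answered).
server_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# fingerprint_matches EXPECTED ACTUAL: succeeds if both are the same, ignoring
# the case of the hex digits (different tools print them differently). An
# empty fingerprint never matches.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# imap_session HOST PORT USER PASS: run LOGIN, LIST and LOGOUT over TLS and
# print the dialogue. -quiet drops the certificate dump and stops s_client
# from treating input lines starting with Q or R as its own commands; -crlf
# turns our LF line ends into the CRLF that IMAP requires.
imap_session() {
    printf 'a1 LOGIN %s %s\na2 LIST "" *\na3 LOGOUT\n' "$3" "$4" \
        | openssl s_client -quiet -crlf -connect "$1:$2" -servername "$1" 2>/dev/null \
        || true
}

# login_ok DIALOGUE: succeeds if the server answered the LOGIN (tag a1) with OK.
login_ok() {
    printf '%s\n' "$1" | grep -q '^a1 OK'
}

# test_imap_ssl HOST PORT PINNED_FP USER PASS: the whole check, in the right order.
test_imap_ssl() {
    actual=$(server_fingerprint "$1" "$2")
    if ! fingerprint_matches "$3" "$actual"; then
        echo "certificate mismatch: expected $3, got '$actual'; NOT sending credentials" >&2
        return 1
    fi
    dialogue=$(imap_session "$1" "$2" "$4" "$5")
    printf '%s\n' "$dialogue"
    login_ok "$dialogue"
}

if [ "${1:-}" = "run" ]; then
    # Get the pinned value on the server itself, not over the network:
    #   openssl x509 -in /opt/certificates/dovecot.crt -noout -fingerprint -sha256
    # 'AA:BB:CC:...' below is a placeholder for that value.
    test_imap_ssl 127.0.0.1 993 'AA:BB:CC:...' ebal test
fi
```

A mismatch exits before any credential leaves the machine, which is the behaviour the plain s_client session lacks. If you prefer to let openssl do the verification, the equivalent is `openssl s_client -connect 127.0.0.1:993 -CAfile /opt/certificates/dovecot.crt -verify_return_error`, which trusts exactly your own certificate file and aborts the handshake on anything else.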


Thunderbird


Now the only thing left is to configure thunderbird properly.

Reset Thunderbird Certificates


If for any reason you have to delete the file in which thunderbird keeps its certificates and stored exceptions, close thunderbird first and type this at the command prompt (older profiles use cert8.db, newer ones cert9.db):

find ~/.thunderbird/ -type f \( -name 'cert8.db' -o -name 'cert9.db' \) -delete


Keep in mind that this throws away every exception you have stored, for this mail server too, so the next connection is again a first connection and the verification below has to be done again.



Create a new account


From the file menu:

file:01_dovecotssl.jpg

file:02_dovecotssl.jpg

file:03_dovecotssl.jpg

file:04_dovecotssl.jpg

file:05_dovecotssl.jpg

file:06_dovecotssl.jpg

file:07_dovecotssl.jpg


Imap over SSL 


Select the ssl connection (TCP/IP port 993):

file:08_dovecotssl.jpg

Restart thunderbird (just to be sure), and you can see a padlock on the account:

file:09_dovecotssl.jpg


Verification


You have to verify the certificate that the server presents.
Be very careful about this; be extremely careful about this step.
The first time, thunderbird has nothing to compare the certificate against, so anyone sitting between you and the server could present a certificate of his own and collect your password. Before you accept it, compare the fingerprint thunderbird shows with the one you get on the server itself (openssl x509 -in dovecot.crt -noout -fingerprint -sha256, or -sha1 if that is what the dialog shows, run on the console or over ssh), and accept only if they are identical.

file:10_dovecotssl.jpg

file:11_dovecotssl.jpg


Certificate Authorities


There is a different and more secure way to verify the certificate, and it is the correct way too: copy the certificate file itself (dovecot.crt or dovecot.pem, never the key) from the server to the client over a channel you already trust, such as scp or a usb stick, and import it in thunderbird under the Authorities tab. Thunderbird then checks the server against that file on every connection and never has to ask you to accept anything.

file:12_dovecotssl.jpg

file:13_dovecotssl.jpg

file:14_dovecotssl.jpg

file:15_dovecotssl.jpg

file:16_dovecotssl.jpg

file:17_dovecotssl.jpg


Test email


If you chose the second (and correct) way, you will never see images 10 & 11; thunderbird trusts the certificate from the start:

file:18_dovecotssl.jpg




Links
[link1] http://www.openssl.org/

[link2] http://dovecot.org/

[link3] https://balaskas.gr/wiki/dovecot/DovecotLocalUsers