Dovecot with SSL
This super-duper mini how-to provides instructions on how to add
ssl[link1] support to your
dovecot[link2] installation.
Before we continue, take a quick look at the link below; it will help you get a working basic Dovecot installation in less than 5 minutes.
Basic Dovecot[link3]
Just a quick note: the first time a client connects, the server's self-signed certificate arrives over a connection that nobody has verified yet, so someone who can intercept your network traffic could present a certificate of their own and, if you accept it blindly, find out your password. Once you have verified the certificate (see the Verification and Certificate Authorities sections below), all the traffic from the client to Dovecot is protected by SSL.
Certificates
Let's make the SSL key and certificate for our Dovecot. Personally, I use the command below (-nodes leaves the private key unencrypted so Dovecot can read it without a passphrase, so keep /etc/ssl/private/dovecot.pem readable by root only):
openssl req -new -x509 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem -days 1825 -newkey rsa:4096
Be very careful with this. If you live in a country that does not appreciate freedom (that is, one that restricts the use of strong cryptography), then perhaps you must use this command instead, which omits -newkey rsa:4096 and takes OpenSSL's default key size:
openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825
Common Name: this is very important, so pay attention at this crucial point:
the common name must be the hostname (server name) of your mail server, exactly as your clients will address it. Modern clients also check the certificate's subjectAltName, so it should carry the same hostname.
In my example (and only in my example) the common name is
localhost !
Configuration
The next step is to configure dovecot.conf properly.
The values that you must change are the ssl settings, in particular the certificate and key paths.
You should change the key paths to yours; mine are under:
/opt/certificates/
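The two steps above (making the certificate and key, then pointing Dovecot at them) as an added example; this is not the page's own script and not part of Dovecot. It is a POSIX shell script and assumes OpenSSL is on the PATH; the hostname mail.example.test, the output directory and the conf.d fragment name 10-ssl.conf are illustrative. It goes beyond the page's single openssl command in two ways: the certificate also carries a subjectAltName, which modern clients check, and the Dovecot fragment uses ssl = required instead of merely enabling SSL:

```shell
#!/bin/sh
# Added example; not the page's own script and not part of Dovecot.
# Makes a self-signed certificate whose Common Name *and* subjectAltName carry
# the mail server's hostname, a private key readable by root alone, and a
# Dovecot 2.3 SSL fragment that refuses plaintext instead of merely offering
# TLS. Assumes OpenSSL on PATH; hostnames and paths are illustrative.
set -eu

# make_dovecot_cert HOSTNAME OUTDIR [DAYS] [BITS]
#   writes OUTDIR/dovecot.pem (certificate) and OUTDIR/dovecot.key (mode 0600)
make_dovecot_cert() {
    host=$1; out=$2; days=${3:-1825}; bits=${4:-4096}
    mkdir -p "$out"
    # A tiny OpenSSL config: prompt-free DN plus the server extensions.
    cat > "$out/dovecot.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_srv
prompt = no
[dn]
CN = $host
[v3_srv]
subjectAltName = DNS:$host
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
    # -nodes leaves the key unencrypted so the daemon can start unattended,
    # so the file itself is the secret: create it under umask 077.
    ( umask 077
      openssl req -new -x509 -nodes -days "$days" -newkey "rsa:$bits" \
          -config "$out/dovecot.cnf" \
          -keyout "$out/dovecot.key" -out "$out/dovecot.pem" 2>/dev/null )
    chmod 644 "$out/dovecot.pem"   # the certificate is public
}

# cert_fingerprint CERTFILE
#   prints the SHA-256 fingerprint; hand this to users out of band so the
#   first connection from a client can be checked against something.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_has_san CERTFILE HOSTNAME -> exit 0 iff DNS:HOSTNAME is in the SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# key_is_private KEYFILE -> exit 0 iff group and others have no permissions
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# write_dovecot_ssl_conf CONFDIR CERTFILE KEYFILE
#   writes CONFDIR/10-ssl.conf (Dovecot 2.3 setting names)
write_dovecot_ssl_conf() {
    cat > "$1/10-ssl.conf" <<EOF
# ssl = yes would only *offer* TLS; required refuses non-TLS sessions
ssl = required
# the leading '<' makes Dovecot read the file instead of using the path as PEM
ssl_cert = <$2
ssl_key = <$3
# never accept a password over a connection that is not TLS-protected
disable_plaintext_auth = yes
# no SSLv3 / TLS 1.0 / TLS 1.1
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
EOF
}

# Usage on the mail server (as root), for example:
#   make_dovecot_cert mail.example.test /opt/certificates
#   write_dovecot_ssl_conf /etc/dovecot/conf.d \
#       /opt/certificates/dovecot.pem /opt/certificates/dovecot.key
#   cert_fingerprint /opt/certificates/dovecot.pem
```

Run the functions as root on the mail server. cert_fingerprint prints the value to give to your users so that their first connection can be compared against something real, which is exactly the check the Verification section below asks for.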
This is my
dovecot -n output:
Testing
To test your dovecot settings, just type this at your command prompt:
If everything turns out ok (why not?), you should be able to start Dovecot:
To test that Dovecot listens for IMAP over SSL, run:
openssl s_client -connect 127.0.0.1:993
or
openssl s_client -connect 127.0.0.1:993 -showcerts
There are two commands to test the login process:
1 login ebal test
2 LIST "" *
where 1 and 2 are the IMAP command tags,
ebal is the username and
test is the password of user ebal.
If the openssl command successfully opens an IMAP-over-SSL connection, type the above commands at the end of its output; the server should answer each one with "<tag> OK" (a "NO" means the login was refused).
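The same test as the page's openssl s_client session, as an added example that is not from the original page: LOGIN and LIST are piped through s_client with the server certificate pinned (-CAfile plus -verify_return_error), so an impostor's certificate aborts the handshake before the password is ever sent, and imap_server_fingerprint is the command-line form of the Verification step in the Thunderbird sections below. The host, port, username ebal and password test follow the page's example; the tags a1..a3 and the file paths are assumptions.

```shell
#!/bin/sh
# Added example; not the page's own commands and not part of Dovecot.
# Tests IMAP over TLS with openssl s_client, but with the server certificate
# pinned: -CAfile points at a copy of dovecot.pem obtained out of band and
# -verify_return_error aborts the handshake if the presented certificate does
# not match. Host, port, user and password are illustrative.
set -eu

# imap_server_fingerprint HOST PORT
#   SHA-256 fingerprint of the certificate the live server presents; compare
#   it with the one computed on the server before trusting the connection.
imap_server_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# imap_responses_ok TRANSCRIPT
#   A tagged command succeeded only if the server answered "<tag> OK"; NO is
#   an authentication failure, BAD a protocol error, and a missing answer
#   (connection dropped or handshake aborted) counts as failure too.
imap_responses_ok() {
    printf '%s\n' "$1" | grep -q '^a1 OK' || return 1
    printf '%s\n' "$1" | grep -q '^a2 OK' || return 1
}

# imap_tls_login HOST PORT CAFILE USER PASS
#   Prints the IMAP transcript. Returns 2 if the TLS handshake failed
#   verification (nothing was sent), 1 if LOGIN or LIST was refused.
imap_tls_login() {
    host=$1; port=$2; cafile=$3; user=$4; pass=$5
    # a1..a3 are the client's command tags (the page uses 1 and 2).
    # The password travels on stdin, not the command line, so it does not
    # show up in the process list. -quiet implies -ign_eof, so s_client keeps
    # reading until the server closes the session after LOGOUT.
    transcript=$(printf 'a1 LOGIN "%s" "%s"\r\na2 LIST "" "*"\r\na3 LOGOUT\r\n' \
                     "$user" "$pass" \
        | openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$cafile" -verify_return_error -quiet 2>/dev/null) \
        || return 2
    printf '%s\n' "$transcript"
    imap_responses_ok "$transcript"
}

# Usage from a client that holds the out-of-band copy of the certificate:
#   imap_server_fingerprint mail.example.test 993
#   imap_tls_login mail.example.test 993 ./dovecot.pem ebal test
```

If imap_tls_login returns 2, do not retry with the certificate check removed: either the pinned copy is stale or something between you and the server is presenting a different certificate, and in both cases the fingerprint should be re-checked out of band first.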
Thunderbird
Now the only thing left is to configure Thunderbird properly.
Reset Thunderbird Certificates
If for any reason you have to delete the file that keeps Thunderbird's certificates (this also drops every other certificate exception and imported CA you had), just type this at the command prompt (newer Thunderbird versions keep the database in cert9.db instead of cert8.db, so adjust the name):
find ~/.thunderbird/ -type f -name 'cert8.db' -delete
Create a new account
From the file menu:
file:01_dovecotssl.jpg
file:02_dovecotssl.jpg
file:03_dovecotssl.jpg
file:04_dovecotssl.jpg
file:05_dovecotssl.jpg
file:06_dovecotssl.jpg
file:07_dovecotssl.jpg
IMAP over SSL
Select SSL connection (TCP/IP port: 993)
file:08_dovecotssl.jpg
Restart Thunderbird (just to be sure), and you will see a padlock on the account:
file:09_dovecotssl.jpg
Verification
You have to verify the certificate that the server provides.
Be very careful about this. Be extremely careful about this step.
On this first connection nothing vouches for the certificate yet, so compare its fingerprint with the one from the server before accepting it; if you accept an impostor's certificate, whoever sits on the network path can read your password.
file:10_dovecotssl.jpg
file:11_dovecotssl.jpg
Certificate Authorities
There is a different and more secure way to verify the certificate, and it is the correct way too: import the server's certificate under Thunderbird's Certificate Authorities.
file:12_dovecotssl.jpg
file:13_dovecotssl.jpg
file:14_dovecotssl.jpg
file:15_dovecotssl.jpg
file:16_dovecotssl.jpg
file:17_dovecotssl.jpg
Test email
If you chose the second (and correct) way, then you will never see images 10 & 11.
file:18_dovecotssl.jpg
[link2] http://dovecot.org/
[link3] https://balaskas.gr/wiki/dovecot/DovecotLocalUsers