Working draft: please don't follow it to the letter.
Dovecot with Client Certificates
The next step after building an installation using Dovecot with SSL is to authenticate clients to dovecot using client certificates. In the above howto we ensured that the communication between dovecot and the clients goes over SSL. This gives us a way to secure our network traffic. But we can't be sure about our clients: we trust them only through their username/password authentication. We can also use the ACL plugin to add another layer of security.

But there isn't a 100% secure system or communication. We mentioned that the first time dovecot sends the server certificate it goes over untrusted network traffic, meaning that someone who can listen to this traffic can easily take the dovecot server certificate and listen to the encrypted traffic after that.

There is also another way to verify our clients: x509 client certificates. This still doesn't mean that we have absolutely 100% secure and encrypted traffic, but it is very close. Mail clients can log in to dovecot only when they provide an x509 client certificate that has been signed by a trusted Certificate Authority. Dovecot can verify the client certificate and then provide the server certificate to ensure the encrypted communication.
url
http://stephen.cristol.googlepages.com/introx509
openssl
mkdir -pv /opt/certificates/dovecot
cd !$
openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -days 1825 -newkey rsa:4096
openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825 -newkey rsa:4096
rm dovecot.crt
openssl req -new -key dovecot.key -out dovecot.csr
openssl x509 -req -days 1825 -in dovecot.csr -out dovecot.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial
openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key -name "dovecot Certificate Client" -out dovecot.p12
touch index.txt
echo 01 > ./crlnumber
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl
cat ca.crt ca.crl > cafile
dovecot -n
NEW openssl
# Create the certificate folder
mkdir -pv /opt/certificates/dovecot
cd !$
# Create the CA (Certificate Authority) key and self-signed certificate
openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -days 1825 -newkey rsa:4096
# Create the dovecot key and certificate signing request
openssl req -new -nodes -keyout dovecot.key -out dovecot.csr -newkey rsa:4096
# Sign the request with the CA (sha256: SHA-1 certificate signatures are deprecated and rejected by modern TLS clients)
openssl x509 -req -days 1825 -in dovecot.csr -out dovecot.crt -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial
# Export the client certificate and key as PKCS#12 for the mail client
openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key -name "dovecot Certificate Client" -out dovecot.p12
# Generate the Certificate Revocation List
# openssl ca reads the database (index.txt) and crlnumber paths from the CA_default section of openssl.cnf,
# by default under ./demoCA; point them at this directory or pass -config with a matching file
touch index.txt
echo 01 > ./crlnumber
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl
# Dovecot expects the CA certificate and the CRL together in one file
cat ca.crt ca.crl > cafile
# cat ca.crt ca.srl > cafile   (not this: ca.srl is the serial counter written by -CAcreateserial, not a CRL)
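As an added example (not part of this page's procedure; all names and paths are constructed), the script below carries the CA, client certificate and CRL steps above through with its own small openssl.cnf so that `openssl ca` finds index.txt and crlnumber in the working directory, then checks one valid and one revoked client certificate against cafile with `openssl verify -crl_check`, which is the same chain-plus-CRL check dovecot makes against its CA file. It assumes only the openssl command-line tool and runs under plain sh.

```shell
# Added example, not from the page: throwaway CA, two client certs, one revoked,
# each checked against cafile (CA cert + CRL). Needs only the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Minimal config: keep index.txt/crlnumber here (the stock cnf uses ./demoCA)
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
touch index.txt
echo 01 > crlnumber
# CA key and self-signed CA certificate (constructed name)
openssl req -new -x509 -nodes -config ca.cnf -subj "/CN=Test Mail CA" \
  -newkey rsa:2048 -keyout ca.key -out ca.crt -days 1825 2>/dev/null
# Key, CSR and CA-signed certificate for one mail client (sha256, not sha1)
issue_client_cert() {
  openssl req -new -nodes -config ca.cnf -subj "/CN=$1" \
    -newkey rsa:2048 -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$1.csr" -out "$1.crt" \
    -CA ca.crt -CAkey ca.key -CAcreateserial 2>/dev/null
}
# Mark a client certificate revoked in the CA database (index.txt)
revoke_client_cert() {
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -revoke "$1" 2>/dev/null
}
# Regenerate CRL, rebuild cafile (CA cert + CRL), verify a client cert: 0 = chains to CA and unrevoked
verify_client_cert() {
  openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > cafile
  openssl verify -crl_check -CAfile cafile "$1" >/dev/null 2>&1
}
issue_client_cert alice
issue_client_cert bob
revoke_client_cert bob.crt
verify_client_cert alice.crt && echo "alice.crt accepted"
verify_client_cert bob.crt || echo "bob.crt rejected: revoked"
```

Because cafile is rebuilt on every check, the same function shows that a client is locked out as soon as its certificate is revoked and the CRL is regenerated.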