Working Draft-Plz dont follow by letter



Hits : 4174


Dovecot with Client Certificates


The next step after building an installation using Dovecot with SSL
is to authenticate clients to dovecot using clients certificates. In the above howto we have ensured that
the communication via dovecot and clients are over ssl. This provide us a way to secure our network
traffic. But we can be sure about our clients. We trust them only with their username/password authentication.


We can also use the ACL plugin to add another layer of security.


But there isnt a 100% secure system or communication. We have mentioned that in the first time dovecot sends
the server certificate via an untrusted network traffic. Meaning that if someone can listen to this traffic
can easily take the dovecot server certificate and listen to the encrypted traffic after that.


There is also another way to verify our clients using x509 clients certificates.
This yet doesnt mean that we have an absolute 100% secure and encrypted traffic, but it is very close.


Mail clients can login to dovecot only when they provide a x509 client certificate that has been singed by a Trusted Certificate Authority.
Dovecot can verify the client certificate and then provide the server certificate to ensure the encrypted communication.


top


url 


http://stephen.cristol.googlepages.com/introx509

openssl


mkdir -pv /opt/certificates/dovecot
cd !$
openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -days 1825 -newkey rsa:4096
openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825 -newkey rsa:4096
rm dovecot.crt
openssl req -new -key dovecot.key -out dovecot.csr
openssl x509 -req -days 1825 -in dovecot.csr -out dovecot.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial
openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key -name "dovecot Certificate Client" -out dovecot.p12
touch index.txt
echo 01 > ./crlnumber
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl
cat ca.crt ca.crl > cafile

dovecot -n

# 1.2.2: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.30-ARCH i686  ext4
info_log_path: /var/log/dovecot.log
protocols: imaps
ssl: required
ssl_ca_file: /opt/certificates/dovecot/cafile
ssl_cert_file: /opt/certificates/dovecot/ca.crt
ssl_key_file: /opt/certificates/dovecot/ca.key
ssl_verify_client_cert: yes verbose_ssl: yes login_dir: /usr/local/var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
first_valid_uid: 300
mail_location: maildir:/var/spool/mail/%u:INBOX=/var/spool/mail/.INBOX/%u:INDEX=/var/spool/mail/.INDEX/%u:CONTROL=/var/spool/mail/.CONTROL/%u
mail_debug: yes lda:
  postmaster_address: ebalaskas@ebalaskas.gr
auth default:
  verbose: yes debug: yes debug_passwords: yes ssl_require_client_cert: yes passdb:
    driver: passwd-file
    args: /usr/local/etc/dovecot.passdb
  userdb:
    driver: passwd-file
    args: /usr/local/etc/dovecot.passdb

NEW openssl


# Create the certificate folder
mkdir -pv /opt/certificates/dovecot
cd !$
# Create the CA (Certificate Authority) keys
openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -days 1825 -newkey rsa:4096
# Create the dovecot key
openssl req -new -nodes -keyout dovecot.key -out dovecot.csr -newkey rsa:4096
# Singed by CA
openssl x509 -req -days 1825 -in dovecot.csr -out dovecot.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial
# Export client certificate
openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key -name "dovecot Certificate Client" -out dovecot.p12
# Genereate Certificate Revocation List
touch index.txt
echo 01 > ./crlnumber
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl
cat ca.crt ca.crl > cafile
# cat ca.crt ca.srl > cafile