Dovecot SSL
In order to configure SSL for Dovecot, the following procedure is recommended:
[root@station ]# cd /etc/pki/
[root@station pki]# ls
CA  dovecot  nssdb  rpm-gpg  tls
[root@station pki]# find . -name Makefile
./tls/certs/Makefile
[root@station pki]# cd tls/certs/
[root@station certs]# ls
ca-bundle.crt  localhost.crt  make-dummy-cert  Makefile
[root@station certs]# make
This makefile allows you to create:
  o public/private key pairs
  o SSL certificate signing requests (CSRs)
  o self-signed SSL test certificates

To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".

To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".

To create a test certificate with serial number other than zero, add SERIAL=num

Examples:
  make server.key
  make server.csr
  make server.crt
  make stunnel.pem
  make genkey
  make certreq
  make testcert
  make server.crt SERIAL=1
  make stunnel.pem SERIAL=2
  make testcert SERIAL=3
Dovecot requires a PEM file that contains both the private key and the certificate. Once generated, copy it to the location named in the server configuration (the ssl_cert_file / ssl_key_file settings in /etc/dovecot.conf).
[root@station certs]# make dovecot.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes \
-x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > dovecot.pem ; \
echo "" >> dovecot.pem ; \
cat $PEM2 >> dovecot.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
.............++++++
..++++++
writing new private key to '/tmp/openssl.B21904'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Texas
Locality Name (eg, city) [Newbury]:San Antonio
Organization Name (eg, company) [My Company Ltd]:SSL example
Organizational Unit Name (eg, section) []:3rd shift
Common Name (eg, your name or your server's hostname) []:station.rhce.example.com
Email Address []:user@rhce.example.com
[root@station certs]# ls
ca-bundle.crt  dovecot.pem  localhost.crt  make-dummy-cert  Makefile

Mail tips: for checking email during the test, use mutt.
mutt -f imaps://user@serverhost
mutt -f imaps://localhost
On the first IMAPS connection mutt displays the server certificate for checking:
q:Exit ?:Help
This certificate belongs to:
station.rhce.example.com
Unknown
SSL example
3rd shift
San Antonio
This certificate was issued by:
station.rhce.example.com
Unknown
SSL example
3rd shift
San Antonio
This certificate is valid
from Aug 9 16:52:18 2008 GMT
to Aug 8 16:52:18 2009 GMT
Fingerprint: B247 62D4 197F 401B 61EA BC83 8733 8D9A
Plain-text telnet test against POP3 on port 110 (the SSL side was exercised with mutt above):
[root@station etc]# telnet 0 110
Trying 0.0.0.0...
Connected to 0 (0.0.0.0).
Escape character is '^]'.
+OK Dovecot ready.
user mike
+OK
pass redhat
+OK Logged in.
list
+OK 1 messages:
1 472
.
retr 472
-ERR There's no message 472.
retr 1
+OK 472 octets
Return-Path: <root@station.example.com>
X-Original-To: ru@station.example.com
Delivered-To: user@station.example.com
Received: by station.example.com (Postfix, from userid 0)
id CFB341988BE; Thu, 9 Aug 2007 13:09:10 -0500 (CDT)
To: ru@station.example.com
Subject: maildirdelivery
Message-Id: <20070809180910.CFB341988BE@station13.example.com>
Date: Thu, 9 Aug 2007 13:09:10 -0500 (CDT)
From: root@station.example.com (root)
maildir lab example
Additional notes (post lab)

Edits to /etc/dovecot.conf:

protocols = imap imaps pop3 pop3s

The PEM is copied into these locations:

##
## SSL settings
##

# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
#ssl_listen =

# Disable SSL/TLS support.
ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
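As an added example (not part of the original lab notes), a small POSIX shell script that does what "make dovecot.pem" does non-interactively and then checks the combined file before dovecot.conf is pointed at it: one key, one certificate, key and certificate matching, certificate not about to expire, and mode 600 so only root can read the key. It assumes openssl is on PATH; the function names, the -subj argument and the 2048-bit key size are choices made here, not taken from the page (the Makefile above used 1024 bits).

```shell
#!/bin/sh
# Added example: reproduce the RHEL certs Makefile recipe for dovecot.pem and
# verify the result. Assumes the openssl CLI is installed.
set -u

# make_dovecot_pem OUT SUBJECT
# Writes key, blank line, self-signed cert: the same layout, serial (0) and
# lifetime (365 days) as "make dovecot.pem". Subshell body keeps umask local.
make_dovecot_pem() (
    out=$1; subj=$2
    umask 077
    key=$(mktemp /tmp/openssl.XXXXXX) || return 1
    crt=$(mktemp /tmp/openssl.XXXXXX) || return 1
    # 2048-bit key is this example's choice; the page's Makefile used rsa:1024
    openssl req -utf8 -newkey rsa:2048 -keyout "$key" -nodes \
        -x509 -days 365 -out "$crt" -set_serial 0 -subj "$subj" 2>/dev/null || return 1
    { cat "$key"; echo ""; cat "$crt"; } > "$out"
    rm -f "$key" "$crt"
)

# check_dovecot_pem FILE
# Returns 0 only if FILE is usable as both ssl_cert_file and ssl_key_file.
check_dovecot_pem() {
    f=$1
    [ "$(grep -c 'BEGIN.*PRIVATE KEY' "$f")" -eq 1 ] || { echo "$f: expected exactly one private key"; return 1; }
    [ "$(grep -c 'BEGIN CERTIFICATE' "$f")" -eq 1 ] || { echo "$f: expected exactly one certificate"; return 1; }
    # openssl picks the first key and first cert in the file; compare their public keys
    kpub=$(openssl pkey -in "$f" -pubout 2>/dev/null | openssl sha256)
    cpub=$(openssl x509 -in "$f" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || { echo "$f: private key does not match certificate"; return 1; }
    # Dovecot would still start with an expired cert; clients would refuse it
    openssl x509 -in "$f" -noout -checkend 86400 >/dev/null || { echo "$f: certificate expires within a day"; return 1; }
    # Dovecot reads the file as root before dropping privileges: nobody else needs it
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ] || { echo "$f: mode $mode, expected 600"; return 1; }
    return 0
}
```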