In order to use mail servers securely, you need to encrypt all client/server communication (in particular, account passwords) via SSL. To use SSL for mail, you need SSL certificates for both your IMAP and SMTP servers.
- Setting-up SSL
- Generating a self-signed certificate
- Obtaining a third-party-signed certificate
- Importing the CA root certificate
Setting-up SSL
First, install the openssl package:

apt-get install openssl

Then, set up the SSL environment:

cd /etc/ssl
echo "01" > serial
touch index.txt
mkdir certs newcerts private   # if they don't already exist
chmod 755 certs newcerts
chmod 700 private
Generating a self-signed certificate
The easiest thing to do is to be your own certificate authority and sign your own server certificates. The downside is that mail clients will usually display a dialog box warning the user that the certificate was signed by an unknown certificate authority. It gets annoying to have to click OK all the time. (However, you can import the certificate so you don't ever have to click OK.) To become your own certificate authority and get a self-signed server certificate:
- Generate your own root certificate:

cd /etc/ssl
openssl req -new -x509 -keyout private/cakey.key -out certs/cacert.crt
- Generate a server certificate request:
openssl req -nodes -new -x509 -keyout private/server.key -out server.csr
Answer the questions that follow. For Common Name, enter your domain name.
- Finally, sign the certificate request and get a certificate:

openssl x509 -x509toreq -in server.csr -signkey private/server.key -out tmp.pem
openssl ca -policy policy_anything -out certs/server.crt -infiles tmp.pem
rm tmp.pem
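Before copying the new certificate into place it is worth confirming that it really chains to your own CA and that the private key on disk belongs to it. This is an added check, not part of the original page; it assumes the file names used in the steps above (certs/cacert.crt, certs/server.crt, private/server.key) and only needs the openssl command line tool.

```shell
#!/bin/sh
# Check that a server certificate was issued by the expected CA and that the
# private key on disk belongs to that certificate.
# Usage: sh check-cert.sh certs/cacert.crt certs/server.crt private/server.key

# verify_chain CA_CERT SERVER_CERT: succeed if SERVER_CERT chains to CA_CERT.
# Note that openssl verify also consults the system-wide trusted CAs, so a
# certificate from a public CA would pass too; the key check below is what
# ties the certificate to the key you are about to copy around.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert SERVER_CERT SERVER_KEY: succeed if the public key embedded
# in the certificate is identical to the public half of the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# check_server_cert CA_CERT SERVER_CERT SERVER_KEY: run both checks, print a
# one-line result for each, and return non-zero if either fails.
check_server_cert() {
    status=0
    if verify_chain "$1" "$2"; then
        echo "ok:   $2 is signed by $1"
    else
        echo "FAIL: $2 does not chain to $1"; status=1
    fi
    if key_matches_cert "$2" "$3"; then
        echo "ok:   $3 is the private key for $2"
    else
        echo "FAIL: $3 is not the private key for $2"; status=1
    fi
    return $status
}

# Run the checks when invoked with the three paths as arguments.
if [ $# -eq 3 ]; then
    check_server_cert "$1" "$2" "$3"
fi
```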
The certificates and private keys used by Dovecot and Sendmail have to be copies of server.crt and server.key rather than hard or symbolic links, because each copy needs a different group and different permissions. The permissions, users, and groups of the relevant files in the /etc/ssl directory should be:
drwxr-xr-x root root     certs/
-rw-r--r-- root root       cacert.crt
-rw-r----- root dovecot    dovecot.crt
-rw------- root root       sendmail.crt
-rw-r--r-- root root     index.txt
drwx------ root root     private/
-rw------- root root       cakey.key
-rw-r----- root dovecot    dovecot.key
-rw------- root root       sendmail.key
-rw-r--r-- root root     serial
Obtaining a third-party-signed certificate
You can get a certificate from one of the widely known certificate authorities such as Thawte or Verisign, and mail clients will accept it without warning, but such a certificate costs hundreds of dollars. Alternatively, you can get a certificate for free from CAcert.

Currently, the CAcert root certificate isn't shipped with most client software. This means that using a certificate signed by CAcert is no better than using a self-signed certificate, in that client software will still issue a warning and you'll still have to click OK (unless you import the certificate). However, CAcert is working towards getting their root certificate shipped with most client software. Once that's done, using them will be better than using self-signed certificates.

To use the CAcert root certificate and get a server certificate signed by CAcert:
- Join CAcert.org.
- Get CAcert's root certificate from here and save it in /etc/ssl/certs/cacert.crt.
- Generate a server certificate request:
openssl req -nodes -new -keyout private/server.key -out server.csr
- Answer the questions that follow. For Common Name, enter your domain name.
- Copy the contents of the server.csr file and paste it into the certificate request form on the CAcert web site.
- Once you get the signed certificate back, save the contents to a file.
The certificates and private keys used by Dovecot and Sendmail have to be copies of the signed certificate and server.key rather than hard or symbolic links, because each copy needs a different group and different permissions. The permissions, users, and groups of the relevant files in the /etc/ssl directory should be:
drwxr-xr-x root root     certs/
-rw-r--r-- root root       cacert.crt
-rw-r----- root dovecot    dovecot.crt
-rw------- root root       sendmail.crt
drwx------ root root     private/
-rw-r----- root dovecot    dovecot.key
-rw------- root root       sendmail.key
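The file tables above (this one and the one in the self-signed section) are easy to get wrong by hand, and a world-readable private key silently undoes the point of using SSL at all. The following added script, which is not from the original page, compares the actual mode, owner and group of each listed file with the expected values; it assumes the self-signed layout under /etc/ssl, so in a CAcert-signed setup the cakey.key, index.txt and serial rows do not apply and are reported as missing.

```shell
#!/bin/sh
# Audit ownership and permissions of the mail SSL files against the table on
# this page. Values are taken from `ls -ld` so it runs on any POSIX system.
# Usage: sh ssl-perms.sh [/etc/ssl]

# check_file PATH MODE OWNER GROUP: return 0 if the file's mode string
# (e.g. -rw-r-----), owner and group all match, 1 otherwise.
check_file() {
    path=$1; want_mode=$2; want_owner=$3; want_group=$4
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    # ls -ld prints: mode links owner group size date name
    set -- $(ls -ld "$path")
    have_mode=${1%[+.@]}   # drop a trailing ACL/SELinux/xattr marker
    have_owner=$3; have_group=$4
    if [ "$have_mode" = "$want_mode" ] && [ "$have_owner" = "$want_owner" ] \
        && [ "$have_group" = "$want_group" ]; then
        echo "ok      $path ($have_mode $have_owner:$have_group)"
        return 0
    fi
    echo "WRONG   $path has $have_mode $have_owner:$have_group," \
         "want $want_mode $want_owner:$want_group"
    return 1
}

# audit_ssl_dir DIR: check every entry of the table and return the number
# of problems found (0 means the layout matches).
audit_ssl_dir() {
    dir=${1:-/etc/ssl}; bad=0
    while read -r rel mode owner group; do
        check_file "$dir/$rel" "$mode" "$owner" "$group" || bad=$((bad + 1))
    done <<EOF
certs                drwxr-xr-x root root
certs/cacert.crt     -rw-r--r-- root root
certs/dovecot.crt    -rw-r----- root dovecot
certs/sendmail.crt   -rw------- root root
index.txt            -rw-r--r-- root root
private              drwx------ root root
private/cakey.key    -rw------- root root
private/dovecot.key  -rw-r----- root dovecot
private/sendmail.key -rw------- root root
serial               -rw-r--r-- root root
EOF
    return $bad
}

# Audit the directory given on the command line.
if [ $# -eq 1 ]; then
    audit_ssl_dir "$1"
fi
```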
Importing the CA root certificate
If you are using either a self-signed or CAcert-signed server certificate, then mail clients will usually display a dialog box warning the user that the certificate was signed by an unknown certificate authority. To get rid of the warning, you can import the certificate. In Mac OS X, certificates are stored centrally using keychains. To manipulate keychains, you use the Keychain Access application. Using the Mac OS X 10.4 (Tiger) version of Keychain Access:
- Launch Keychain Access.
- From the File menu, select Import....
- In the file selector, choose the CA root certificate file cacert.crt.
- From the Keychain pop-up menu, select X509Anchors.
- Select Open.
- From the main certificate list, select CA Cert Signing Authority. (This is the CA root certificate you just imported.)
- Scroll down to Trust Settings and click the little triangle.
- From the When using this certificate pop-up menu, select Always Trust.
- Close the window and quit Keychain Access.