Monday, August 28, 2006

Secure IMAP with Dovecot and SSL

In common with many other older protocols, IMAP traffic is sent in clear text, so anyone on the path can eavesdrop on the session or steal passwords. Like other modern IMAP servers, Dovecot provides methods of enhancing security: you can either use a secure authentication method such as CRAM-MD5 (which protects the password but not the mail itself) or encrypt the whole session using SSL. I've configured my Fedora Core 5 server to use SSL.

By default on FC5 Dovecot allows the following protocols:

imap imaps pop3 pop3s

To only allow imaps we must set:

protocols = imaps

in /etc/dovecot.conf

The server also comes with a dummy "localhost.localdomain" X.509 certificate in /etc/pki/dovecot, which should be replaced by your own self-signed certificate (or, even better, one signed by a CA). There is a script provided ( /usr/share/doc/dovecot-1.0/examples/mkcert.sh ) to automate the process, but first two files must be modified. Since mkcert.sh has not been written specifically for FC5, we must change the locations in the script so that they look like:

#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl}
#SSLDIR=${SSLDIR-/etc/ssl}
SSLDIR=${SSLDIR-/etc/pki/dovecot}
OPENSSLCONFIG=${OPENSSLCONFIG-/etc/pki/dovecot/dovecot-openssl.cnf}

CERTFILE=$SSLDIR/certs/dovecot.pem
KEYFILE=$SSLDIR/private/dovecot.pem


Of course, these values should match what is in /etc/dovecot.conf, but the above is good for a default install. Next, update the contents of /etc/pki/dovecot/dovecot-openssl.cnf to reflect the local country code, organisation and common name (something other than localhost.localdomain!). Now all that is required is to run "mkcert.sh" and then "service dovecot restart", after which any mail clients will need to be configured for SSL.
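As an added example (not part of the original post), here is a small POSIX shell audit for the first step above: it reads the effective "protocols" line from a dovecot.conf, ignoring comments and earlier overridden assignments, and reports any cleartext listener (imap or pop3) that is still enabled. The sample config files it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a dovecot.conf for cleartext listeners (added example, not from
# the original post). Only imaps and pop3s are treated as SSL-wrapped.

# Print the effective value of "protocols": the last uncommented
# assignment wins, and a trailing "# ..." comment is stripped.
dovecot_protocols() {
    sed -n 's/^[[:space:]]*protocols[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/#.*//' | tail -n 1
}

# Print every enabled protocol that is not SSL-wrapped, one per line.
dovecot_cleartext_protocols() {
    for p in $(dovecot_protocols "$1"); do
        case "$p" in
            imaps|pop3s) ;;          # SSL listeners are fine
            *) echo "$p" ;;          # imap, pop3 or anything unrecognised
        esac
    done
}

# Succeed (exit 0) only when no cleartext protocol is enabled.
dovecot_ssl_only() {
    [ -z "$(dovecot_cleartext_protocols "$1")" ]
}

# Constructed sample configs: the FC5 default and the hardened setting.
tmp=$(mktemp -d)
printf 'protocols = imap imaps pop3 pop3s\n' > "$tmp/default.conf"
printf '# protocols = imap imaps pop3 pop3s\nprotocols = imaps\n' > "$tmp/hardened.conf"

for f in "$tmp/default.conf" "$tmp/hardened.conf"; do
    if dovecot_ssl_only "$f"; then
        echo "$f: OK, only SSL listeners enabled"
    else
        echo "$f: WARNING, cleartext listeners: $(dovecot_cleartext_protocols "$f" | tr '\n' ' ')"
    fi
done
rm -rf "$tmp"
```

Run it against /etc/dovecot.conf after editing to confirm that only imaps (and, if wanted, pop3s) survive.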
