Creating SSL pem for Courier-IMAP

tay9000

tay9000

Hello everybody. I consider myself pretty decent with setting up FreeBSD but when it comes to SSL, I really don't get it. If somebody can point me to a good in-depth guide, that would be great. Particularly encompassing FreeBSD and OpenSSL.

Anyway, I am configuring a new mail server and I just need somebody to look at this command I am using to generate a self-signed certfile in .pem format for IMAP. Do I really just need to run this command and then stick the filepath at
Code: 
TLS_CERTFILE=
in the imapd-ssl conf file? (I used 9999 because I don't want to have to update the file due to reasons.)

[cmd=]sudo openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 9999[/cmd]

I looked up what all the parameters do in an effort to understand but I don't have any experience with SSL really. I did run Wireshark and the IMAP communication seems to be encrypted but I work under a sysadmin who has never set up PEM mail and insists I must create a .crt, .key, and .csr file even though there is no place to put those in imapd-ssl and everything I read seems to indicate you only need a single .pem file for IMAP SSL. :P

Any help is appreciated. Thank you!
Code: 
req: The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example. 
-new: Generates a new certificate request.
-x509: Outputs a self signed certificate instead of a certificate request.
-nodes: The private key is not encrypted.
-out imapd.pem: Specifies the output filename.
-keyout: the filename to write the newly created private key to
-days: When the -x509 option is being used this specifies the number of days to certify the certificate for.
Click to expand...
 
For Dovecot's IMAPS I only have two dovecot.pem files, one in /etc/ssl/certs and one in /etc/ssl/private. The first one is referenced (in Dovecot's configuration) as ssl_cert, the other one as ssl_key.

Dovecot uses this line in its certificate-generating script:

Code: 
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365

See also http://wiki2.dovecot.org/SSL/CertificateCreation

Adjust information to your circumstances.
 
In other words: your co-worker is thinking about certificates for a webserver. Same thing, different type of certificate use.
 
DutchDaemon said:
In other words: your co-worker is thinking about certificates for a webserver. Same thing, different type of certificate use.
Click to expand...
Yes, he wants me to use the exact same commands to generate the same files we use for Apache but it doesn't apply to IMAP or POP3. =P

As I understand, this command is the equivalent of generating an unencrypted cert key, generating and self-signing a csr, and then combining the resulting cert and key into a .pem file, right?

As long as the client gets the pem from my server, the communication is (theoretically) secure, right? The part I don't understand is what stops somebody else from connecting to my server and getting that pem and using the information inside of it to decrypt another users communications? Or is that totally not how it works? :stud

Thanks, at least I am sure I am on the right track now.
 
You're basically just enabling the SSL layer with this server-side certificate, nothing more than that. I'm pretty sure that certain parameters (like hashes) are added at run-time (the imaps/pop3s negotiation/connection stage) to make the subsequent SSL encryption sufficiently unique for that particular session. In other words, I don't think you can sniff or hijack other users's imaps/pop3s sessions with the certificate's information alone.
 
I have installed mail system using mail toaster by matt. In the setup I installed courier-imap. The problem is we can't get the use of encrypted password using port 993/ssl. Imap server simply says wrong password. This system uses vpopmail and courier authdaemon. If I use openssl s_client -connect mail.servername.tld:993 -ssl3 it connects and displays certificate et. al. which is a great improvement over earlier attempts where it failed on handshaking and no certificate displayed.

I just don't know what part is not working to allow the use of encrypted passwords.
 
You must log in or register to reply here.
Back
Top