Encrypt IMAP and POP with SSL

Posted by

Having your electronic mail to be had on an IMAP server is useful when you need
to access it from multiple areas. Unlike POP, IMAP retailers your whole e mail
and any folders you create on the server, so that you could entry your whole

One daemon that supports SSL out of the field is Dovecot (http://www.
Dovecot.Org). Dovecot involves help for both IMAP and POP3 and has
the added advantage that it was once designed and written with security in mindfrom the very opening. In pursuit of that goal, it makes use of first-rate-ofbreed secure coding practices as well as privilege separation andchroot( )-ing. Moreover, Dovecot is very flexible and supports a number of authentication approaches, as well as each mbox and MailDir mailbox formats.
To compile and set up Dovecot, download the compressed tar archive and
run the next commands:

$tar xfz dovecot-1.Zero.Beta5.Tar.Gz
$cd dovecot-1.0.Beta5
$./configure && make

this may construct Dovecot with facilities to help most mainly used
authentication mechanisms. If you wish to use LDAP or an SQL database
for authentication, you could construct a copy that helps these mechanisms as
good. Run./configure –helpto see the entire variety of options.
While you’ve compiled Dovecot, become root and runmake install.
Next, to create self-signed certificates, run the following command:

$openssl req -new -x509 -nodes -out /etc/ssl/certs/dovecot.Pem -keyout 
/and$openssl req -new -x509 -nodes -out /etc/ssl/certs/dovecot.Pem -keyout
/and so forth/ssl/private/dovecot.Pem -days 3650

$openssl req -new -x509 -nodes -out /etc/ssl/certs/dovecot.Pem -keyout
/and so forth/ssl/private/dovecot.Pem -days 3650 so forth/ssl/private/dovecot.Pem -days 3650

alternatively, that you may signal the certificates along with your ownCertificate Authority (CA)[Hack #69].
All that’s left to do nowis to create adovecot.Conffile. To do that, find the
dovecot-instance.Conffile, which will have to be located in/usr/neighborhood/etc(or at any place you told configure to put in it), and copy it to dovecot.Conf. Growing
your possess customized configuration is a rather easy system, for the reason that the illustration
configuration is replete with comments and displays the default values for
each and every configuration variable.

Of exact curiosity is theprotocolsvariable. By way of default this variable is set
to aid unencrypted IMAP and IMAP+SSL:
protocols = imap imaps
nonetheless, if you want to aid POP3 or POP3+SSL, which you can addpop3
and/orpop3sto the record of values. If you want to disable unencrypted IMAP,
eliminate theimapvalue.
For those who positioned your SSL certificates and key in a vicinity other than the one
stated within the prior illustration, you’ll ought to tell Dovecot where to
in finding them. To do that, regulate the ssl_cert_file and ssl_key_file variables. For illustration, to use/usr/regional/ssl/certs/myhostname.Crt and/usr/local/
ssl/personal/myhostname.Key, make the next changes:

ssl_cert_file = /usr/regional/ssl/certs/myhostname.Crt
ssl_key_file = /usr/nearby/ssl/exclusive/myhostname.Key

Nowthat you’ve done that, you’ll must create a user account known as
dovecotfor the imap-login process to run underneath. This permits theimap-login
procedure, which is liable for handling consumer connections earlier than they
had been authenticated, to operate with the least quantity of privileges
One thing more to be mindful of is that, if you are making use of mbox mailboxes,
you’ll ought to set themail_extra_groupsvariable to the team proprietor of your
mail spool directory. For example, if the workforce proprietor of/var/mail is mail,
use the next:

mail_extra_groups = mail

setting this allows for Dovecot to create locks when it is getting access to a user’s mail
spool file.
Nowthat you’ve finished configuring Dovecot, you can launch the daemon
by means of going for walks/usr/local/sbin/dovecot. You should then see log entries like these:

Jan 18 16:23:forty five freebsd5-vm1 dovecot: Dovecot v1.0.Beta5 starting up
 Jan 18 16:23:forty five freebsd5-vm1 dovecot: producing Diffie-Hellman parameters
for the primary time. This will likely take a whilst..
Jan 18 16:23:forty five freebsd5-vm1 dovecot: ssl-construct-param: SSL parameters
regeneration completed

That’s the ultimate assignment for the server end of matters. All you ought to do now is
configure your email customers to connect to the cozy variation of the carrier
that they were utilising. Ordinarily, there shall be a Use Encryption, Use SSL, or
some other in a similar way named checkbox within the incoming mail settings to your
consumer. Just determine the box and reconnect, and you must be utilising SSL. Be
sure your patron trusts your CA certificates, though, or you’re going to be nagged
with annoying (however principal!) believe warnings.

Leave a Reply

Your email address will not be published. Required fields are marked *