Bootstrap FreeKB - Dovecot (Email) - Encrypt POP3 IMAP traffic using a public/private key pair (IMAPS POP3S)


At a very high level, Postfix is the Mail Transfer Agent (MTA) that sends email to a user's inbox (Mail User Agent) via SMTP (port 25, 465 or 587), and Dovecot is the Mail Delivery Agent (MDA) that retrieves email from a user's inbox via POP3 (port 110 or 995) or IMAP (port 143 or 993).

 

Add the following to the /etc/dovecot/conf.d/10-ssl.conf file. Yes, the < character must be used here (weird, eh?): it tells Dovecot to read the value from the named file rather than using the path string itself as the value.

ssl = yes
ssl_cert = </etc/pki/tls/certs/mail.example.com.cer
ssl_key = </etc/pki/tls/private/mail.example.com.key

 

The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to start and enable dovecot.

systemctl restart dovecot
systemctl status dovecot

 

If your system is using init, use the chkconfig and service commands to start and enable dovecot.

service dovecot restart
service dovecot status

 

The doveconf command can be used to validate that the SSL settings are now in effect.

~]$ doveconf | grep -i ssl
auth_ssl_require_client_cert = no
auth_ssl_username_from_cert = no
imapc_ssl = no
imapc_ssl_verify = yes
pop3c_ssl = no
pop3c_ssl_verify = yes
    ssl = no
    ssl = no
    ssl = yes
    ssl = no
    ssl = yes
service ssl-params {
  executable = ssl-params
  unix_listener login/ssl-params {
  unix_listener ssl-params {
ssl = yes
ssl_alt_cert =
ssl_alt_key =
ssl_ca =
ssl_cert = </path/to/mail.example.com.cer
ssl_cert_username_field = commonName
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_client_ca_dir =
ssl_client_ca_file =
ssl_client_cert =
ssl_client_key =
ssl_crypto_device =
ssl_dh_parameters_length = 1024
ssl_key =  # hidden, use -P to show it
ssl_key_password =
ssl_options =
ssl_parameters_regenerate = 0
ssl_prefer_server_ciphers = no
ssl_protocols = !SSLv2 !SSLv3
ssl_require_crl = yes
ssl_verify_client_cert = no
verbose_ssl = no
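The configuration step above has two easy-to-miss details: ssl must be enabled, and both ssl_cert and ssl_key need the leading < so Dovecot reads the PEM files instead of treating the path text as the PEM data. The script below is an added example, not part of the FreeKB article or of Dovecot itself; it builds two constructed sample config files (one correct, one with the < missing and ssl_key commented out), parses them the way doveconf prints settings, and reports the problems. The function names are this example's own, the certificate paths are the article's placeholders, and the optional key_matches_cert helper assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not part of the FreeKB article: sanity-check the three
# Dovecot SSL directives before restarting the service. The two sample
# files below are constructed; the certificate paths are the article's
# placeholders and the function names are this example's own.

TMP="${TMPDIR:-/tmp}"
GOOD_CONF="$TMP/10-ssl-good.$$"
BAD_CONF="$TMP/10-ssl-bad.$$"
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# Constructed sample that mirrors the article's working 10-ssl.conf.
cat > "$GOOD_CONF" <<'EOF'
# constructed sample of /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/tls/certs/mail.example.com.cer
ssl_key = </etc/pki/tls/private/mail.example.com.key
EOF

# Constructed sample with two classic mistakes: the < is missing on
# ssl_cert, and ssl_key is commented out.
cat > "$BAD_CONF" <<'EOF'
ssl = yes
ssl_cert = /etc/pki/tls/certs/mail.example.com.cer
#ssl_key = </etc/pki/tls/private/mail.example.com.key
EOF

# dovecot_setting FILE KEY -> value of the last uncommented "KEY = value" line
# (empty when the key is absent). Commented lines never match because the
# key is anchored at the start of the line.
dovecot_setting() {
    sed -n -e "/^[[:space:]]*$2[[:space:]]*=/!d" \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//" \
           -e 's/[[:space:]]*$//' -e p "$1" | tail -n 1
}

# check_ssl_conf FILE -> prints one line per problem found; returns 0 only
# when ssl is enabled and both ssl_cert and ssl_key use the "<path" form.
check_ssl_conf() {
    conf="$1"; rc=0
    ssl=$(dovecot_setting "$conf" ssl)
    case "$ssl" in
        yes|required) ;;
        *) echo "ssl = '$ssl' (expected yes or required)"; rc=1 ;;
    esac
    for key in ssl_cert ssl_key; do
        val=$(dovecot_setting "$conf" "$key")
        case "$val" in
            "<"*) ;;   # Dovecot reads the PEM data from the named file
            "")   echo "$key is not set"; rc=1 ;;
            *)    echo "$key = '$val' lacks the leading <, so Dovecot would treat the path text itself as PEM data"; rc=1 ;;
        esac
    done
    return $rc
}

# key_matches_cert CERT KEY -> 0 when the certificate's public key equals the
# one derived from the private key (needs openssl; not used by the samples).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

check_ssl_conf "$GOOD_CONF" && echo "good sample: ok"
check_ssl_conf "$BAD_CONF" || echo "bad sample: rejected"
```

On a real server, run the check against the merged configuration rather than a single file, since a later file under conf.d can override 10-ssl.conf: `doveconf -n > /tmp/effective.conf; check_ssl_conf /tmp/effective.conf`. Pairing that with `key_matches_cert` on the two PEM files catches the other common cause of a failed restart, a certificate installed next to the wrong private key.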

 

 

On the Dovecot email server itself, use OpenSSL to test POP3S (the "s" stands for secured). The output should contain many lines referencing security parameters such as SSL, TLS, and the certificate; it should begin with "CONNECTED(00000003)" and end with "Verify return code: 18 (self signed certificate)" followed by "+OK Dovecot ready."

~]# openssl s_client -connect mail.example.com:pop3s
CONNECTED(00000003)    
. . .
Verify return code: 18 (self signed certificate)
---
+OK Dovecot ready.

 

Likewise, openssl can also be used to test the connection to IMAPS.

~]# openssl s_client -connect mail.example.com:imaps
CONNECTED(00000003) 
. . .
Verify return code: 18 (self signed certificate)
---
* OK Dovecot ready.
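The two openssl checks above are easier to put in a script if the transcript is interpreted mechanically: the "Verify return code" line says whether the certificate chain validated (0 means it chained to a CA in the local trust store; 18 is the self-signed case shown above, which a verifying mail client will refuse until the certificate is trusted), and the last line is the POP3 or IMAP greeting. The script below is an added example, not part of the FreeKB article or of Dovecot; it parses a constructed s_client transcript offline, and the probe function at the end is the only part that actually needs openssl and network access. Function names are this example's own and the host name is the article's placeholder.

```shell
#!/bin/sh
# Added example, not part of the FreeKB article: interpret an
# "openssl s_client" transcript for POP3S/IMAPS without touching the
# network. The transcript below is constructed to match the shape the
# article shows; the host name is the article's placeholder.

SAMPLE_OUT="${TMPDIR:-/tmp}/s_client-sample.$$"
trap 'rm -f "$SAMPLE_OUT"' EXIT
cat > "$SAMPLE_OUT" <<'EOF'
CONNECTED(00000003)
depth=0 CN = mail.example.com
verify error:num=18:self signed certificate
verify return:1
---
Verify return code: 18 (self signed certificate)
---
+OK Dovecot ready.
EOF

# verify_code FILE -> the numeric "Verify return code". 0 means the chain
# validated against the local trust store; 18 is a self-signed leaf; any
# other non-zero value is some other chain-validation failure.
verify_code() {
    sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' "$1" | tail -n 1
}

# greeting FILE -> the server banner: "+OK ..." for POP3, "* OK ..." for IMAP.
greeting() {
    grep -m 1 -E '^(\+OK|\* OK) ' "$1"
}

# classify FILE -> prints tls-ok / tls-untrusted / no-banner / handshake-failed
# and returns 0 / 1 / 2 / 3 respectively.
classify() {
    code=$(verify_code "$1")
    if ! grep -q '^CONNECTED' "$1" || [ -z "$code" ]; then
        echo handshake-failed; return 3
    fi
    if ! greeting "$1" >/dev/null; then
        echo no-banner; return 2
    fi
    if [ "$code" = 0 ]; then
        echo tls-ok; return 0
    fi
    echo tls-untrusted; return 1
}

# probe HOST PORT -> run the real check (needs openssl and the network).
# -servername sends SNI so a multi-name server picks the right certificate,
# and </dev/null makes s_client exit as soon as the banner arrives.
probe() {
    out="${TMPDIR:-/tmp}/s_client-$1-$2.$$"
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null >"$out" 2>&1
    printf '%s:%s -> %s (%s)\n' "$1" "$2" "$(classify "$out")" "$(greeting "$out")"
    rm -f "$out"
}

# Offline demonstration on the constructed transcript:
printf 'sample -> %s, banner: %s\n' "$(classify "$SAMPLE_OUT")" "$(greeting "$SAMPLE_OUT")"

# Usage on a real server:
#   probe mail.example.com pop3s
#   probe mail.example.com imaps
```

Once a CA-issued certificate replaces the self-signed one, the expected classification flips from tls-untrusted to tls-ok with no change to the script; that makes it a cheap check to keep in a cron job so a certificate that expires or is swapped for the wrong key shows up before users notice. The same functions work for the STARTTLS ports if the probe passes `-starttls pop3` or `-starttls imap` to s_client, since the transcript has the same shape.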

 



