This guide will show you how to enable TLS/SSL support in Dovecot (1.0 and 1.1), enabling you to encrypt all POP3 and IMAP communications.

This guide assumes you already have a working Dovecot installation.

Certificate Creation

This guide will not deal with certificate creation since that is already covered elsewhere. If you want an easy-to-use graphical program for managing self-signed certificates, you may wish to check out easyca.

You will need to save the certificate files (there should be two: a key file and a certificate file) onto the server. For example, you may choose to keep yours in a directory called /etc/ssl/mycerts.

Your certificate files should be owned by root and have permissions 0600 (i.e. they can only be read by root).

Package Setup

You first need to ensure that you have Dovecot compiled with SSL support. For this to happen, Dovecot needs to be compiled with the ssl USE flag.

Add the following to /etc/portage/package.use:

File: /etc/portage/package.use
net-mail/dovecot ssl

And recompile Dovecot with: emerge -av dovecot


The following configuration is found in /etc/dovecot/dovecot.conf.

In the first section of the file, you need to specify the protocols that you want enabled. You probably have one or both of "imap" or "pop3" already enabled. You need to add the secure version of the protocols you use to this list. For example, if you use both, this would be:

 protocols = imap pop3 imaps pop3s

The following settings are in the section marked SSL settings.

You now want to tell Dovecot where to find your certificate files. This example uses files stored in /etc/ssl/mycerts and the key and certificate files are respectively called and

 ssl_cert_file = /etc/ssl/mycerts/
 ssl_key_file = /etc/ssl/mycerts/

You also need to tell Dovecot the passphrase needed to decrypt the key file:

 ssl_key_password = <your key passphrase here>

To ensure that no other users can read your Dovecot configuration, where the key passphrase is stored, run: chmod 600 /etc/dovecot/dovecot.conf

Finally, restart Dovecot with: /etc/init.d/dovecot restart
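
The settings and file permissions this guide sets up can be checked with a short shell audit. This is an added example, not part of the original guide or of Dovecot; the function names (conf_get, check_private, audit_dovecot_tls) are hypothetical. It assumes GNU stat and top-level settings written one per line as "name = value".

```shell
#!/bin/sh
# Added example: audit the Dovecot 1.x TLS settings described in this guide.
# Assumes GNU stat (stat -c) and top-level "name = value" settings.

# Print the value of NAME from a dovecot.conf; commented-out lines are ignored.
conf_get() {  # conf_get FILE NAME
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed only if FILE is a regular file with mode 600 owned by uid OWNER.
check_private() {  # check_private FILE OWNER
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    # Append "mode uid" from stat as positional parameters $3 and $4.
    set -- "$1" "$2" $(stat -c '%a %u' "$1")
    [ "$3" = 600 ] || { echo "mode $3, want 600: $1"; return 1; }
    [ "$4" = "$2" ] || { echo "owner uid $4, want $2: $1"; return 1; }
}

# audit_dovecot_tls CONF [OWNER_UID]
# OWNER_UID defaults to 0 (root). The return status is the number of problems.
audit_dovecot_tls() {
    conf=$1 owner=${2:-0} bad=0
    protocols=$(conf_get "$conf" protocols)
    case " $protocols " in
        *" imaps "*|*" pop3s "*) ;;
        *) echo "no imaps/pop3s in protocols: $protocols"; bad=$((bad + 1)) ;;
    esac
    for key in ssl_cert_file ssl_key_file; do
        path=$(conf_get "$conf" "$key")
        if [ -z "$path" ]; then
            echo "$key is not set"; bad=$((bad + 1))
        else
            check_private "$path" "$owner" || bad=$((bad + 1))
        fi
    done
    # The passphrase lives in the config, so the config must be private too.
    if [ -n "$(conf_get "$conf" ssl_key_password)" ]; then
        check_private "$conf" "$owner" || bad=$((bad + 1))
    fi
    return "$bad"
}
```

Source the file as root and run audit_dovecot_tls /etc/dovecot/dovecot.conf; a non-zero status means at least one of the checks above failed, and each failure is printed.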

