Self-signed SSL certificates are the easiest way to get your SSL server working. However, unless you take some action to prevent it, this comes at the cost of security:
- The first time the client connects to the server, it sees the certificate and asks the user whether to trust it. The user of course doesn't really bother verifying the certificate's fingerprint, so a man-in-the-middle attack can easily bypass all the SSL security, steal the user's password and so on.
- If the client was lucky enough not to be attacked the first time it connected, the following connections will be secure as long as the client permanently saved the certificate. Some clients do this, while others have to be manually configured to accept the certificate.
The only way to be fully secure is to import the SSL certificate into the client's (or operating system's) list of trusted CA certificates prior to the first connection. See SSL/CertificateClientImporting for how to do it for different clients.
Building Dovecot's Self-Signed Certificates
Dovecot includes a script to build self-signed SSL certificates using OpenSSL. First you need to find the dovecot-openssl.cnf file.
- Configuring the Certificate Config File
The best way to do this on Fedora is via the locate command:
locate dovecot-openssl.cnf
Mine was located at /etc/pki/dovecot/dovecot-openssl.cnf. Now that you have found the file, you need to add your server information to it, like this:
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
C=US
# State or Province Name (full name)
ST=MN
# Locality Name (eg. city)
L=SaintPaul
# Organization (eg. company)
O=example.com
# Organizational Unit Name (eg. section)
OU=IMAP server
# Common Name (*.example.com is also possible)
CN=*.example.com
# E-mail contact
emailAddress=postmaster@example.com

[ cert_type ]
nsCertType = server
- Build the Certificates
/usr/libexec/dovecot/mkcert.sh
- Modifying Dovecot
You will need to add the following to your /etc/dovecot.conf file:
ssl_listen = 993
ssl_disable = no
ssl_cert_file = /etc/postfix/smtpd.pem
ssl_key_file = /etc/postfix/smtpd.pem
auth_cache_size = 128
Then restart Dovecot:
/sbin/service dovecot restart
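The following script is an added example, not part of Dovecot or of the original page: it builds a self-signed certificate from a req-style config like the dovecot-openssl.cnf above (mirroring what mkcert.sh does, with 2048-bit keys rather than 1024), then records the certificate's SHA-256 fingerprint so it can be published and checked by clients instead of being trusted blindly on first connection, which is the caveat raised at the top of the page. File names, the fingerprint() and verify_pinned() helpers and the config contents are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: build a self-signed Dovecot cert and pin its fingerprint.
set -eu

# Constructed config, equivalent to the page's dovecot-openssl.cnf.
# encrypt_key=yes is kept as on the page; -nodes below overrides it so the
# daemon can read the key without a passphrase, exactly as mkcert.sh does.
write_cnf() {  # $1 = path of the config file to write
  cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=US
ST=MN
L=SaintPaul
O=example.com
OU=IMAP server
CN=*.example.com
emailAddress=postmaster@example.com
[ cert_type ]
nsCertType = server
EOF
}

# One openssl req call, self-signed (-x509), unencrypted key (-nodes).
build_cert() {  # $1 = cnf  $2 = cert.pem out  $3 = key.pem out
  openssl req -new -x509 -nodes -config "$1" -out "$2" -keyout "$3" -days 365 2>/dev/null
}

# SHA-256 fingerprint of a PEM certificate, e.g. AB:CD:...  This is the value
# an admin publishes out-of-band and users compare with the client's prompt.
fingerprint() {  # $1 = cert.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 only if the presented certificate matches the pinned fingerprint.
# Against a live server the presented cert would be fetched with:
#   openssl s_client -connect mail.example.com:993 -showcerts </dev/null
verify_pinned() {  # $1 = presented cert.pem  $2 = expected fingerprint
  [ "$(fingerprint "$1")" = "$2" ]
}
```

Run write_cnf, build_cert and fingerprint once on the server, store the printed fingerprint with the client import instructions, and use verify_pinned (or the client's own fingerprint dialog) before accepting the certificate.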