SSL with Courier-IMAP

Within /etc/courier-imap (the Courier-IMAP configuration directory on Gentoo; Debian-style packages use /etc/courier) you will find the OpenSSL request configuration files used to make IMAP and POP3 SSL certificates:

  • imapd.cnf is a configuration file for making a self-signed IMAP certificate
  • pop3d.cnf is a configuration file for making a self-signed POP certificate

To make self-signed certificates, edit one or both of the files (whichever services you want to use; set the CN to the host name your clients connect to), then run mkimapdcert to make an IMAP SSL certificate or mkpop3dcert to make a POP3 SSL certificate. Each writes a combined key-and-certificate file (imapd.pem or pop3d.pem) into the same directory. Mail clients will warn about a self-signed certificate unless you install it in their trust store, which is the usual reason to move on to a CA-issued certificate.

To install a certificate from a CA, such as StartSSL as described above, place your “.crt” and “.key” files into a single “.pem” file. The result contains the private key, so make it readable by root only. For example:

cd /etc/courier-imap
cat /etc/apache2/ssl/mydomain.crt /etc/apache2/ssl/mydomain.key > imapd.pem
chmod 600 imapd.pem
NB: Be sure the modulus of the key matches the modulus of the certificate, i.e. the key is the one the CSR for that certificate was generated from. If you host multiple domains it is easy to pair the wrong files. A message in your mail.log such as couriertls: /etc/mail/ssl/mail.crt: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch means the two files do not belong together.

To view the key use:

openssl rsa -text -noout -in (filename)

To view the cert use:

openssl x509 -text -noout -in (filename)

Verify that the modulus hex strings printed in the two outputs are identical.

Verify that your /etc/courier-imap/imapd-ssl file contains these settings:

IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_CERTFILE=/etc/ssl/private/MYDOMAIN.ORG.pem
TLS_TRUSTCERTS=/etc/ssl/certs

Change the /etc/ssl/private/MYDOMAIN.ORG.pem file name to match the name and location of your combined file. IMAPDSSLSTART=YES starts the IMAPS listener on port 993, IMAPDSTARTTLS=YES advertises STARTTLS on the plain IMAP port 143, and IMAP_TLS_REQUIRED=1 makes the server refuse LOGIN on port 143 until the client has negotiated STARTTLS, so passwords never cross the wire in the clear. TLS_TRUSTCERTS names the directory of CA certificates Courier consults when it verifies a peer's certificate; it is not needed to serve your own certificate, but it does no harm.

Once you have the certificate in-place, just start whichever secure service you want to use (or both):

/etc/init.d/courier-imapd-ssl start
/etc/init.d/courier-pop3d-ssl start

Also be sure to add one or both to your server start-up (OpenRC shown; other init systems differ):

rc-update add courier-imapd-ssl default
rc-update add courier-pop3d-ssl default

If you look at netstat -lnp you should see port 993 (IMAPS) and, if you started the POP3 service, port 995 (POP3S), both owned by couriertcpd:

# netstat -lnp | egrep "993|995"
tcp6       0      0 :::993                  :::*                    LISTEN      16913/couriertcpd
tcp6       0      0 :::995                  :::*                    LISTEN      16924/couriertcpd

Secure Connection versus Secure Authentication

There are two distinct things a mail client can secure: the connection to the server (transmission) and the method used to present the password (authentication). The steps outlined above encrypt the connection between your client and the server, which protects the login and the mailbox contents on that hop; they do not encrypt the message itself end to end. I have never looked into “secure authentication” to know its technical merits or uses, but I do know that if you enable “secure authentication” your e-mail client will hang for about a minute and then tell you it could not establish a connection.

If you are using courier-authlib for your authentication, securing the transmission means your user name and password travel inside the SSL/TLS session, so they cannot be read on the wire even though the IMAP exchange itself is a plain LOGIN. That is not what mail clients mean by “secure authentication”: that option asks for a challenge-response mechanism such as CRAM-MD5, which Courier only offers when courier-authlib can retrieve the clear-text password from its back end (a hashed password in /etc/shadow will not do), and if the server does not offer it the login fails. Confusing? Sure… just leave the “secure authentication” option turned off in your e-mail client (such as Thunderbird) and only set the SSL option.

When you check the “SSL” box in Thunderbird you will see the port change to “993”. If you are using KMail, there is no SSL option – you just set the port to 993 to indicate SSL should be used.

Troubleshooting

Here are a few troubleshooting ideas. Also see the official Courier-mta site's troubleshooting page.

Certificate Errors

Possible errors you might see:

imapd-ssl: Unknown certificate
imapd-ssl: Certificate is bad
imapd-ssl: Peer's certificate not signed by a trusted authority

Whenever you update your certificate be sure you did not miss any steps. If your server is named myserver.example.com you should:

  1. Submit your myserver.example.com.csr file to your CA to get an updated certificate. Reusing the CSR from prior years keeps the same private key, which is convenient, but it also means a key that was ever exposed stays in service; generating a new key and CSR at each renewal is the safer habit.
  2. Move the old CRT file aside temporarily, in case something goes wrong and you need to put it back:
    mkdir old
    mv myserver.example.com.crt old/
  3. Save the new certificate as myserver.example.com.crt
  4. chmod 600 myserver.example.com.crt
  5. Create a combined PEM file that has the key, the certificate and, if your CA uses one, the intermediate CA certificate, in that order. The server certificate must come before the intermediate, because OpenSSL takes the first certificate in the file as the server's own and the following ones as its chain. The file now contains the private key, so restrict it to root:
    cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem
    chmod 600 myserver.example.com.pem
  6. Make sure there is a newline after the last entry in the PEM file.
    echo >> myserver.example.com.pem
  7. Append Diffie-Hellman parameters to the PEM file. Older Courier releases (and their mkimapdcert) read them from TLS_CERTFILE, but the original recipe, openssl gendh 512, produces 512-bit parameters that are far too small to be safe; use at least 2048 bits (generation takes a while, and no seed file is needed):
    openssl dhparam 2048 >> myserver.example.com.pem
    Newer Courier releases read DH parameters from a separate file named by TLS_DHPARAMS in imapd-ssl, generated with mkdhparams; if your imapd-ssl has that setting, use it instead of appending to the PEM.
  8. Verify that the file works:
    openssl x509 -subject -dates -fingerprint -noout -in myserver.example.com.pem
  9. Finally, restart the daemon and watch for errors:
    /etc/init.d/courier-imapd-ssl restart
    tail -f /var/log/mail.log
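As an added example that is not code from this page or from the Courier project, the following POSIX shell helpers cover both the modulus check described earlier and the renewal steps just listed: they verify that the key belongs to the certificate, assemble the key + certificate + chain bundle with the right order and permissions, refuse the undersized DH parameters, sanity-check the finished file, and probe the running service the way a mail client would. It assumes only the openssl command-line tool; every file name and host name in it is hypothetical.

```shell
#!/bin/sh
# Added example, not code from this page or from the Courier project:
# helpers for the combined PEM file that TLS_CERTFILE points at.  Assumes
# only the openssl command-line tool; all file names below are hypothetical.

# Return 0 when the private key in $1 belongs to the (first) certificate
# in $2.  The same public key implies the same RSA modulus, so this is the
# check the page describes with "openssl rsa -text" / "openssl x509 -text",
# but it also works for EC keys.  Either argument may be a combined PEM.
key_cert_match() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_pem KEY CRT OUT [INTERMEDIATE ...]
# Writes the key, then the server certificate, then any intermediate CA
# certificates: OpenSSL takes the first certificate in the file as the
# server's own and the rest as its chain.  A mismatched key/certificate
# pair is refused; in Courier it would show up in mail.log as
# "X509_check_private_key:key values mismatch".
build_pem() {
    key=$1 crt=$2 out=$3
    shift 3
    if ! key_cert_match "$key" "$crt"; then
        echo "build_pem: $key does not belong to $crt" >&2
        return 1
    fi
    # The file will hold the private key: make it root-only before
    # anything is written into it.
    : > "$out" && chmod 600 "$out" || return 1
    cat "$key" "$crt" "$@" >> "$out" || return 1
    # Courier needs a newline after the last PEM block.
    [ -z "$(tail -c 1 "$out")" ] || echo >> "$out"
}

# Append Diffie-Hellman parameters for Courier releases that read them
# from TLS_CERTFILE (what mkimapdcert used to do with "openssl gendh 512").
# 512-bit parameters are breakable, so anything under 2048 is refused.
# Newer releases take them from the file named by TLS_DHPARAMS instead.
append_dhparams() {
    out=$1 bits=${2:-2048}
    if [ "$bits" -lt 2048 ]; then
        echo "append_dhparams: refusing $bits-bit DH parameters" >&2
        return 1
    fi
    openssl dhparam "$bits" 2>/dev/null >> "$out"
}

# Sanity-check a finished bundle: it has a key and a certificate, they
# match, the certificate is not expired, and the file ends in a newline.
# On success, print the certificate summary the page suggests checking.
pem_ok() {
    f=$1
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" ||
        { echo "$f: no private key" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "$f: no certificate" >&2; return 1; }
    key_cert_match "$f" "$f" ||
        { echo "$f: key and certificate do not match" >&2; return 1; }
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "$f: certificate has expired" >&2; return 1; }
    [ -z "$(tail -c 1 "$f")" ] ||
        { echo "$f: no newline after the last block" >&2; return 1; }
    openssl x509 -in "$f" -noout -subject -dates -fingerprint
}

# After restarting the daemon, look at the service the way a client does:
# port 993/995 for IMAPS/POP3S, or 143/110 with STARTTLS.  A "Verify return
# code" other than 0 for a CA-issued certificate usually means the
# intermediate certificate is missing from the bundle.  /etc/ssl/certs is
# the TLS_TRUSTCERTS directory used on this page.
probe_tls() {
    host=$1 port=$2
    case $port in
        143) set -- -starttls imap ;;
        110) set -- -starttls pop3 ;;
        *)   set -- ;;
    esac
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CApath /etc/ssl/certs "$@" </dev/null 2>/dev/null |
        grep -E '^(subject|issuer)=|Protocol  :|Verify return code'
}
```

Typical use after saving the helpers as, say, courier-pem.sh: `. ./courier-pem.sh`, then `build_pem myserver.example.com.key myserver.example.com.crt myserver.example.com.pem intermediate.crt && pem_ok myserver.example.com.pem`, copy the file to the path in TLS_CERTFILE, restart courier-imapd-ssl, and run `probe_tls myserver.example.com 993` (and `probe_tls myserver.example.com 143` to confirm STARTTLS) from a machine that trusts your CA. build_pem fails on exactly the mismatched pair that produces the key values mismatch line in mail.log, so the error is caught before the daemon is restarted.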

Cipher suite error

You see this error message:

imapd-ssl: Could not negotiate a supported cipher suite.

That message is logged when the TLS handshake with the client fails. The usual cause is that Courier could not load a private key from TLS_CERTFILE (for example the file holds only the certificate), so no cipher suite can be completed; it also appears when client and server have no TLS version or cipher in common, which is governed by TLS_PROTOCOL and TLS_CIPHER_LIST in the same configuration file. For the first case, bundle the private key and certificate into a single PEM file for Courier like this:

cat private.key server.crt > server-bundle.pem
chmod 600 server-bundle.pem

Then point TLS_CERTFILE in your /etc/courier-imap/imapd-ssl file at the bundle, e.g.:

TLS_CERTFILE=/etc/mail/ssl/server-bundle.pem

Then restart the daemon and watch for errors:

/etc/init.d/courier-imapd-ssl restart
tail -f /var/log/mail.log