SSL with Courier-IMAP
Within /etc/courier-imap you will find the files used to make IMAP and POP3 SSL certificates:
- imapd.cnf is a configuration file for making a self-signed IMAP certificate
- pop3d.cnf is a configuration file for making a self-signed POP certificate
To make self-signed certificates, just edit one or both of the files (whichever you want to use), then run mkimapdcert to make an IMAP SSL certificate or mkpop3dcert to make a POP3 SSL certificate.
To install a certificate from a CA, such as StartSSL as described above, just place your “.crt” and “.key” files into a single “.pem” file. For example:
cd /etc/courier-imap
cat /etc/apache2/ssl/mydomain.crt /etc/apache2/ssl/mydomain.key > imapd.pem
To view the key use:
openssl rsa -text -noout -in (filename)
To view the cert use:
openssl x509 -text -noout -in (filename)
Verify that the modulus sections of both match.
Verify that your /etc/courier-imap/imapd-ssl file contains these settings:
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_CERTFILE=/etc/ssl/private/MYDOMAIN.ORG.pem
TLS_TRUSTCERTS=/etc/ssl/certs
Of course, change the /etc/ssl/private/MYDOMAIN.ORG.pem file name to match the name and location of yours.
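As an added example (not code from the original page), here is a small POSIX sh checker that reads an imapd-ssl file, confirms the settings listed above are present with the expected values, and checks that the file named by TLS_CERTFILE exists and is readable only by its owner (the bundle holds the private key). The function names check_imapd_ssl_config and config_value are my own; the expected values are the ones shown above.

```shell
#!/bin/sh
# Added example, not part of the original page: confirm that an imapd-ssl
# file carries the settings listed above and that the certificate bundle it
# names exists with safe permissions. Function names are mine.

# config_value FILE KEY: last uncommented KEY=VALUE in FILE, quotes stripped
config_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# check_imapd_ssl_config FILE: returns 0 when every required setting is right,
# 1 otherwise; each problem is reported on stderr.
check_imapd_ssl_config() {
    cfg="$1"
    status=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }

    # The three switches the text above asks for, with their expected values.
    for pair in IMAPDSSLSTART=YES IMAPDSTARTTLS=YES IMAP_TLS_REQUIRED=1; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(config_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '$got', expected '$want'" >&2
            status=1
        fi
    done

    certfile=$(config_value "$cfg" TLS_CERTFILE)
    if [ -z "$certfile" ]; then
        echo "TLS_CERTFILE is not set" >&2
        status=1
    elif [ ! -r "$certfile" ]; then
        echo "TLS_CERTFILE=$certfile does not exist or is unreadable" >&2
        status=1
    else
        # The bundle contains the private key, so it must not be group/world readable.
        mode=$(stat -c %a "$certfile" 2>/dev/null || stat -f %Lp "$certfile")
        case "$mode" in
            600|400) ;;
            *) echo "$certfile has mode $mode, expected 600" >&2; status=1 ;;
        esac
    fi
    return "$status"
}

# Usage: sh check-imapd-ssl.sh /etc/courier-imap/imapd-ssl
if [ "$#" -gt 0 ]; then
    check_imapd_ssl_config "$1"
fi
```

Run it against the live file after every certificate change; a non-zero exit with a message on stderr tells you which setting or permission is off before you restart the daemon.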
Once you have the certificate in place, just start whichever secure service you want to use (or both):
/etc/init.d/courier-imapd-ssl start
/etc/init.d/courier-pop3d-ssl start
Also be sure to put one or both in your server start-up:
rc-update add courier-imapd-ssl default
rc-update add courier-pop3d-ssl default
If you look at netstat -lnp you should see port 993, which is used for secure IMAP.
# netstat -lnp | egrep "993|995"
tcp6       0      0 :::993                  :::*                    LISTEN      16913/couriertcpd
tcp6       0      0 :::995                  :::*                    LISTEN      16924/couriertcpd
Secure Connection versus Secure Authentication
There are two distinct areas of security for e-mail communication: authentication and transmission. The steps outlined above provide secure message transmission. I have never looked into “secure authentication” to know its technical merits or uses, but I do know that if you enable “secure authentication” your e-mail client will hang for about a minute and then report that it could not establish a connection.
If you are using courier-authlib for your authentication, then securing the transmission means you are wrapping your log-in in an SSL layer, so your authentication is actually “secure” but this is not the same as “secure authentication”. Confusing? Sure… just leave the “secure authentication” option turned off in your e-mail client (such as Thunderbird) and only set the SSL option.
When you check the “SSL” box in Thunderbird you will see the port change to “993”. If you are using KMail, there is no SSL option – you just set the port to 993 to indicate SSL should be used.
Troubleshooting
Here are a few troubleshooting ideas. Also see the official Courier-mta site's troubleshooting page.
Certificate Errors
Possible errors you might see:
imapd-ssl: Unknown certificate
imapd-ssl: Certificate is bad
imapd-ssl: Peer's certificate not signed by a trusted authority
Whenever you update your certificate, be sure you did not miss any steps. If your server is named myserver.example.com you should:
- Submit your myserver.example.com.csr file to your CA to get an updated certificate – the same CSR file you used in prior years.
- Move the old CRT file temporarily, in case something goes wrong and you need to put it back:
mkdir old
mv myserver.example.com.crt old/
- Save the new certificate as myserver.example.com.crt and restrict its permissions:
chmod 600 myserver.example.com.crt
- Create a combined PEM file that has the key and certificate, and optionally the intermediate CA certificate.
cat myserver.example.com.key myserver.example.com.crt [intermediate.crt] > myserver.example.com.pem
- Make sure there is a newline after the last entry in the PEM file.
echo >> myserver.example.com.pem
- Generate a pseudo-random key and append it to the PEM file.
dd if=/dev/urandom of=imapd.rand count=1
openssl gendh -rand imapd.rand 512 >> myserver.example.com.pem
rm imapd.rand
- Verify that the file works:
openssl x509 -subject -dates -fingerprint -noout -in myserver.example.com.pem
- Finally, restart the daemon and watch for errors:
/etc/init.d/courier-imapd-ssl restart
tail -f /var/log/mail.log
Cipher suite error
You see this error message:
imapd-ssl: Could not negotiate a supported cipher suite.
That message means Courier-IMAP can't find your private key. Bundle the private key and certificate into a single PEM file for Courier like this:
cat private.key server.crt > server-bundle.pem
Then point TLS_CERTFILE in your /etc/courier-imap/imapd-ssl file at the server bundle, e.g.:
TLS_CERTFILE=/etc/mail/ssl/server-bundle.pem
Then restart the daemon and watch for errors:
/etc/init.d/courier-imapd-ssl restart
tail -f /var/log/mail.log