I want users to log in with username and password, but be sure that the whole traffic between client/server would be encrypted. After reading the mailing list and Google, finally just a moment ago I have fixed the problem with certs and these 2 options. My problem was in the CRL and I didn't understand how it should follow the cacert. Here is a mini howto for OpenSSL usage on a mail server. Please include it in the wiki, it will help many others!!!
- prepare the environment for openssl:
    mkdir /etc/pki/CA/newcerts
    mkdir /etc/pki/CA/crl
    cd /etc/pki/CA
    echo 01 > serial
    touch index.txt
    echo 01 > crlnumber
    ln -s /etc/pki/tls/openssl.cnf openssl.cnf
  Edit /etc/pki/tls/openssl.cnf: change the CA directory to /etc/pki/CA, change nsComment to whatever you want, change other settings you want (default variables for certs).
- make your own CA:
    openssl req -new -x509 -extensions v3_ca -utf8 -newkey rsa:2048 -sha1 -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
- make the default CRL:
    openssl ca -gencrl -crlexts crl_ext -md sha1 -utf8 -config ./openssl.cnf -crldays 30 -out crl/crl.pem
- combine your root cert with the default empty CRL:
    cat cacert.pem ./crl/crl.pem > cacrl.pem
- make a request for the mail server certificate:
    mkdir mail
    openssl req -new -nodes -newkey rsa:2048 -sha1 -utf8 -out mail/mail.req -keyout mail/mail.key -config ./openssl.cnf
- issue the certificate:
    openssl ca -out mail/mail.pem -md sha1 -utf8 -days 3650 -config ./openssl.cnf -infiles mail/mail.req
- convert the root certificate to DER format:
    openssl x509 -in cacert.pem -outform DER -out company.root.cert.der
- convert the mail cert into the Windows-readable PKCS#12 format (or convert it to the same .der format to secure the key file):
    openssl pkcs12 -export -out mail/mail.p12 -inkey mail/mail.key -in mail/mail.pem -name "MyCompany Mail Server"
- give the company.root.cert.der and mail.p12 certs to the client for integration with his application (Outlook, Thunderbird, etc ...)
- edit your Dovecot ssl configuration and tell it the location of the cert files:
    ssl_cert = </etc/pki/CA/mail/mail.pem
    ssl_key = </etc/pki/CA/mail/mail.key
    ssl_ca = </etc/pki/CA/cacrl.pem
PS: Btw, I hope to receive answers to the other questions from my very first post. Regards.
On Tue, Jun 14, 2011 at 12:13 PM, Willie Gillespie <wgillespie+dovecot@es2eng.com> wrote:
On 6/13/2011 8:44 AM, Denis Iskandarov wrote:
I've tried the next thing:
    ssl = required
    ssl_verify_client_cert = no
    auth_ssl_require_client_cert = no
And began getting emails. Successful logs attached. But I can't understand if the data was passed with TLS. How can I enable those 2 options "ssl_verify_client_cert", "auth_ssl_require_client_cert" and get them working?
So do you want the client to authenticate with a certificate, or a username and password?
If you set up SSL on the server then things will be encrypted between the client and server similar to how HTTPS works (only the server presents a certificate).
ssl_verify_client_cert and auth_ssl_require_client_cert also expect the client to present its own certificate to the server. So there would be a certificate for the server and one for each client in that case.
Willie
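As an added example (not code from this thread or from the Dovecot project), here is the mini howto at the top of this message reduced to a self-contained POSIX sh script, so the CRL step that was the sticking point can be checked instead of trusted. It goes one step beyond the howto: after confirming that the fresh mail.pem verifies against the combined cacrl.pem with CRL checking on, it revokes the certificate, regenerates the CRL, and shows that the same check now fails, which is exactly what keeping the CRL next to the CA cert in one file buys you. Everything it assumes is constructed for the demo: a temporary directory instead of /etc/pki/CA, a minimal openssl.cnf instead of the system one, the names "Example Mail CA" and mail.example.test, and sha256 in place of the howto's -sha1 (current OpenSSL rejects SHA-1 signed CAs during verification).

```shell
# Added example, not code from the mailing-list thread or from Dovecot: the
# howto as a self-contained POSIX sh script using a temporary CA directory and
# a minimal constructed openssl.cnf instead of /etc/pki/CA and the system
# config. sha256 replaces the howto's -sha1. "Example Mail CA" and
# mail.example.test are placeholder names.
set -eu

# Step 1: CA directory layout (serial, index.txt, crlnumber) plus a minimal config.
prepare_ca() {
  ca=$1
  mkdir -p "$ca/newcerts" "$ca/crl" "$ca/private" "$ca/mail"
  echo 01 > "$ca/serial"
  echo 01 > "$ca/crlnumber"
  : > "$ca/index.txt"
  cat > "$ca/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_cn_only
x509_extensions = v3_server
[ policy_cn_only ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
}

# Steps 2-5: self-signed CA, then the CRL and the combined cacrl.pem.
make_ca() {
  ( cd "$1" && openssl req -new -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout private/cakey.pem -out cacert.pem -days 3650 \
      -subj "/CN=Example Mail CA" -config openssl.cnf >/dev/null 2>&1 )
  regen_crl "$1"
}

# (Re)generate the CRL from the CA database and rebuild cacrl.pem = CA cert + CRL.
# This is the step to repeat after every revocation.
regen_crl() {
  ( cd "$1" && openssl ca -gencrl -crlexts crl_ext -crldays 30 \
      -config openssl.cnf -out crl/crl.pem >/dev/null 2>&1 \
    && cat cacert.pem crl/crl.pem > cacrl.pem )
}

# Steps 6-7: key + request for the mail server, signed by the CA.
issue_mail_cert() {
  ( cd "$1" \
    && openssl req -new -nodes -newkey rsa:2048 -keyout mail/mail.key \
         -out mail/mail.req -subj "/CN=mail.example.test" -config openssl.cnf >/dev/null 2>&1 \
    && openssl ca -batch -notext -days 825 -config openssl.cnf \
         -in mail/mail.req -out mail/mail.pem >/dev/null 2>&1 )
}

# Mark a certificate revoked in the CA database (the CRL itself is unchanged until regen_crl).
revoke_cert() {
  ( cd "$1" && openssl ca -config openssl.cnf -revoke "$2" >/dev/null 2>&1 )
}

# The check a verifier does with the combined file: chain to the CA and consult the CRL.
check_cert() {
  if openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

# Full run: the fresh cert verifies; after revocation plus a new CRL it is rejected.
demo() {
  work=$(mktemp -d)
  prepare_ca "$work"
  make_ca "$work"
  issue_mail_cert "$work"
  before=$(check_cert "$work/cacrl.pem" "$work/mail/mail.pem")
  revoke_cert "$work" mail/mail.pem
  regen_crl "$work"
  after=$(check_cert "$work/cacrl.pem" "$work/mail/mail.pem")
  rm -rf "$work"
  echo "before revocation: $before, after revocation: $after"
}

demo
```

Run it with `sh`; it needs only the openssl binary. On a real server keep the howto's /etc/pki/CA layout and system openssl.cnf, and repeat the gencrl and cat steps whenever you revoke a certificate, otherwise the cacrl.pem that ssl_ca points at still carries the old CRL and the revoked certificate keeps verifying.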