[Dovecot] trying to configure dovecot
Hi all;
Thinking I'd like to have a bit of security, I followed the example for dovecot from allgoodthings.org.
Guessing between the lines, I made a few substitutions to localize it for me, but when I run the line to dump the configs, the output is very short because I do not have the *.pem files.
Where can a usable set of these ssl 'keyfiles' be obtained?
Cheers, Gene
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) My web page: <http://coyoteden.dyndns-free.com:85/gene> is up! My views <http://www.armchairpatriot.com/What%20Has%20America%20Become.shtml> Gee, I feel kind of LIGHT in the head now, knowing I can't make my satellite dish PAYMENTS! A pen in the hand of this president is far more dangerous than 200 million guns in the hands of law-abiding citizens.
On 7/14/2013 9:03 PM, Gene Heskett wrote:
> Hi all;
> Thinking I'd like to have a bit of security, I followed the example for dovecot from allgoodthings.org.
> Guessing between the lines, I made a few substitutions to localize it for me, but when I run the line to dump the configs, the output is very short because I do not have the *.pem files.
> Where can a usable set of these ssl 'keyfiles' be obtained?
$ openssl genrsa -out server.key 2048
$ openssl req -sha256 -new -key server.key -out server.csr
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
$ cat server.key server.crt > server.pem
Run the four commands. You will have a key file, a certificate signing request file, a self-signed cert and a pem file which is the concatenation of the key and cert (some systems need this, and some are OK with the key and cert being separate). This is everything you will need to get the server working with SSL or TLS.
The third command generates a self-signed certificate. If you are playing around or this is for internal / personal use, this is OK, but if you want real security, you need to have your cert signed by a real certificate authority (CA).
If you are going to do this, the way you answer the questions in step two is important. You should do some research into the requirements of your chosen CA, but for example, the question about the state usually must be answered with the full state name, properly capitalized, and not an abbreviation. Example: "Florida" is correct, "FL" is not.
If in any doubt, contact your CA first before generating your CSR.
Dem
On Sun, 2013-07-14 at 21:38 -0700, Professa Dementia wrote:
> On 7/14/2013 9:03 PM, Gene Heskett wrote:
> > Guessing between the lines, I made a few substitutions to localize it for me, but when I run the line to dump the configs, the output is very short because I do not have the *.pem files.
> > Where can a usable set of these ssl 'keyfiles' be obtained?
> $ openssl genrsa -out server.key 2048
> $ openssl req -sha256 -new -key server.key -out server.csr
> $ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
> $ cat server.key server.crt > server.pem
> Run the four commands. You will have a key file, a certificate signing request file, a self-signed cert and a pem file which is the
Simplified (4 lines into 1):
openssl req -x509 -days 3650 -nodes -newkey rsa:4096 -keyout mail.pem -out mail.pem
> if you want real security, you need to have your cert signed by a real certificate authority (CA).
Good idea; a self-signed cert is fine for playing around, however there are some situations where some clients might get upset at SSCs in production. Either way, if you want a free "real" certificate for your mail server (inc webmail), have a look at the offerings from startssl.com
Don't know if your linked site gave you any of this since I've just returned from a break and am catching up on some 1700 posts under my list a/c :) (most of which will be 'mark all as read'), but anyway
in this case use:
openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout mail.key -out mail.csr
submit your csr file to startssl (or other provider), and get your mail.crt file _and_ the class1/CA files (they should offer them to you to d/l)
Typically, I keep the key separate and would use something like
cat mail.crt /etc/ssl/CA/sub.class1.server.ca.pem /etc/ssl/CA/ca.pem > dovecot.pem
and in dovecot:
ssl_cert_file = </etc/ssl/certs/dovecot.pem
ssl_key_file = </etc/ssl/certs/mail.key
On Mon, 2013-07-15 at 17:58 +1000, Noel Butler wrote:
> ssl_key_file = /etc/ssl/certs/mail.key
Hrmm, the forced HTML-to-text conversion of this list (I sometimes wonder if this is 1993, not 2013) seems to have stripped out the less-than bracket preceding the filename, but the actual entry would be
ssl_cert_file = </etc/ssl/certs/dovecot.pem
ssl_key_file = </etc/ssl/certs/mail.key
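An added check for the gotcha above, written for this thread and not part of Dovecot or any list post: it lints the ssl_* lines of a dovecot.conf for the missing '<' prefix and then inspects the PEM files the lines point at (missing file, cert file not starting with the server certificate, private key mixed into the cert file). It assumes the 1.x setting names used here plus their Dovecot 2.x equivalents ssl_cert and ssl_key; the file contents are constructed stand-ins, not real keys or certificates.

```python
import re

# One PEM block; group 1 is its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)
# The 1.x setting names from the thread plus their 2.x equivalents ssl_cert / ssl_key.
SETTING_LINE = re.compile(r"^\s*(ssl_cert_file|ssl_key_file|ssl_cert|ssl_key)\s*=\s*(.*?)\s*$")

def pem_block_types(pem_text):
    """Labels of the PEM blocks in a file, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def lint_dovecot_ssl(conf_text, read_file):
    """Findings for the ssl_* lines (empty list = sane); read_file(path) -> str supplies contents."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = SETTING_LINE.match(line)
        if not m:
            continue
        name, value = m.groups()
        kind = "cert" if "cert" in name else "key"
        if not value.startswith("<"):   # the gotcha from the thread: no '<' means the string IS the value
            findings.append(f"line {lineno}: {name} lacks the '<' prefix; use {name} = <{value}")
            continue
        path = value[1:].strip()
        try:
            types = pem_block_types(read_file(path))
        except OSError as exc:          # Gene's original symptom: the *.pem files do not exist
            findings.append(f"line {lineno}: {name}: cannot read {path} ({exc})")
            continue
        if kind == "cert":
            if not types or types[0] != "CERTIFICATE":
                findings.append(f"line {lineno}: {path} must start with the server CERTIFICATE")
            if any(t.endswith("PRIVATE KEY") for t in types):
                findings.append(f"line {lineno}: {path} also holds a private key; keep it in its own file")
        elif sum(t.endswith("PRIVATE KEY") for t in types) != 1:
            findings.append(f"line {lineno}: {path} should hold exactly one PRIVATE KEY block")
    return findings

# Constructed stand-ins for the files named in the thread (not real keys or certificates).
SAMPLE_FILES = {
    "/etc/ssl/certs/dovecot.pem": "-----BEGIN CERTIFICATE-----\nc2VydmVy\n-----END CERTIFICATE-----\n"
                                  "-----BEGIN CERTIFICATE-----\nc3ViY2Ex\n-----END CERTIFICATE-----\n",
    "/etc/ssl/certs/mail.key": "-----BEGIN RSA PRIVATE KEY-----\na2V5\n-----END RSA PRIVATE KEY-----\n",
}
STRIPPED_CONF = "ssl_cert_file = /etc/ssl/certs/dovecot.pem\nssl_key_file = /etc/ssl/certs/mail.key\n"
FIXED_CONF = "ssl_cert_file = </etc/ssl/certs/dovecot.pem\nssl_key_file = </etc/ssl/certs/mail.key\n"

def read_sample(path):
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]
```

Against a live box, pass `lambda p: open(p).read()` as `read_file` and the output of `doveconf -n` (or the raw dovecot.conf) as `conf_text`.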
On Monday 15 July 2013 09:02:12 Noel Butler did opine:
> On Mon, 2013-07-15 at 17:58 +1000, Noel Butler wrote:
> > ssl_key_file = /etc/ssl/certs/mail.key
> Hrmm, the forced HTML-to-text conversion of this list (I sometimes wonder if this is 1993, not 2013) seems to have stripped out the less-than bracket preceding the filename, but the actual entry would be
> ssl_cert_file = </etc/ssl/certs/dovecot.pem
> ssl_key_file = </etc/ssl/certs/mail.key
Thanks. Another gotcha swatted.
Cheers, Gene
On Monday 15 July 2013 09:00:41 Noel Butler did opine:
> On Sun, 2013-07-14 at 21:38 -0700, Professa Dementia wrote:
> > On 7/14/2013 9:03 PM, Gene Heskett wrote:
> > > Guessing between the lines, I made a few substitutions to localize it for me, but when I run the line to dump the configs, the output is very short because I do not have the *.pem files.
> > > Where can a usable set of these ssl 'keyfiles' be obtained?
> > $ openssl genrsa -out server.key 2048
> > $ openssl req -sha256 -new -key server.key -out server.csr
> > $ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
> > $ cat server.key server.crt > server.pem
> > Run the four commands. You will have a key file, a certificate signing request file, a self-signed cert and a pem file which is the
> Simplified (4 lines into 1):
> openssl req -x509 -days 3650 -nodes -newkey rsa:4096 -keyout mail.pem -out mail.pem
> > if you want real security, you need to have your cert signed by a real certificate authority (CA).
> Good idea; a self-signed cert is fine for playing around, however there are some situations where some clients might get upset at SSCs in production. Either way, if you want a free "real" certificate for your mail server (inc webmail), have a look at the offerings from startssl.com
> Don't know if your linked site gave you any of this since I've just returned from a break and am catching up on some 1700 posts under my list a/c :) (most of which will be 'mark all as read'), but anyway
> in this case use:
> openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout mail.key -out mail.csr
> submit your csr file to startssl (or other provider), and get your mail.crt file _and_ the class1/CA files (they should offer them to you to d/l)
> Typically, I keep the key separate and would use something like
> cat mail.crt /etc/ssl/CA/sub.class1.server.ca.pem /etc/ssl/CA/ca.pem > dovecot.pem
> and in dovecot:
> ssl_cert_file = </etc/ssl/certs/dovecot.pem
> ssl_key_file = </etc/ssl/certs/mail.key
Thank you very much, I believe that is exactly what I am looking for.
Cheers, Gene
On Monday 15 July 2013 14:14:38 Noel Butler did opine:
> On Sun, 2013-07-14 at 21:38 -0700, Professa Dementia wrote:
> > On 7/14/2013 9:03 PM, Gene Heskett wrote:
> > > Guessing between the lines, I made a few substitutions to localize it for me, but when I run the line to dump the configs, the output is very short because I do not have the *.pem files.
> > > Where can a usable set of these ssl 'keyfiles' be obtained?
> > $ openssl genrsa -out server.key 2048
> > $ openssl req -sha256 -new -key server.key -out server.csr
> > $ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
> > $ cat server.key server.crt > server.pem
> > Run the four commands. You will have a key file, a certificate signing request file, a self-signed cert and a pem file which is the
> Simplified (4 lines into 1):
> openssl req -x509 -days 3650 -nodes -newkey rsa:4096 -keyout mail.pem -out mail.pem
> > if you want real security, you need to have your cert signed by a real certificate authority (CA).
> Good idea; a self-signed cert is fine for playing around, however there are some situations where some clients might get upset at SSCs in production. Either way, if you want a free "real" certificate for your mail server (inc webmail), have a look at the offerings from startssl.com
> Don't know if your linked site gave you any of this since I've just returned from a break and am catching up on some 1700 posts under my list a/c :) (most of which will be 'mark all as read'), but anyway
> in this case use:
> openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout mail.key -out mail.csr
> submit your csr file to startssl (or other provider), and get your mail.crt file _and_ the class1/CA files (they should offer them to you to d/l)
> Typically, I keep the key separate and would use something like
> cat mail.crt /etc/ssl/CA/sub.class1.server.ca.pem /etc/ssl/CA/ca.pem > dovecot.pem
> and in dovecot:
> ssl_cert_file = </etc/ssl/certs/dovecot.pem
> ssl_key_file = </etc/ssl/certs/mail.key
I got to the startssl site OK, but failed at that point because I haven't yet managed to get claws-mail to actually fetch the mail while I am booted to 12.04.2 LTS.
Chicken/egg problem. So I guess I'm stuck with SSCs ATM. And because I'm doing full shutdowns to swap drives in a hot-swap cage, I am killing my new and old drives with all this power-down rebooting. Probably 30 such cycles in the last 10 days. :(
Thank you for the help, it's very much appreciated.
Cheers, Gene