[Dovecot] SSL communication problems with client side.

Denis Iskandarov d.iskandarov at gmail.com
Tue Jun 14 11:52:37 EEST 2011


I want users to log in with a username and password, but be sure that the
whole traffic between client/server would be encrypted.
After reading the mailing list and Google, finally, just a moment ago, I
have fixed the problem with the certs and these 2 options.
My problem was in the CRL and I didn't understand how it should follow
cacert. Here is a mini howto for openssl usage on a mail server. Please
include it in the wiki, it will help many others!!!

0. Prepare the environment for openssl
mkdir /etc/pki/CA/newcerts
mkdir /etc/pki/CA/crl
cd /etc/pki/CA
echo 01 > serial
touch index.txt
echo 01 > crlnumber
ln -s /etc/pki/tls/openssl.cnf openssl.cnf
Edit /etc/pki/tls/openssl.cnf:
change the CA directory to /etc/pki/CA
change nsComment to whatever you want
change other settings you want (default variables for certs)

1. Make your own CA
openssl req -new -x509 -extensions v3_ca -utf8 -newkey rsa:2048 -sha1 -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

2. Make the default CRL
openssl ca -gencrl -crlexts crl_ext -md sha1 -utf8 -config ./openssl.cnf -crldays 30 -out crl/crl.pem

3. Combine your root cert with the default empty CRL
cat cacert.pem ./crl/crl.pem > cacrl.pem

4. Make a request for the mail server certificate
mkdir mail
openssl req -new -nodes -newkey rsa:2048 -sha1 -utf8 -out mail/mail.req -keyout mail/mail.key -config ./openssl.cnf

5. Issue the certificate
openssl ca -out mail/mail.pem -md sha1 -utf8 -days 3650 -config ./openssl.cnf -infiles mail/mail.req

6. Convert the root certificate to DER format
openssl x509 -in cacert.pem -outform DER -out company.root.cert.der

7. Convert the mail cert into the Windows-readable PKCS#12 format (or convert it to the same .der format to secure the key file)
openssl pkcs12 -export -out mail/mail.p12 -inkey mail/mail.key -in mail/mail.pem -name "MyCompany Mail Server"

8. Give the company.root.cert.der and mail.p12 certs to the client for
integration with his application (Outlook, Thunderbird, etc.)

9. Edit your Dovecot SSL configuration and tell it the location of the cert files.
ssl_cert = </etc/pki/CA/mail/mail.pem
ssl_key = </etc/pki/CA/mail/mail.key
ssl_ca = </etc/pki/CA/cacrl.pem

PS: Btw, I hope to receive answers to the other questions from my very first post.
Regards.

On Tue, Jun 14, 2011 at 12:13 PM, Willie Gillespie
<wgillespie+dovecot at es2eng.com> wrote:
> On 6/13/2011 8:44 AM, Denis Iskandarov wrote:
>>
>> I've tried the next thing:
>> ssl = required
>> ssl_verify_client_cert = no
>> auth_ssl_require_client_cert = no
>>
>> And began getting emails.
>> Successful logs attached. But I can't understand if the data was passed with
>> TLS.
>> How can I enable those 2 options "ssl_verify_client_cert",
>> "auth_ssl_require_client_cert" and get them working?
>
> So do you want the client to authenticate with a certificate, or a username
> and password?
>
> If you set up SSL on the server then things will be encrypted between the
> client and server similar to how HTTPS works (only the server presents a
> certificate).
>
> ssl_verify_client_cert and auth_ssl_require_client_cert also expect the
> client to present its own certificate to the server.  So there would be
> a certificate for the server and one for each client in that case.
>
> Willie
>
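The howto above, replayed end to end as an added example (this is not code from the post or from the Dovecot project): it runs steps 0 to 5 in a throwaway directory instead of /etc/pki, with a minimal constructed openssl.cnf, and then uses `openssl verify -crl_check` to show the point the poster stumbled on, that the file Dovecot's ssl_ca points at must contain the CA certificate followed by its CRL. It also revokes the server certificate and reissues the CRL so the same check is seen to fail. Assumptions: `openssl` is on PATH, `mktemp -d` is writable, the CA key gets no passphrase (`-nodes`) so the script runs unattended, and sha256 replaces the post's sha1 (current clients reject sha1 signatures). The names Example Root CA and mail.example.test are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: CA -> CRL -> server cert,
# then `openssl verify -crl_check` against the combined cacert+CRL bundle.
set -eu

WORK="$(mktemp -d)"                    # assumed writable; removed on exit
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/CA"

# Minimal constructed stand-in for the distribution's openssl.cnf.
write_openssl_cnf() {
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = policy_any
x509_extensions  = usr_cert
crl_extensions   = crl_ext
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = placeholder, overridden by -subj below
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
}

# Step 0: the directory layout the post creates under /etc/pki/CA.
prepare_ca_dir() {
    mkdir -p "$CA/newcerts" "$CA/crl" "$CA/private" "$CA/mail"
    echo 01 > "$CA/serial"
    : > "$CA/index.txt"
    echo 01 > "$CA/crlnumber"
    write_openssl_cnf
}

# Step 1: self-signed root CA (sha256 instead of sha1, -nodes for no passphrase).
make_ca() {
    openssl req -new -x509 -extensions v3_ca -utf8 -newkey rsa:2048 -sha256 -nodes \
        -subj "/CN=Example Root CA" -keyout "$CA/private/cakey.pem" \
        -out "$CA/cacert.pem" -days 3650 -config "$CA/openssl.cnf" 2>/dev/null
}

# Steps 2 and 3: (re)issue the CRL and append it to the CA cert. The combined
# file is what the post's ssl_ca setting points at.
make_crl() {
    openssl ca -gencrl -crlexts crl_ext -md sha256 -utf8 -config "$CA/openssl.cnf" \
        -crldays 30 -out "$CA/crl/crl.pem" 2>/dev/null
    cat "$CA/cacert.pem" "$CA/crl/crl.pem" > "$CA/cacrl.pem"
}

# Steps 4 and 5: request and sign the mail server certificate.
issue_mail_cert() {
    openssl req -new -nodes -newkey rsa:2048 -sha256 -utf8 -subj "/CN=mail.example.test" \
        -out "$CA/mail/mail.req" -keyout "$CA/mail/mail.key" -config "$CA/openssl.cnf" 2>/dev/null
    openssl ca -batch -out "$CA/mail/mail.pem" -md sha256 -utf8 -days 3650 \
        -config "$CA/openssl.cnf" -infiles "$CA/mail/mail.req" 2>/dev/null
}

# Prints OK when mail.pem chains to the bundle in $1 and is not revoked by a
# CRL found there; FAIL otherwise (a bundle with no CRL also fails -crl_check).
verify_against() {
    if openssl verify -crl_check -CAfile "$1" "$CA/mail/mail.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Revoke the server cert and cut a fresh CRL so the bundle reflects it.
revoke_mail_cert() {
    openssl ca -revoke "$CA/mail/mail.pem" -config "$CA/openssl.cnf" 2>/dev/null
    make_crl
}

prepare_ca_dir
make_ca
make_crl
issue_mail_cert
echo "cacert+CRL bundle: $(verify_against "$CA/cacrl.pem")"    # OK
echo "cacert alone:      $(verify_against "$CA/cacert.pem")"   # FAIL (no CRL)
```

Whenever the CRL is regenerated (step 2 again, or after a revocation), rebuild the combined file exactly as step 3 does and reload Dovecot; a stale bundle is the usual reason a revoked certificate keeps being accepted.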

