Complete Virtual Mail Server/SSL Certificates

Introduction
With security and privacy becoming increasingly important, using SSL to secure the server is a no-brainer. Apache, Courier-imap and Postfix can all be secured with SSL/TLS.

Installing SSL
SSL is a dependency and a compile-time option for most packages. OpenSSL, the key ingredient, is pulled in through the ssl USE flag. If it was not set before, enable it and rebuild every package that uses it (emerge --update --deep --newuse @world).

SNI
A few issues arise when serving multiple domains from a single IP. Apache solves this with SNI, which lets it present a different certificate per hostname on one IP; both the browser and the server need to support it, however. Courier-imap and Postfix do not, so for IMAP (and POP3) and SMTP the only practical way to serve multiple hostnames on a single IP is one certificate that covers all of them, listing every name as a subjectAltName entry. Not pretty, but it works.

Obtaining an SSL Certificate
There are currently two and a half ways to obtain an SSL certificate. Purchasing a certificate from one of the reputable providers is one option. Using a self-signed certificate is another, though it triggers warnings in users' mail and web clients. The half option, recommended when not buying a certificate, is a certificate from CAcert.org. They are working hard on getting their root certificate included in the major browsers and operating systems; until it is, clients that lack the root show the same warning as for a self-signed certificate. Most of all, it is free and gratis.

Self signed
Most applications pre-generate self-signed certificates and tend to install them into /etc/ssl. A new self-signed certificate is easily created with OpenSSL.

This should have created three files, /etc/ssl/postfix/newkey.pem, /etc/ssl/postfix/, /etc/ssl/postfix/newcrt.pem, and the accompanying CA root certificate /etc/ssl/postfix/demoCA/cacert.pem. Renaming them to something more descriptive is advisable.
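The following is an added example, not the wiki page's own command: it creates a self-signed certificate whose subjectAltName lists every hostname the mail server answers to, so the one certificate covers imap, pop3 and smtp on a single IP without SNI. The hostnames (foo.example.com and its aliases) and the foo.example.com_*.pem file names follow the page's conventions; the 730-day lifetime and 2048-bit key are assumptions. It also checks two things worth verifying before deploying any certificate: that the private key really belongs to the certificate, and that the names a client will connect to are actually covered.

```shell
#!/bin/sh
# Added example, not from the wiki page: self-signed certificate with a subjectAltName that
# covers every mail hostname, plus the checks a practitioner runs before installing it.
set -eu

# make_selfsigned OUTDIR HOST [ALIAS...]
# Writes OUTDIR/HOST_privatekey.pem (mode 0600) and OUTDIR/HOST_crt.pem.
make_selfsigned() {
    outdir=$1; host=$2; shift 2
    key="$outdir/${host}_privatekey.pem"
    crt="$outdir/${host}_crt.pem"
    cnf="$outdir/${host}_openssl.cnf"
    mkdir -p "$outdir"

    # SAN list: the primary name first, then every alias (mail, pop3, imap, ...).
    san="DNS:$host"
    for alt in "$@"; do
        san="$san,DNS:$alt"
    done

    # A small config file instead of -addext, which older OpenSSL releases lack.
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = $san
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # -nodes: no passphrase, so the daemons start unattended. The key is protected by file
    # permissions (umask 077 while it is written), not by a passphrase nobody is there to type.
    (umask 077; openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 730 \
        -config "$cnf" -extensions v3_req -keyout "$key" -out "$crt" 2>/dev/null)
    chmod 644 "$crt"
    rm -f "$cnf"
}

# key_matches_cert KEY CRT: the public key derived from KEY must equal the one inside CRT,
# otherwise the daemon refuses to start (or, worse, keeps serving a stale certificate).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# cert_covers CRT NAME: succeeds when NAME is one of the certificate's subjectAltName entries,
# which is what a client compares against the hostname it connected to.
cert_covers() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|$)"
}

# Demo run in a throwaway directory (use /etc/ssl/postfix or similar for real).
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" foo.example.com imap.example.com pop3.example.com mail.example.com
openssl x509 -in "$demo_dir/foo.example.com_crt.pem" -noout -subject -dates
```

A client validates the name it connected to against subjectAltName, not against the CN alone, so every DNS alias (mail, pop, pop3, imaps and so on) has to be passed to make_selfsigned or users get a name-mismatch warning on top of the untrusted-issuer one.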

CACert.org signed
CAcert.org offers a simple script to assist with generating SSL certificates. The csr script should be downloaded and executed. In this example, the mail server is called imap but has DNS aliases for mail, pop, pop3, pop3s, imaps and foo. More can be added as needed. Note that foo is in the list because foo is the hostname of the system offering the IMAP service; it is not there because postfix, the web server or anything else is named foo.

This has generated a certificate signing request, which any root CA can sign, not only CAcert.org. In the case of CAcert.org, under Server Certificates there is a link named New which opens an edit box for the request. Make sure the radio button is set to Sign by class 3 root certificate. The part from -----BEGIN CERTIFICATE REQUEST----- up to and including -----END CERTIFICATE REQUEST----- needs to be pasted into the edit field and submitted via the submit button. The server then verifies the request and generates the certificate. The certificate, again including the BEGIN and END markers, is then copied into a new file named foo.example.com_crt.pem. A link to the certificate is also e-mailed to the address bound to the CAcert.org account.

This should leave three files: foo.example.com_privatekey.pem, foo.example.com_csr.pem and foo.example.com_crt.pem. This naming convention is followed during the rest of this document.

Apache
Setting up Apache with SSL is already very well described elsewhere and yields a working SSL-enabled web server. Postfixadmin, if reachable externally, should only work over https, since it handles admin credentials. Roundcube, or webmail in general, can also be served over SSL but may stay open to plain http as well.

Roundcube has a nice option for this, the force_https setting in its config, which redirects every request for http://webmail.example.com to https://webmail.example.com. With a proper SSL certificate this is strongly recommended. With a self-signed certificate, or a CAcert.org certificate whose root is not installed on all users' machines, it should remain off, as users would otherwise be forced through a certificate warning.

Courier-imap
If anything, securing IMAP with SSL is extremely recommended. IMAP LOGIN sends the password in plain text; over a TLS-secured connection that is no longer an issue, since the whole session, credentials included, is encrypted.

Create Self-Signed Certificate
Courier-imap comes with two easy scripts to generate self-signed SSL certificates, mkpop3dcert and mkimapdcert. They read /etc/courier-imap/pop3d.cnf and /etc/courier-imap/imapd.cnf respectively. It can make testing easier to start with self-signed certificates and swap in signed ones later. If self-signed certificates are a must, edit the aforementioned files; otherwise the defaults will suffice.

Create Signed Certificate
Courier-imap does not use the three separate files as most applications do; it needs them concatenated into a single, specially ordered file. The file starts with the private key. {{Note|If no courier-imap directory exists in /etc/ssl, it needs to be created manually. {{RootCmd|mkdir -p /etc/ssl/courier-imap/}}}} {{RootCmd|cat foo.example.com_privatekey.pem > /etc/ssl/courier-imap/foo.example.com.pem}} Since this file contains the private key, it must only be readable by root (chmod 600).

This is followed by the signed certificate. {{RootCmd|cat foo.example.com_crt.pem >> /etc/ssl/courier-imap/foo.example.com.pem}}

Finally, Diffie-Hellman parameters are appended to the end. {{RootCmd|openssl gendh 1024 >> /etc/ssl/courier-imap/foo.example.com.pem}} Note that gendh is the old name of this command; current OpenSSL releases call it openssl dhparam, and 1024-bit parameters are considered weak today, so 2048 bits are preferable.

The resulting file should have contents like this (the certificate signing request does not belong in it).
{{File|/etc/ssl/courier-imap/foo.example.com.pem|imap certificate|
-----BEGIN PRIVATE KEY-----
MIIEvaasdfasdfSfasdfadfasdfasdfasdfasdfasdfasdfasdfasdsahdahhgfh
asdfasdfasdfsdfsdf
asdfasdfasdfasdfaswYEdpa+rdFfs=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGhzClkjhlkjhlkjhkljhkljhkljhkljhkljhkljhlkjhkljhkljhlkjhkljhk
kljhlkjhkljhlkjhlkjhlkjhkljhkljhlkjhlkjhkljhk==
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIGHAoGBAPF7fJnfw+VPPev9FAkf2XJNFimn4ik+zkXXuHD5t9Oke1Yx224WTocq
KJ+Zv9onecK0MPYRUj8PPqqy+Q00pScW9+qPSr9T2sEG/meKjLqqA3XQf4Gwzqco
SUG0PEjiYNNfe966p9E1vp6yN5+gSyu6zv9Vn+cfYY2q7d3a4x9rAgEC
-----END DH PARAMETERS-----
}}
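The following is an added example, not the wiki page's own commands: it assembles the combined courier-imap file from the separate foo.example.com_*.pem files in the required order (private key, certificate, DH parameters), refuses to write it if the key does not belong to the certificate, and creates it readable by root only. Paths follow the page's naming; the COURIER_PEM variable and the dh.pem file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page: build the single PEM file courier-imap reads,
# with a key/certificate match check before anything is written.
set -eu

# key_matches_cert KEY CRT: the public key derived from KEY equals the one in CRT.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# assemble_courier_pem KEY CRT OUT [DHPARAMS]
# Concatenates in courier's order. The result holds the private key, so it is created 0600.
assemble_courier_pem() {
    key=$1; crt=$2; out=$3; dh=${4:-}
    if ! key_matches_cert "$key" "$crt"; then
        echo "refusing: $key does not match $crt" >&2
        return 1
    fi
    mkdir -p "$(dirname "$out")"
    (umask 077; cat "$key" "$crt" > "$out")     # key first, then the signed certificate
    if [ -n "$dh" ]; then
        cat "$dh" >> "$out"                      # DH parameters last
    fi
    chmod 600 "$out"
}

# pem_sections FILE: the PEM block types in the file, in order, separated by "|",
# e.g. "PRIVATE KEY|CERTIFICATE|DH PARAMETERS". Handy to eyeball the result.
pem_sections() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | paste -sd'|' -
}

# Real use (as root), e.g.:
#   COURIER_PEM=/etc/ssl/courier-imap/foo.example.com.pem sh courier-pem.sh
if [ -n "${COURIER_PEM-}" ]; then
    mkdir -p /etc/ssl/courier-imap
    # DH parameter generation is slow; do it once and keep the file, not on every deploy.
    [ -f /etc/ssl/courier-imap/dh.pem ] || openssl dhparam -out /etc/ssl/courier-imap/dh.pem 2048
    assemble_courier_pem foo.example.com_privatekey.pem foo.example.com_crt.pem \
        "$COURIER_PEM" /etc/ssl/courier-imap/dh.pem
    echo "$COURIER_PEM: $(pem_sections "$COURIER_PEM")"
fi
```

pem_sections printing anything other than PRIVATE KEY|CERTIFICATE|DH PARAMETERS (a stray CERTIFICATE REQUEST, or the certificate before the key) means the file was assembled from the wrong inputs or in the wrong order.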

Configure SSL
As noted above, the certificate covers both the pop3 and the imap hostnames, so it is assumed that pop3 and imap run on the same IP/host. This is not required, however: pop3 could very well run on a different machine with the same certificate (not advised, as the private key would then live on two hosts) or with its own.

POP3
With TLS_CERTFILE in /etc/courier-imap/pop3d-ssl pointing at the combined file, starting the courier-pop3d-ssl service should allow POP3 over SSL on port 995.

IMAP
With TLS_CERTFILE in /etc/courier-imap/imapd-ssl pointing at the combined file, starting the courier-imapd-ssl service should allow IMAP over SSL on port 993.

Testing SSL
Testing becomes a bit harder, as telnet no longer works against the SSL ports. The simplest option is a mail client such as Thunderbird: configure a plain connection first to verify everything works (it should, as telnet worked before), then enable the SSL option for the account and check that it still works. The default IMAP-over-SSL port is 993 (995 for POP3). Whether STARTTLS is enabled on the plain port can still be checked with telnet by looking for STARTTLS in the CAPABILITY response.

If the SSL-secured services now work as expected, they can be added to the default runlevel (rc-update add courier-imapd-ssl default, and likewise for courier-pop3d-ssl).

Securing SMTP with SSL
The certificates for use with postfix should be stored in /etc/ssl/postfix/; if the same certificate is used as for courier-imap, postfix can simply be pointed at those files. If using CAcert.org, its root certificate needs to be configured as the CA file. Gentoo pre-installs the CAcert.org root certificate, which should be used.

Now STARTTLS can be used for an authenticated connection over port 25. SSL/TLS support on port 465 (smtps) should be enabled as well. Courier-imap did this automatically; postfix needs a change to master.cf.

Restart postfix to start the SSL secured daemons.
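The following is an added example, not the wiki page's own configuration: it prints the main.cf parameters and master.cf entries that enable TLS in postfix, and includes a small checker that flags a main.cf which still lets clients send a SASL password over an unencrypted connection (the mistake that undoes the point of this whole page). Certificate paths follow the page's /etc/ssl/postfix/ convention; the CA file path is an assumption to be replaced by the system's CAcert.org bundle or the bought CA's chain. The submission entry on port 587 goes beyond the page's smtps setup; it is the port mail clients should use for authenticated sending rather than 25.

```shell
#!/bin/sh
# Added example, not from the wiki page: postfix TLS settings plus a check for plaintext AUTH.
set -eu

# postfix_tls_main_cf CRT KEY [CAFILE]: TLS parameters for /etc/postfix/main.cf
# (append, or feed each line to postconf -e).
postfix_tls_main_cf() {
    cat <<EOF
smtpd_tls_cert_file = $1
smtpd_tls_key_file = $2
${3:+smtpd_tls_CAfile = $3}
# "may": offer STARTTLS on port 25 but keep accepting plain SMTP from other MTAs without TLS.
smtpd_tls_security_level = may
# Never let a client send a password on a connection that has not been upgraded to TLS.
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
# Opportunistic TLS for outgoing mail as well.
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
EOF
}

# postfix_tls_master_cf: entries for /etc/postfix/master.cf. smtps (465) wraps the whole
# session in TLS like courier's imaps/pop3s ports; submission (587) is STARTTLS-only.
postfix_tls_master_cf() {
    cat <<'EOF'
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
EOF
}

# main_cf_allows_plain_auth FILE: succeeds (exit 0) when FILE lets clients authenticate
# without TLS, i.e. smtpd_tls_auth_only is absent or not "yes". The last setting wins,
# as in postfix; comment lines are ignored.
main_cf_allows_plain_auth() {
    val=$(sed -n 's/^[[:space:]]*smtpd_tls_auth_only[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1)
    [ "$val" != yes ]
}

# Demo: print both fragments for the page's file names (CA path is an assumed placeholder).
postfix_tls_main_cf /etc/ssl/postfix/foo.example.com_crt.pem \
    /etc/ssl/postfix/foo.example.com_privatekey.pem /etc/ssl/certs/cacert.org.pem
postfix_tls_master_cf
```

After restarting postfix, main_cf_allows_plain_auth /etc/postfix/main.cf should fail (exit 1); if it succeeds, AUTH is still being offered before STARTTLS on port 25 and a misconfigured client will happily send its password in the clear.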

Testing
Telnet is only of limited use for testing: it can verify which options the server advertises. After EHLO, STARTTLS should be listed among the supported extensions.

To test whether all connections work as intended, a recent version of Thunderbird works best. When adding a new account, Thunderbird tries STARTTLS on the default ports first. If that fails, or when configuring manually, select SSL/TLS with ports 993 (IMAP) and 465 (SMTP) and hit the Re-test button. The account can then be created using secure connections only.
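The following is an added example, not the wiki page's own procedure, serving both the courier-imap and the postfix testing sections above: openssl s_client replaces telnet for the SSL ports (993, 995, 465) and, with -starttls, also exercises the STARTTLS upgrade on the plain ports (143, 110, 25). It reports the thing that matters beyond "it connects", namely the Verify return code, which tells whether the certificate chain validates against the CA file given. -servername is always sent so an SNI-aware server such as Apache presents the right certificate. Hostnames and ports are the page's; the use of nc for the plain-text capability check is an assumption.

```shell
#!/bin/sh
# Added example, not from the wiki page: probe SSL and STARTTLS mail services with openssl
# s_client and interpret the result, plus a parser for the clear-text capability banners.
set -eu

# tls_probe HOST PORT [STARTTLS_PROTO] [CAFILE]
# Prints the full s_client transcript. Without a protocol it speaks TLS from the first byte
# (993/995/465); with imap/pop3/smtp it connects in the clear and upgrades via STARTTLS.
tls_probe() {
    host=$1; port=$2; proto=${3:-}; cafile=${4:-}
    set -- -connect "$host:$port" -servername "$host"
    [ -n "$proto" ] && set -- "$@" -starttls "$proto"
    [ -n "$cafile" ] && set -- "$@" -CAfile "$cafile"
    openssl s_client "$@" </dev/null 2>&1 || true
}

# verify_code TRANSCRIPT: the numeric "Verify return code" from an s_client transcript.
# 0 means the chain verified against the CA file; 18 is a self-signed certificate;
# 19/20/21 mean the issuing CA (e.g. the CAcert.org root) was not found or not trusted.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

# check_service HOST PORT [PROTO] [CAFILE]: one summary line per service; fails unless
# the handshake completed and the certificate verified.
check_service() {
    out=$(tls_probe "$@")
    code=$(verify_code "$out")
    printf '%s:%s verify=%s\n' "$1" "$2" "${code:-none}"
    [ "$code" = 0 ]
}

# advertises_starttls PROTO BANNER: does the clear-text capability list offer the upgrade?
# IMAP and SMTP call it STARTTLS, POP3 calls it STLS.
advertises_starttls() {
    case $1 in
        imap) printf '%s\n' "$2" | grep -q 'CAPABILITY.*STARTTLS' ;;
        smtp) printf '%s\n' "$2" | grep -Eq '^250[- ]STARTTLS' ;;
        pop3) printf '%s\n' "$2" | grep -q '^STLS' ;;
        *) return 2 ;;
    esac
}

# capability_banner HOST PORT PROTO: the telnet-style check from the page, scripted with nc
# (assumed to be installed); feed the output to advertises_starttls.
capability_banner() {
    case $3 in
        imap) printf 'a CAPABILITY\r\na LOGOUT\r\n' ;;
        smtp) printf 'EHLO test.example.com\r\nQUIT\r\n' ;;
        pop3) printf 'CAPA\r\nQUIT\r\n' ;;
    esac | nc -w 3 "$1" "$2"
}

# Intended use once the daemons are running (network access required), e.g.:
#   check_service imap.example.com 993 "" /etc/ssl/courier-imap/cacert.pem
#   check_service imap.example.com 143 imap /etc/ssl/courier-imap/cacert.pem
#   check_service mail.example.com 465 "" /etc/ssl/postfix/cacert.pem
#   check_service mail.example.com 25 smtp /etc/ssl/postfix/cacert.pem
#   advertises_starttls imap "$(capability_banner imap.example.com 143 imap)"
```

A verify code of 18 with a self-signed certificate, or 19/20 with a CAcert.org certificate when no CA file is given, is expected; the same codes with the right -CAfile mean the wrong certificate (or the wrong file order in courier's combined file) is being served. On OpenSSL 1.1.0 and later, adding -verify_hostname to the s_client call also checks that the name connected to is covered by subjectAltName.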

Wrapping it up
Once everything works as expected, the verbose logging enabled earlier can be turned off again.