Dovecot/TLS

From Gentoo Linux Wiki

Overview

This guide will show you how to enable TLS/SSL support in Dovecot 1.1, enabling you to encrypt all POP3 and IMAP communications.

This guide assumes you already have a working Dovecot installation.

Certificate Creation

This guide will not deal with certificate creation since that is already covered elsewhere. If you want an easy-to-use graphical program for managing self-signed certificates, you may wish to check out app-crypt/tinyca.

You will need to save the certificate files (there should be two: a key file and a certificate file) onto the server. For example, you may choose to keep yours in a directory called /etc/ssl/mycerts.

Your certificate files should be owned by root and have permissions 0600 (i.e. they can only be read by root).

Package Setup

You first need to ensure that you have Dovecot compiled with SSL support. For this to happen, Dovecot needs to be compiled with the ssl USE flag.

Add the following to /etc/portage/package.use:

File: /etc/portage/package.use
net-mail/dovecot ssl

And recompile Dovecot with:

emerge -av dovecot

Configuration

The following configuration is found in /etc/dovecot/dovecot.conf.

In the first section of the file, you need to specify the protocols that you want enabled. You probably have one or both of "imap" or "pop3" already enabled. You need to add the secure version of the protocols you use to this list. For example, if you use both, this would be:

protocols = imap pop3 imaps pop3s

The following settings are in the section marked SSL settings.

You now want to tell Dovecot where to find your certificate files. This example uses files stored in /etc/ssl/mycerts, with the key and certificate files called mail.example.org-key.pem and mail.example.org-cert.pem respectively.

ssl_cert_file = /etc/ssl/mycerts/mail.example.org-cert.pem
ssl_key_file = /etc/ssl/mycerts/mail.example.org-key.pem

You also need to tell Dovecot the passphrase needed to decrypt the key file:

ssl_key_password = <your key passphrase here>

To ensure that no other users can access your Dovecot configuration, where the key passphrase is now stored, run:

chmod 600 /etc/dovecot/dovecot.conf

Finally, restart Dovecot with:

/etc/init.d/dovecot restart
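The following script is an added sanity check for the setup described in this guide; it is not part of Dovecot or Gentoo. It reads a Dovecot 1.1 style dovecot.conf, verifies that every enabled plain protocol has its TLS variant listed, and checks that the configuration file (which now holds ssl_key_password), the certificate and the key are all owned by the expected user with mode 0600. It assumes a stat that supports -c (GNU or busybox); the function names are my own.

```shell
#!/bin/sh
# Added sanity check for the Dovecot TLS setup above (not part of Dovecot or Gentoo).
# Assumes GNU/busybox stat (-c) and a Dovecot 1.1 style "key = value" config.

# get_setting CONF KEY: print the value of the first "KEY = value" line
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_protocols CONF: fail if imap or pop3 is enabled without imaps/pop3s
check_protocols() {
    protos=" $(get_setting "$1" protocols) "
    for p in imap pop3; do
        case "$protos" in
            *" $p "*)
                case "$protos" in
                    *" ${p}s "*) ;;
                    *) echo "protocols: $p enabled but ${p}s is not" >&2; return 1 ;;
                esac
                ;;
        esac
    done
    return 0
}

# check_private FILE UID: file exists, is owned by UID and has mode 0600
check_private() {
    [ -f "$1" ] || { echo "$1: not found" >&2; return 1; }
    ownmode=$(stat -c '%u %a' "$1")
    [ "$ownmode" = "$2 600" ] ||
        { echo "$1: owner/mode is '$ownmode', want '$2 600'" >&2; return 1; }
}

# check_dovecot_tls CONF [UID]: run every check; UID defaults to 0 (root)
check_dovecot_tls() {
    conf=$1
    uid=${2:-0}
    check_protocols "$conf" || return 1
    # dovecot.conf holds ssl_key_password, so it needs the same protection as the key
    check_private "$conf" "$uid" || return 1
    check_private "$(get_setting "$conf" ssl_cert_file)" "$uid" || return 1
    check_private "$(get_setting "$conf" ssl_key_file)" "$uid" || return 1
    [ -n "$(get_setting "$conf" ssl_key_password)" ] ||
        { echo "ssl_key_password is not set" >&2; return 1; }
}
```

Run it as root with `check_dovecot_tls /etc/dovecot/dovecot.conf` after the steps above; any failing check is reported on stderr.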