{{:suse.png}}

=== TLS, IMAP over SSL (imaps) and pop3 over SSL (pop3s) ===

=== TLS ===

Modify / append the TLS settings in **/etc/imapd.conf**:

<code>
#--- SSL/TLS setting ---#
tls_ca_path: /etc/ssl/certs
tls_ca_file: /etc/ssl/certs/ca_cert.pem
tls_cert_file: /etc/ssl/certs/station7_cert.pem
tls_key_file: /etc/ssl/private/station7_key.pem
</code>

The key file must be readable by the user the Cyrus daemons run as (normally "cyrus") and by nobody else; a world-readable server key makes every imaps session decryptable, as the ssldump test at the end of this page demonstrates.

=== SSL for imap - imaps ===

Modify / append the SSL settings in **/etc/cyrus.conf** and deactivate the unencrypted protocols (remove the plain imap and pop3 entries from SERVICES):

<code>
SERVICES {
  imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="localhost:imap" prefork=0
  imaps     cmd="imapd -s" listen="imaps" prefork=0
  sieve     cmd="timsieved -C /etc/imapd-local.conf" listen="sieve" prefork=0
  lmtpunix  cmd="lmtpd" listen="/var/spool/postfix/public/lmtp" prefork=1
}
</code>

  * Since the Cyrus management tool "cyradm" cannot use SSL or TLS, you also have to define a "normal" (unencrypted) imap service, which you secure by letting it bind to localhost only (listen="localhost:imap"; a bare service name such as listen="imaps" binds every interface). This imap service needs its own config file, e.g. /etc/imapd-local.conf, which contains no SSL, TLS or noplaintext settings. The -C option in the cmd= string tells imapd which config file to read; without it the daemon reads /etc/imapd.conf.
  * Since timsieved (SIEVE) supports only STARTTLS and not an SSL-wrapped port like imaps, you also need to define as its config file

Modify the settings in **/etc/imapd.conf**:

<code>
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus
allowplaintext: no
autocreatequota: 100000
reject8bit: no
quotawarn: 70
timeout: 300
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sasl_minimum_layer: 128
sasl_mech_list: PLAIN LOGIN
lmtp_overquota_perm_failure: yes
lmtp_downcase_rcpt: yes
lmtpsocket: /var/spool/postfix/public/lmtp
tls_ca_path: /etc/ssl/certs
tls_ca_file: /etc/ssl/certs/ca_cert.pem
tls_cert_file: /etc/ssl/certs/groupware_cert.pem
tls_key_file: /etc/ssl/private/groupware_key.pem
tls_cipher_list: TLSv1:STARTTLS:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
</code>

**allowplaintext: no** disables the PLAIN and LOGIN mechanisms on an unencrypted connection; **sasl_minimum_layer: 128** additionally refuses any login unless the TLS layer provides at least 128 bit of protection (the imtest transcripts below report the negotiated value as "Security strength factor"). Two caveats on the cipher list as shown: "STARTTLS" is not an OpenSSL cipher-string keyword, so OpenSSL simply skips it, and the "SSLv2" token selects the obsolete SSLv2 cipher suites. On a current system leave both out and exclude SSLv2 explicitly with a ! entry.

**/etc/imapd-local.conf:**

<code>
postmaster: postmaster
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
#sieve_maxscriptsize: 32
#sieve_maxscript: 5
admins: cyrus
allowanonymouslogin: no
allowplaintext: yes
autocreatequota: 100000
reject8bit: no
quotawarn: 70
timeout: 300
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
#sasl_minimum_layer: 128
sasl_mech_list: PLAIN LOGIN
lmtp_overquota_perm_failure: yes
lmtp_downcase_rcpt: yes
lmtpsocket: /var/spool/postfix/public/lmtp
</code>

This file permits plaintext logins (allowplaintext: yes, no sasl_minimum_layer), so it is only safe for services that are reachable from localhost alone.

**After all the above modifications to the Cyrus configuration, restart cyrus and watch the output in /var/log/messages carefully!**

=== Testing ===

== imaps ==

Use a port scanner like "nmap":

<code>
station7:/etc/init.d # nmap localhost | grep imap
993/tcp   open  imaps
</code>

**-> imaps is running on port 993**

Scan the machine's external address as well: only 993 (and, if configured, 995 for pop3s) should be open there; port 143 must not appear, because the imaplocal service is bound to localhost only.

Test MECH=LOGIN:

<code>
station7:/ # imtest -a root -u root -m LOGIN station7.example.com -s
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK groupware-test Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN root {6}
S: + go ahead
C:
S: L01 OK User logged in
Authenticated.
Security strength factor: 256
</code>

The two "verify error" lines mean that imtest could not validate the server certificate because it does not trust the CA that issued it (here the self-signed ca_cert.pem); imtest carries on regardless, but real mail clients will warn or refuse unless that CA certificate is installed on them. The TLS session is nevertheless established and the login is accepted only because it happens inside it.

Test MECH=PLAIN:

<code>
station7:/ # imtest -a root -u root -m PLAIN station7.example.com -s
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK groupware-test Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN cm9vdAByb290AHZyMjAweA==
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
</code>

The argument to AUTHENTICATE PLAIN (sent as an initial response thanks to SASL-IR) is only base64, not encryption: it carries authorization id, user name and password separated by NUL bytes, and anyone who can read the session, or this transcript, can recover the password. This is exactly why PLAIN and LOGIN must only be offered under TLS, which the server acknowledges with "(tls protection)".

You can additionally watch the output of ssldump:

<code>
ssldump -d -i lo -k /etc/ssl/private/station7_key.pem port 993
</code>

With the server's private key ssldump can decrypt the session because AES256-SHA uses RSA key exchange; with an ephemeral Diffie-Hellman cipher suite the key alone would not be enough. That is also a reminder of how much depends on the permissions of the key file.

<- [[linux:email:email|back]]
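The rule that the cyradm and SIEVE notes above apply by hand (a service whose config file allows plaintext logins may only listen on localhost; anything else must require TLS) can be checked mechanically. The following script is an added example, not code from the wiki page or from Cyrus: it parses the SERVICES block of cyrus.conf, follows each service's -C option to its imapd.conf, and reports services that combine a permissive config with a non-loopback listener, plus the SSLv2 and STARTTLS tokens in tls_cipher_list. The config texts embedded in it are constructed samples copied from the fragments on this page; a missing allowplaintext is treated as permissive by assumption, so only an explicit "allowplaintext: no" passes. Run against these samples it flags the sieve service, which the page's cyrus.conf runs with /etc/imapd-local.conf on every interface.

```python
import re

# Constructed samples in the page's format; in practice read the real files from /etc.
CYRUS_CONF = """\
SERVICES {
  imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="localhost:imap" prefork=0
  imaps     cmd="imapd -s" listen="imaps" prefork=0
  sieve     cmd="timsieved -C /etc/imapd-local.conf" listen="sieve" prefork=0
  lmtpunix  cmd="lmtpd" listen="/var/spool/postfix/public/lmtp" prefork=1
}
"""

CONFIGS = {
    "/etc/imapd.conf": """\
allowplaintext: no
sasl_minimum_layer: 128
sasl_mech_list: PLAIN LOGIN
tls_cipher_list: TLSv1:STARTTLS:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
""",
    "/etc/imapd-local.conf": """\
allowplaintext: yes
#sasl_minimum_layer: 128
sasl_mech_list: PLAIN LOGIN
""",
}

SERVICE_RE = re.compile(r'^\s*(\w+)\s+cmd="([^"]*)"\s+listen="([^"]*)"')
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_imapd_conf(text):
    """imapd.conf is one 'key: value' per line; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            opts[key.strip()] = value.strip()
    return opts


def parse_services(text):
    """Return one dict per SERVICES entry of cyrus.conf."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, cmd, listen = m.groups()
        alt = re.search(r"(?:^|\s)-C\s+(\S+)", cmd)
        services.append({
            "name": name,
            "listen": listen,
            # without -C the daemon reads the default /etc/imapd.conf
            "config": alt.group(1) if alt else "/etc/imapd.conf",
            # imapd -s / pop3d -s wrap the whole session in SSL
            "ssl_wrapped": re.search(r"(?:^|\s)-s(?:\s|$)", cmd) is not None,
        })
    return services


def listens_local_only(listen):
    """UNIX sockets and loopback-bound TCP listeners are reachable only locally."""
    if listen.startswith("/"):
        return True
    host, sep, _port = listen.rpartition(":")
    if not sep:  # bare port or service name binds every interface
        return False
    return host.strip("[]") in LOOPBACK


def audit(cyrus_conf, configs):
    """Return a sorted list of findings for the given cyrus.conf and imapd.conf texts."""
    findings = set()
    for svc in parse_services(cyrus_conf):
        opts = parse_imapd_conf(configs[svc["config"]])
        local = listens_local_only(svc["listen"])
        # Assumption: a missing allowplaintext counts as permissive (fail closed).
        plaintext = opts.get("allowplaintext", "yes").lower() in ("yes", "1", "true", "on")
        if plaintext and not local:
            findings.add(f"{svc['name']}: allowplaintext via {svc['config']} "
                         f"on non-loopback listener '{svc['listen']}'")
        if not local and not svc["ssl_wrapped"] and int(opts.get("sasl_minimum_layer", "0")) == 0:
            findings.add(f"{svc['name']}: no sasl_minimum_layer, unencrypted "
                         f"sessions possible on '{svc['listen']}'")
    for path, text in configs.items():
        tokens = parse_imapd_conf(text).get("tls_cipher_list", "").split(":")
        if "SSLv2" in tokens:
            findings.add(f"{path}: tls_cipher_list selects SSLv2 cipher suites")
        if "STARTTLS" in tokens:
            findings.add(f"{path}: 'STARTTLS' is not an OpenSSL cipher keyword (ignored)")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(CYRUS_CONF, CONFIGS):
        print("WARN", finding)
```

To use it on a real host, replace the embedded samples with the contents of /etc/cyrus.conf and the imapd.conf files it references. The imaplocal entry passes because it is bound to localhost, imaps passes because its config refuses plaintext and demands a 128-bit layer, and lmtpunix passes because a UNIX socket is local by construction; the sieve entry is the one to fix, either by binding it to localhost or by giving it a config with allowplaintext: no so that clients must STARTTLS before sending credentials.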