
TLS, IMAP over SSL (imaps) and POP3 over SSL (pop3s)

TLS

Modify or append the TLS settings in /etc/imapd.conf:

#--- SSL/TLS setting ---#
tls_ca_path: /etc/ssl/certs
tls_ca_file: /etc/ssl/certs/ca_cert.pem
tls_cert_file: /etc/ssl/certs/station7_cert.pem
tls_key_file: /etc/ssl/private/station7_key.pem


SSL for imap - imaps

Modify or append the SSL settings in /etc/cyrus.conf and disable the unencrypted services.

SERVICES {
  # plaintext IMAP for cyradm, bound to the loopback interface only, with its own config file
  imaplocal     cmd="imapd -C /etc/imapd-local.conf" listen="localhost:imap" prefork=0
  # SSL-wrapped IMAP (imaps, port 993)
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  # managesieve (STARTTLS only); the closing quote after the config file name was missing in the original
  sieve         cmd="timsieved -C /etc/imapd-local.conf" listen="sieve" prefork=0
  # local delivery from Postfix over a Unix socket
  lmtpunix      cmd="lmtpd" listen="/var/spool/postfix/public/lmtp" prefork=1
}
* Since the Cyrus management tool "cyradm" cannot use SSL or TLS, you also have to define a "normal" IMAP service, which you secure by letting it bind only to localhost. For this IMAP service you have to define an additional config file, e.g. /etc/imapd-local.conf, which contains no SSL, TLS or noplaintext settings.
* Since Sieve can only use STARTTLS and no SSL or TLSv1, you also need to define as its config file



Modify settings in /etc/imapd.conf:

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus
# refuse PLAIN/LOGIN authentication unless a TLS layer protects the session
allowplaintext: no
autocreatequota: 100000
reject8bit: no
quotawarn: 70
timeout: 300
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
# require at least a 128-bit security layer (here supplied by TLS) before authentication
sasl_minimum_layer: 128
sasl_mech_list: PLAIN LOGIN
lmtp_overquota_perm_failure: yes
lmtp_downcase_rcpt: yes
lmtpsocket: /var/spool/postfix/public/lmtp
tls_ca_path: /etc/ssl/certs
tls_ca_file: /etc/ssl/certs/ca_cert.pem
tls_cert_file: /etc/ssl/certs/groupware_cert.pem
tls_key_file: /etc/ssl/private/groupware_key.pem
# OpenSSL cipher string; STARTTLS is not a cipher keyword, and SSLv2/SSLv3 are obsolete protocol aliases
tls_cipher_list: TLSv1:STARTTLS:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH


/etc/imapd-local.conf:

postmaster: postmaster
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
#sieve_maxscriptsize: 32
#sieve_maxscript: 5
admins: cyrus
allowanonymouslogin: no
# plaintext authentication permitted; this file is intended for the loopback-only imaplocal service (cyrus.conf also references it for sieve)
allowplaintext: yes
autocreatequota: 100000
reject8bit: no
quotawarn: 70
timeout: 300
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
#sasl_minimum_layer: 128
sasl_mech_list: PLAIN LOGIN
lmtp_overquota_perm_failure: yes
lmtp_downcase_rcpt: yes
lmtpsocket: /var/spool/postfix/public/lmtp


After all the above modifications to the Cyrus configuration, restart Cyrus and watch the output in /var/log/messages carefully!
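Before that restart it is worth checking the three files against each other, because a service line in cyrus.conf decides which imapd config (and therefore which allowplaintext setting) a daemon runs with. The following script is an added example, not part of the original page or of Cyrus; the function names and the sample configuration files it builds are constructed here, and the sample mirrors the layout above. It reports every SERVICES entry as LOCAL-ONLY (Unix socket or loopback bind), SSL-WRAPPED (started with -s), STARTTLS-ONLY (network port, but its config file has allowplaintext: no) or PLAINTEXT-EXPOSED (network port, no -s, and its config file does not set allowplaintext: no).

```shell
#!/bin/sh
# Added example (not from the original page): audit the SERVICES block of a
# cyrus.conf for daemons that listen on the network without "-s" while the
# imapd config file they run with does not forbid plaintext authentication.
# All function names and the sample configs below are constructed.

# Print the imapd config file a service uses: the "-C file" argument if the
# cmd string has one, otherwise the default config passed as $2.
service_config_file() {
  case "$1" in
    *" -C "*) printf '%s\n' "$1" | sed -n 's/.* -C \([^ ]*\).*/\1/p' ;;
    *)        printf '%s\n' "$2" ;;
  esac
}

# Read allowplaintext from an imapd config file; prints yes, no, unset or unknown.
allowplaintext_setting() {
  [ -r "$1" ] || { echo unknown; return; }
  v=$(awk -F': *' '$1 == "allowplaintext" { v = $2 } END { print v }' "$1")
  case "$v" in
    [yY]*|1|[tT]*|[oO][nN]) echo yes ;;
    "")                     echo unset ;;
    *)                      echo no ;;
  esac
}

# Usage: audit_cyrus_services CYRUS_CONF DEFAULT_IMAPD_CONF
# Prints "name<TAB>verdict<TAB>details" per service; exit status 1 if any
# service is PLAINTEXT-EXPOSED, 0 otherwise.
audit_cyrus_services() {
  cyrus_conf=$1; default_conf=$2; rc=0
  tmp=$(mktemp)
  # Extract name|cmd|listen from every service line inside SERVICES { ... }.
  awk '/^SERVICES/ { in_s = 1; next }
       in_s && /^[ \t]*}/ { in_s = 0 }
       in_s && /cmd=/ {
         cmd = ""; listen = ""
         if (match($0, /cmd="[^"]*"/))    cmd    = substr($0, RSTART + 5, RLENGTH - 6)
         if (match($0, /listen="[^"]*"/)) listen = substr($0, RSTART + 8, RLENGTH - 9)
         print $1 "|" cmd "|" listen
       }' "$cyrus_conf" > "$tmp"
  while IFS='|' read -r name cmd listen; do
    conf=$(service_config_file "$cmd" "$default_conf")
    plain=$(allowplaintext_setting "$conf")
    # Unix sockets and loopback binds are not reachable from the network.
    case "$listen" in
      /*|localhost:*|127.0.0.1:*|\[::1\]:*) reach=local ;;
      *)                                   reach=network ;;
    esac
    case " $cmd " in *" -s "*) ssl=yes ;; *) ssl=no ;; esac
    if   [ "$reach" = local ]; then verdict=LOCAL-ONLY
    elif [ "$ssl" = yes ];     then verdict=SSL-WRAPPED
    elif [ "$plain" = no ];    then verdict=STARTTLS-ONLY
    else verdict=PLAINTEXT-EXPOSED; rc=1   # "unset"/"unknown" count as exposed until confirmed
    fi
    printf '%s\t%s\tlisten=%s conf=%s allowplaintext=%s\n' \
      "$name" "$verdict" "$listen" "$conf" "$plain"
  done < "$tmp"
  rm -f "$tmp"
  return $rc
}

# Constructed sample mirroring the page's three files; prints the directory.
make_sample_configs() {
  d=$(mktemp -d)
  printf 'allowplaintext: no\nsasl_minimum_layer: 128\n'     > "$d/imapd.conf"
  printf 'allowplaintext: yes\nsasl_mech_list: PLAIN LOGIN\n' > "$d/imapd-local.conf"
  cat > "$d/cyrus.conf" <<EOF
SERVICES {
  imaplocal  cmd="imapd -C $d/imapd-local.conf" listen="localhost:imap" prefork=0
  imaps      cmd="imapd -s" listen="imaps" prefork=0
  sieve      cmd="timsieved -C $d/imapd-local.conf" listen="sieve" prefork=0
  lmtpunix   cmd="lmtpd" listen="/var/spool/postfix/public/lmtp" prefork=1
}
EOF
  echo "$d"
}

# Stand-alone run on the constructed sample:
# d=$(make_sample_configs); audit_cyrus_services "$d/cyrus.conf" "$d/imapd.conf"
```

Run it on a real host as `audit_cyrus_services /etc/cyrus.conf /etc/imapd.conf`. On the layout shown above it reports imaplocal and lmtpunix as LOCAL-ONLY and imaps as SSL-WRAPPED, but flags sieve as PLAINTEXT-EXPOSED: timsieved is bound to the network sieve port and started with /etc/imapd-local.conf, whose allowplaintext: yes means the server side will not reject a PLAIN or LOGIN exchange that a client sends before STARTTLS. Whether that is acceptable depends on the clients; if it is not, point sieve at a config file with allowplaintext: no.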

Testing

imaps

Use a port scanner like "nmap":

station7:/etc/init.d # nmap localhost | grep imap
993/tcp  open  imaps


→ imaps is running on port 993

Test MECH=LOGIN:

station7:/ # imtest -a root -u root -m LOGIN station7.example.com -s

verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK groupware-test Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN root {6}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 256


Test MECH=PLAIN:

station7:/ # imtest -a root -u root -m PLAIN station7.example.com -s
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK groupware-test Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN cm9vdAByb290AHZyMjAweA==
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256


You can additionally watch the output of ssldump:

ssldump -d -i lo -k /etc/ssl/private/station7_key.pem port 993
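Note that both imtest runs above print "verify error:num=20" and "num=21": imtest had no trust anchor for the CA that signed the server certificate, so the tests prove that a TLS session with AES256-SHA came up, but not that the certificate chain is valid. The script below is an added example, not part of the original page or of Cyrus: it probes port 993 with openssl s_client, handing it the CA file from the configuration above, and turns the s_client report into a pass/fail verdict. The verdict function only reads a report on stdin, so it can be run over a saved transcript as well. The function names and the two sample reports are constructed; the sample "unverified" report reproduces the verify errors shown above.

```shell
#!/bin/sh
# Added example (not from the original page): probe an imaps port with
# openssl s_client and evaluate the result. Function names and the sample
# reports below are constructed for illustration.

# Usage: imaps_probe HOST [CAFILE]  -> prints the raw s_client report
# CAFILE defaults to the tls_ca_file used in the page's imapd.conf.
imaps_probe() {
  host=$1; cafile=${2:-/etc/ssl/certs/ca_cert.pem}
  openssl s_client -connect "$host:993" -servername "$host" \
    -CAfile "$cafile" </dev/null 2>&1
}

# Usage: evaluate_tls_report < REPORT
# Prints "verify=<code> protocol=<p> cipher=<c> errors=<list>"; exit status 1
# when the chain did not verify (code != 0) or SSLv2/SSLv3 was negotiated.
evaluate_tls_report() {
  awk '
    /^verify error:num=/  { split($0, a, ":"); errs = (errs == "" ? a[2] : errs "," a[2]) }
    /Verify return code:/ { sub(/.*Verify return code: */, ""); code = $1 }
    /^ *Protocol *:/      { sub(/.*: */, ""); proto = $0 }
    /^ *Cipher *:/        { sub(/.*: */, ""); cipher = $0 }
    END {
      if (code == "") code = "unknown"
      if (errs == "") errs = "none"
      printf "verify=%s protocol=%s cipher=%s errors=%s\n", code, proto, cipher, errs
      if (code != "0" || proto == "SSLv2" || proto == "SSLv3") exit 1
    }'
}

# Constructed report: chain not trusted, as in the imtest output on the page.
sample_report_unverified() {
  cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = station7.example.com
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
EOF
}

# Constructed report: chain verified against the CA file, modern session.
sample_report_ok() {
  cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Internal CA
verify return:1
depth=0 CN = station7.example.com
verify return:1
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
EOF
}

# Stand-alone run against the constructed reports (no network needed):
# sample_report_unverified | evaluate_tls_report; echo "exit=$?"
# sample_report_ok         | evaluate_tls_report; echo "exit=$?"
# Live use: imaps_probe station7.example.com | evaluate_tls_report
```

A "verify=0" line is the result the imtest runs above do not give you; anything else means the client would have accepted any certificate, which is exactly the situation an active attacker needs, so fix the trust anchor (or the server's chain) before relying on the test.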


