TLS, IMAP over SSL (imaps) and pop3 over SSL (pop3s)
TLS
Modify / append the TLS settings in /etc/imap.conf:
#--- SSL/TLS setting ---#
tls_ca_path: /etc/ssl/certs
tls_ca_file: /etc/ssl/certs/ca_cert.pem
tls_cert_file: /etc/ssl/certs/station7_cert.pem
tls_key_file: /etc/ssl/private/station7_key.pem
SSL for imap - imaps
Modify / append the SSL settings in /etc/cyrus.conf and deactivate the unencrypted protocols.
SERVICES {
  imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="localhost:imap" prefork=0
  imaps     cmd="imapd -s" listen="imaps" prefork=0
  sieve     cmd="timsieved -C /etc/imapd-local.conf" listen="sieve" prefork=0
  lmtpunix  cmd="lmtpd" listen="/var/spool/postfix/public/lmtp" prefork=1
}
* Since the Cyrus management tool "cyradm" cannot use SSL or TLS, you also have to define a "normal" imap service, which you secure by letting it bind only on localhost. For this imap service you have to define an additional config file, e.g. /etc/imapd-local.conf, which contains no SSL, TLS or "noplaintext" settings.
* Since SIEVE can only use STARTTLS and no SSL or TLSv1, you need to define as config file also
Modify the settings in /etc/imapd.conf:
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
admins: cyrus
allowplaintext: no
autocreatequota: 100000
reject8bit: no
quotawarn: 70
timeout: 300
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sasl_minimum_layer: 128
sasl_mech_list: PLAIN LOGIN
lmtp_overquota_perm_failure: yes
lmtp_downcase_rcpt: yes
lmtpsocket: /var/spool/postfix/public/lmtp
tls_ca_path: /etc/ssl/certs
tls_ca_file: /etc/ssl/certs/ca_cert.pem
tls_cert_file: /etc/ssl/certs/groupware_cert.pem
tls_key_file: /etc/ssl/private/groupware_key.pem
tls_cipher_list: TLSv1:STARTTLS:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
/etc/imapd-local.conf:
postmaster: postmaster
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
sievedir: /var/lib/sieve
#sieve_maxscriptsize: 32
#sieve_maxscript: 5
admins: cyrus
allowanonymouslogin: no
allowplaintext: yes
autocreatequota: 100000
reject8bit: no
quotawarn: 70
timeout: 300
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
#sasl_minimum_layer: 128
sasl_mech_list: PLAIN LOGIN
lmtp_overquota_perm_failure: yes
lmtp_downcase_rcpt: yes
lmtpsocket: /var/spool/postfix/public/lmtp
After all the above modifications to the Cyrus configuration, restart Cyrus and watch the output in /var/log/messages carefully!
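As an added check (example code written for this page, not Cyrus's own tooling), the following Python script parses the two imapd.conf-style files above and flags the settings that matter for the split between the TLS-only public service and the localhost-only service used by cyradm: allowplaintext, sasl_minimum_layer, the TLS certificate/key files and the cipher list. The two sample configs are constructed from the values shown on this page; the rule set and the function names are this example's own.

```python
"""Audit Cyrus imapd.conf files for the TLS / plaintext settings discussed above.

Added example, not part of the original page or of the Cyrus project.
The sample configs are constructed from the page's values (abridged).
"""
import re

# Constructed sample: the TLS-only /etc/imapd.conf from the page (abridged).
IMAPD_CONF = """\
configdirectory: /var/lib/imap
admins: cyrus
allowplaintext: no
sasl_pwcheck_method: saslauthd
sasl_minimum_layer: 128
sasl_mech_list: PLAIN LOGIN
tls_ca_file: /etc/ssl/certs/ca_cert.pem
tls_cert_file: /etc/ssl/certs/groupware_cert.pem
tls_key_file: /etc/ssl/private/groupware_key.pem
tls_cipher_list: TLSv1:STARTTLS:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
"""

# Constructed sample: the localhost-only /etc/imapd-local.conf (abridged).
IMAPD_LOCAL_CONF = """\
configdirectory: /var/lib/imap
admins: cyrus
allowanonymouslogin: no
allowplaintext: yes
sasl_pwcheck_method: saslauthd
#sasl_minimum_layer: 128
sasl_mech_list: PLAIN LOGIN
"""


def parse_imapd_conf(text):
    """Parse Cyrus 'key: value' lines into a dict; '#' lines and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a 'key: value' line
        conf[key.strip().lower()] = value.strip()
    return conf


def audit_imapd_conf(conf, localhost_only=False):
    """Return a list of findings (empty list = nothing to report).

    localhost_only=True relaxes the plaintext rules for a service that is bound
    to localhost only (the cyradm case from the cyrus.conf above).
    """
    findings = []
    if not localhost_only:
        # Cyrus defaults for allowplaintext differ between versions, so the
        # network-facing service must set it to 'no' explicitly.
        if conf.get("allowplaintext", "").lower() != "no":
            findings.append("allowplaintext is not set to 'no' on a network-facing service")
        # sasl_minimum_layer defaults to 0, i.e. no security layer required.
        if int(conf.get("sasl_minimum_layer", "0")) == 0:
            findings.append("sasl_minimum_layer not set: SASL may be used without a security layer")
        for key in ("tls_cert_file", "tls_key_file"):
            if key not in conf:
                findings.append(f"{key} missing: service cannot offer TLS")
    ciphers = conf.get("tls_cipher_list", "")
    # Flags the SSLv2 / SSLv3 keywords when they are selected (not when excluded with '!').
    if re.search(r"(^|:)SSLv[23](:|$)", ciphers):
        findings.append("tls_cipher_list selects SSLv2/SSLv3-generation cipher suites")
    return findings


if __name__ == "__main__":
    for name, text, local in (("imapd.conf", IMAPD_CONF, False),
                              ("imapd-local.conf", IMAPD_LOCAL_CONF, True)):
        print(name, audit_imapd_conf(parse_imapd_conf(text), localhost_only=local))
```

Run against the page's values, the public config produces exactly one finding (the cipher list), while the localhost-only config is clean under its relaxed rules but would produce four findings if it were ever used for a network-facing service.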
Testing
imaps
Use a port scanner like "nmap":
station7:/etc/init.d # nmap localhost | grep imap
993/tcp open imaps
→ imaps is running at port 993
Test MECH=LOGIN:
station7:/ # imtest -a root -u root -m LOGIN station7.example.com -s
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK groupware-test Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: L01 LOGIN root {6}
S: + go ahead
C: <omitted>
S: L01 OK User logged in
Authenticated.
Security strength factor: 256
Test MECH=PLAIN:
station7:/ # imtest -a root -u root -m PLAIN station7.example.com -s
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
TLS connection established: TLSv1 with cipher AES256-SHA (256/256 bits)
S: * OK groupware-test Cyrus IMAP4 v2.2.12 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=LOGIN AUTH=PLAIN SASL-IR X-NETSCAPE
S: C01 OK Completed
Please enter your password:
C: A01 AUTHENTICATE PLAIN cm9vdAByb290AHZyMjAweA==
S: A01 OK Success (tls protection)
Authenticated.
Security strength factor: 256
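To make the two imtest exchanges above concrete, here is an added Python example (not part of this page, of Cyrus or of imtest) that parses the CAPABILITY line printed by the server, lists the advertised AUTH= mechanisms, decides whether a PLAIN/LOGIN authentication on a given connection would expose the password, and encodes/decodes a SASL PLAIN message of the kind sent in the AUTHENTICATE PLAIN step. The capability line is the one from the page; the credentials alice / s3cret are constructed for the example.

```python
"""Inspect an IMAP CAPABILITY line and a SASL PLAIN exchange.

Added example, not part of the original page or of Cyrus / imtest.
The capability line is copied from the page; the credentials below are
constructed (alice / s3cret), not the page's.
"""
import base64

# The untagged CAPABILITY response shown in the imtest output on this page.
CAPABILITY_LINE = (
    "* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE "
    "UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT "
    "THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE IDLE AUTH=LOGIN "
    "AUTH=PLAIN SASL-IR X-NETSCAPE"
)


def parse_capabilities(line):
    """Return the set of capability tokens from an untagged '* CAPABILITY' line."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY response")
    return set(parts[2:])


def auth_mechanisms(caps):
    """SASL mechanisms the server advertises (the AUTH=<name> tokens)."""
    return {c.split("=", 1)[1] for c in caps if c.upper().startswith("AUTH=")}


def password_exposed(caps, tls_active):
    """True if a client could send a reversible credential in the clear:
    PLAIN/LOGIN advertised or the LOGIN command not disabled, and no TLS."""
    mechs = auth_mechanisms(caps)
    clear_auth_offered = bool(mechs & {"PLAIN", "LOGIN"}) or "LOGINDISABLED" not in caps
    return clear_auth_offered and not tls_active


def sasl_plain_encode(authcid, password, authzid=""):
    """Build the base64 SASL PLAIN message: authzid NUL authcid NUL password (RFC 4616)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(message):
    """Recover the three fields: PLAIN is an encoding, not a protection."""
    fields = base64.b64decode(message).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("malformed SASL PLAIN message")
    return tuple(fields)


if __name__ == "__main__":
    caps = parse_capabilities(CAPABILITY_LINE)
    print("mechanisms:", sorted(auth_mechanisms(caps)))
    print("exposed over TLS:", password_exposed(caps, tls_active=True))
    print("exposed without TLS:", password_exposed(caps, tls_active=False))
    msg = sasl_plain_encode("alice", "s3cret")  # constructed credentials
    print("PLAIN message:", msg, "->", sasl_plain_decode(msg))
```

The decode function is the reason the page sets allowplaintext: no and sasl_minimum_layer: 128 for the network-facing service: the base64 string in the AUTHENTICATE PLAIN line is a reversible encoding of the credentials, and only the TLS session (the "tls protection" in the server's OK reply) keeps it from being read on the wire.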
Additionally, you can watch the TLS session with ssldump (the server's private key lets it decrypt the traffic):
ssldump -d -i lo -k /etc/ssl/private/station7_key.pem port 993