Topic: Installing an SSL in Courier IMAP

golfreeze

Installing an SSL in Courier IMAP
« on: February 16, 2012, 12:02:15 PM »
To Install Your SSL in Courier IMAP [ support with GoDaddy cert ]
 
   1. Gather your certificate files.
      Log in to your SSL Manager and download your primary and intermediate certificates. You also need your private key (your_domain.key), which was generated by your server along with your CSR.
   2. Create a combined .pem certificate file.
      Using a text editor such as Notepad, paste in the contents of the primary certificate and your private key, including the BEGIN and END tags. For example:
      -----BEGIN CERTIFICATE-----
      (Your primary certificate: your_domain.crt)
      -----END CERTIFICATE-----
      -----BEGIN RSA PRIVATE KEY-----
      (Your private key: your_domain.key)
      -----END RSA PRIVATE KEY-----
      Save the file as gdcertpack.pem
   3. Save the Go Daddy intermediate certificate.
      Copy the Go Daddy intermediate certificate into a text editor and save the file as gdca.txt
   4. Secure Courier IMAP.
      Locate and open the imapd-ssl file (usually found in /usr/lib/courier-imap/etc/). Add the following directives and file locations:
          * TLS_CERTFILE=/some/path/gdcertpack.pem
          * TLS_TRUSTCERTS=/some/path/gdca.txt
      Verify that the line below allows SSLv3:
          * TLS_PROTOCOL=SSL3
   5. Secure POP3.
      Locate and open the pop3d-ssl file (typically found in /usr/lib/courier-imap/etc/). Add the following directives and file locations:
          * TLS_CERTFILE=/some/path/gdcertpack.pem
          * TLS_TRUSTCERTS=/some/path/gdca.txt
   6. Verify your file permissions.
      Ensure gdcertpack.pem is readable by root only.
   7. Restart your Courier IMAP server.

Older email clients might not support SSLv3 or TLSv1. If you want to support users with old email clients, configure IMAP_TLS_REQUIRED=0 in both IMAP and POP3 files.

golfreeze

Re: Installing an SSL in Courier IMAP
« Reply #1 on: February 16, 2012, 04:57:42 PM »
http://linux.m2osw.com/setting-postfixcourier-godaddy-ssl-certificate

In order to have TLS support for Postfix you need to setup several files.

First of all, you create a certificate and get it signed by GoDaddy. They have instructions for that purpose. At this time, it looks something like this:

openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

The names "domain.key/csr" should match your domain name. If you are signing a specific sub-domain, you may want to include that sub-domain in the filename (i.e. mail.domain.key.)

When GoDaddy returns to you, they will give you a zip file with two files:

gd_bundle.crt
domain.com.crt

The Postfix installation requires a few flags to get things to work on that end. Something like this should work on Ubuntu. You may want to read the documentation about each one of these options before using them.

smtp_tls_loglevel = 0
smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_cert_file = /etc/postfix/tls/server.pem
smtpd_tls_key_file = /etc/postfix/tls/key.pem
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

The key.pem file is your private key. The private key starts with the line:

-----BEGIN RSA PRIVATE KEY-----

The server.pem file is a concatenation of the signed public key and GoDaddy bundle. This means:

cat domain.com.crt gd_bundle.crt >server.pem

The .crt file is a public key so it starts with:

-----BEGIN CERTIFICATE-----

The bundle helps the postfix system to find all the necessary certificates.

Once you have that done, you can create the necessary .pem files for courier. We only use IMAP3 and POP3, but I would imagine that the SMTP file is the same. Those files include all the certificates and keys. All in one.

cat domain.key domain.com.crt gd_bundle.crt >imapd.pem
cp imapd.pem pop3d.pem

Of course, you will have to restart postfix and courier accordingly.

service postfix restart
service courier-imap-ssl restart
service courier-pop-ssl restart

golfreeze

Re: Installing an SSL in Courier IMAP
« Reply #2 on: February 16, 2012, 05:01:03 PM »
Here's a quick and dirty instruction set to add a GoDaddy cert (with intermediary file) to your mail server. Admins, please feel free to clean this up.


# create CSR and KEY
cd /etc/ssl/private
openssl req -newkey rsa:2048 -nodes -keyout certdomain.com.key -out certdomain.com.csr

#Submit CSR to CA

#create gd_bundle.crt (replace with current)

tee /etc/ssl/private/gd_bundle.crt <<-\EOA
-----BEGIN CERTIFICATE-----
(the contents of your gd_bundle.crt file)
-----END CERTIFICATE-----
EOA

#create certdomain.com.crt (replace with new cert)

tee /etc/ssl/private/certdomain.com.crt <<-\EOA
-----BEGIN CERTIFICATE-----
(the contents of your domain.crt file)
-----END CERTIFICATE-----
EOA

#create certdomain.com.pem

cat /etc/ssl/private/certdomain.com.crt /etc/ssl/private/certdomain.com.key > /etc/ssl/private/certdomain.com.pem

#Edit /etc/courier/imapd-ssl and pop3d-ssl

TLS_CERTFILE=/etc/ssl/private/certdomain.com.pem
TLS_TRUSTCERTS=/etc/ssl/private/gd_bundle.crt

#restart imapd-ssl and pop3d-ssl

/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart

#test

openssl s_client -host 127.0.0.1 -port 993

###GET TLS on postfix.

#edit /etc/postfix/main.cf
#comment out existing lines:
#smtpd_tls_cert_file = /etc/postfix/smtpd.cert
#smtpd_tls_key_file = /etc/postfix/smtpd.key

#add the following:

smtpd_tls_key_file = /etc/ssl/private/certdomain.com.key
smtpd_tls_cert_file = /etc/ssl/private/certdomain.com.crt

#smtpd_tls_auth_only = yes #uncomment if you want only SSL connections over SMTP
smtpd_tls_CAfile = /etc/ssl/private/gd_bundle.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

#end of editing main.cf

#restart postfix

/etc/init.d/postfix restart
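The three posts above build concatenated PEM files by hand (gdcertpack.pem, server.pem, imapd.pem) and then point TLS_CERTFILE / smtpd_tls_cert_file at them, so the usual failures are a key or certificate block missing, a key landing in the Postfix cert file, or two pieces glued onto one line because a file had no trailing newline. The checker below is an added example, not code from the thread, Courier or Postfix; the role names and function names are my own, and it inspects PEM armor only (it does not confirm that the key matches the certificate).

```python
import os
import re
import stat

# One PEM block: a BEGIN line, the base64 body, and an END line carrying the same label.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----\r?$", re.S | re.M)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}

def pem_labels(text):
    """Labels of the well-formed PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_bundle(text, role):
    """Report layout problems in a concatenated PEM file built as in the thread.
    role 'courier': Courier TLS_CERTFILE, private key plus server cert (chain optional)
    role 'postfix': Postfix smtpd_tls_cert_file, server cert plus bundle, key kept separate
    role 'trust'  : TLS_TRUSTCERTS / smtpd_tls_CAfile, CA certificates only
    Returns a list of problem strings; an empty list means the layout is acceptable."""
    problems = []
    labels = pem_labels(text)
    # If a piece lacked a trailing newline before cat, END and the next BEGIN share a
    # line; that block is then not well-formed and BEGIN markers outnumber parsed blocks.
    if text.count("-----BEGIN ") != len(labels):
        problems.append("malformed block (missing newline between concatenated files?)")
    keys = sum(1 for label in labels if label in KEY_LABELS)
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        problems.append("no CERTIFICATE block")
    if role == "courier" and keys != 1:
        problems.append("TLS_CERTFILE needs exactly one private key, found %d" % keys)
    if role != "courier" and keys:
        problems.append("private key does not belong in this file")
    return problems

def mode_is_private(st_mode, st_uid):
    """Step 6 of the thread: a key-bearing file is root-owned and unreadable by group/other."""
    return st_uid == 0 and not (st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def check_file(path, role):
    """Run both checks on a file on disk, e.g. check_file('/some/path/gdcertpack.pem', 'courier')."""
    with open(path) as handle:
        problems = check_bundle(handle.read(), role)
    st = os.stat(path)
    if role == "courier" and not mode_is_private(st.st_mode, st.st_uid):
        problems.append("%s must be owned by root with mode 0600" % path)
    return problems

# Constructed placeholder blocks standing in for real base64 bodies (not real certs or keys).
CERT = "-----BEGIN CERTIFICATE-----\nMIIC/constructed+leaf\n-----END CERTIFICATE-----\n"
BUNDLE = "-----BEGIN CERTIFICATE-----\nMIIE/constructed+intermediate\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE/constructed+key\n-----END RSA PRIVATE KEY-----\n"
```

Run check_file against each file named in the imapd-ssl, pop3d-ssl and main.cf settings before restarting the daemons; a non-empty list is the reason the service will fail to start or serve an incomplete chain.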