jueves, 12 de junio de 2008

SSL Dovecot

Notas sencillas sobre cómo configurar Dovecot con SSL.

1.- Descargamos el fichero http://dovecot.org/doc/mkcert.sh
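#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.
#
# Tunable through the environment (all optional):
#   OPENSSL        openssl binary to run (default: openssl)
#   SSLDIR         directory containing certs/ and private/ (default: /etc/ssl)
#   OPENSSLCONFIG  openssl request config; a relative path is resolved from
#                  the current directory (default: dovecot-openssl.cnf)
#   DAYS           certificate validity in days (default: 365)
#
# Exit status: 0 on success, 1 when a directory is missing or an output file
# already exists (existing files are never overwritten), 2 when openssl fails.

OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}
DAYS=${DAYS-365}

CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

# Preconditions. Messages go to stderr so stdout only carries the summary
# printed at the end; every expansion is quoted so paths with spaces work.
if [ ! -d "$CERTDIR" ]; then
  echo "$SSLDIR/certs directory doesn't exist" >&2
  exit 1
fi

if [ ! -d "$KEYDIR" ]; then
  echo "$SSLDIR/private directory doesn't exist" >&2
  exit 1
fi

if [ -f "$CERTFILE" ]; then
  echo "$CERTFILE already exists, won't overwrite" >&2
  exit 1
fi

if [ -f "$KEYFILE" ]; then
  echo "$KEYFILE already exists, won't overwrite" >&2
  exit 1
fi

# Key size, subject and extensions come from OPENSSLCONFIG. -nodes writes the
# private key unencrypted (it overrides encrypt_key in the config) so it can
# be loaded without a passphrase. The subshell umask guarantees the key file is
# never group/world-readable, not even in the window between openssl creating
# it and the chmod below; the certificate is public, so it gets the usual 0644.
(umask 077 && "$OPENSSL" req -new -x509 -nodes -config "$OPENSSLCONFIG" \
  -out "$CERTFILE" -keyout "$KEYFILE" -days "$DAYS") || exit 2
chmod 0600 "$KEYFILE"
chmod 0644 "$CERTFILE"
echo
# Print subject and fingerprint so the result can be checked, and so the
# fingerprint can be compared against what clients see on first connection.
"$OPENSSL" x509 -subject -fingerprint -noout -in "$CERTFILE" || exit 2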

2.- Creamos el fichero /etc/dovecot/dovecot-openssl.cnf (por defecto mkcert.sh lo busca en el directorio desde el que se ejecuta, salvo que se indique otra ruta en la variable OPENSSLCONFIG)
[ req ]
# RSA key size in bits. 1024 is below current minimum recommendations
# (2048 or more); raise it before generating the certificate.
default_bits = 1024
# No effect with mkcert.sh: it passes -nodes, so the key is written unencrypted.
encrypt_key = yes
# Subject fields are taken from the [req_dn] section below.
distinguished_name = req_dn
# Extensions added to the self-signed certificate, from [cert_type] below.
x509_extensions = cert_type
# Don't prompt interactively; use the values in this file.
prompt = no

[ req_dn ]
# country (2 letter code)
C=ES

# State or Province Name (full name)
ST=Madrid

# Locality Name (eg. city)
L=Leganes

# Organization (eg. company)
O=ISIDISI

# Organizational Unit Name (eg. section)
OU=IMAP SSL Server

# Common Name (*.example.com is also possible)
# Must match the host name clients connect to, or they will warn about the
# certificate.
CN=imap.isidisi.com

# E-mail contact
emailAddress= info@isidisi.com

[ cert_type ]
# Legacy Netscape extension marking the certificate for server use; harmless,
# but not something modern clients rely on.
nsCertType = server

3.- Hacemos backup de los certificados que vienen por defecto en Dovecot:
# mkcert.sh refuses to run if /etc/ssl/certs/dovecot.pem or
# /etc/ssl/private/dovecot.pem already exist, so the distribution defaults must
# be moved aside before generating the new pair. mv keeps the original modes,
# so the old key stays readable only to its owner; delete the .bak files once
# the new certificate is confirmed working.
mv /etc/ssl/private/dovecot.pem /etc/ssl/private/dovecot.pem.bak
mv /etc/ssl/certs/dovecot.pem /etc/ssl/certs/dovecot.pem.bak

4.- Modificamos /etc/dovecot/dovecot.conf

# imaps (implicit TLS) alongside plain imap. With both enabled, clients can
# still connect in cleartext on the imap port; whether they may authenticate
# there depends on other settings not shown here (e.g. disable_plaintext_auth).
protocols = imap imaps
ssl_disable = no
# The files written by mkcert.sh in step 1 (CERTFILE / KEYFILE).
ssl_cert_file = /etc/ssl/certs/dovecot.pem
# mkcert.sh leaves this key at mode 0600; keep it that way.
ssl_key_file = /etc/ssl/private/dovecot.pem

5.- Reiniciamos dovecot
[root@imap.isidisi.com] /etc/init.d/dovecot restart
Restarting mail server: dovecot.
