using_ssl_with_exim_4_on_debian [2009/07/06 14:51]
adam
using_ssl_with_exim_4_on_debian [2016/11/25 22:38] (current)
===== Using SSL with Exim 4 and Courier IMAP/POP3 on Debian =====
  
Here I will be setting up SSL certificates and keys with Exim 4 and Courier IMAP and POP3 under Debian, to secure both the sending and retrieval of email and the username and password details sent to my server.
  
I will be using SSL certificates from [[http://www.cacert.org/|CA Cert]] as they are free. CA Cert is not a commercial 'paid-for' certificate provider, so its root certificate will not be installed in your web browser or mail client by default. You will need to install the CA Cert root certificate on every machine you connect from over SSL to machines using CA Cert certificates, or you will get irritating warnings. If you want to avoid this hassle, or you want commercial grade support (and perhaps some insurance), go with a commercial SSL certificate provider like Thawte, VeriSign or Comodo. Be clear about what installing a root certificate means: you are trusting CA Cert to run its CA securely, and your client will then accept not just your own certificate but any certificate CA Cert has ever issued, for any hostname. In terms of commercial liability, this might not be something you want to do.
If you want to use a commercial SSL provider then this should still work for you, but the CA Cert specific steps will need to be translated to apply to your own provider. In that case you won't need to import the CA Cert root certificate either.
  
Using SSL to secure SMTP, POP3 and IMAP means that everything passing between your mail client and your server, including your username and password, is encrypted. Mail passing between mail servers is only encrypted if both ends support TLS and are configured to prefer it, and even then the sending server usually does not verify the receiving server's certificate, so server to server TLS protects against passive eavesdropping rather than an active attacker. You have no control over how other people's mail servers are set up, so there is no guarantee of end to end encrypted transmission. If that is what you want, encrypt your email before sending it using [[http://www.pgp.com/|PGP]] or [[http://www.gnupg.org/|GPG]]. Thunderbird users like me can use the [[http://enigmail.mozdev.org/home/index.php|Enigmail]] extension, which works with GPG.
  
==== Set up a CA Cert Account ====
It should work though. If it does then you're done :) Just keep an eye on when your certificate expires, because you will need to renew it before then or clients will start getting errors. And remember that CA Cert is not an official, paid for certificate provider: you will need to install its root certificate on every machine you connect over SSL from to avoid irritating errors.
  
==== Setting Up Courier IMAP and POP3 for SSL ====

You already have an SSL certificate for your hostname, so there is little point in making a new one. You should already have courier-imap and courier-pop installed; if you don't, and you are collecting your mail over IMAP or POP3, then you must be using some other POP or IMAP daemon like Dovecot, and I can't help you there as I'm using Courier. For IMAP and POP3 over SSL with Courier you also need courier-imap-ssl and courier-pop-ssl installed; if you don't have them, install them now.

Courier expects your certificate and private key in a single file. Use the following to make one file containing both, replacing 'hostname' with the common name you gave when creating your SSL certificate. The resulting file contains your private key, so it must be readable only by root (the same goes for /etc/exim4/exim.key):

  cat /etc/exim4/exim.crt /etc/exim4/exim.key > /etc/courier/hostname.pem

Now edit both /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl, find the TLS_CERTFILE directive (on Debian it points at a self-signed imapd.pem or pop3d.pem by default) and change it in each file to:

  TLS_CERTFILE=/etc/courier/hostname.pem

Save the files and restart both the courier-imap-ssl and courier-pop-ssl daemons:

  /etc/init.d/courier-imap-ssl restart
  /etc/init.d/courier-pop-ssl restart

Keep an eye open for any errors or daemons failing to restart. If there are any problems, check /var/log/mail.err.

Your Courier SSL daemons should now be using your certificate, so you need to open up TCP ports 993 and 995 for IMAPS and POP3S respectively. Add the following iptables rules, however you manage your firewall, and be sure to make them survive a reboot:

  iptables -A INPUT -p tcp -d mailserverip --dport 993 -j ACCEPT
  iptables -A INPUT -p tcp -d mailserverip --dport 995 -j ACCEPT

Note that the plain courier-imap and courier-pop daemons are still listening on ports 143 and 110 and still accept unencrypted logins there. Once your clients are using the SSL ports, either block 143 and 110 at the firewall or stop those daemons, otherwise a misconfigured client (or a client whose connection an attacker has downgraded) can still send your password in the clear.

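The following shell script is an added example and not part of the original page. It wraps the certificate handling above with the checks a practitioner would want before restarting Courier: it confirms the private key actually belongs to the certificate, writes the combined file root-readable from the moment it is created, and reports the number of days left on the certificate (the expiry watch the Exim section above asks you to keep). It also carries a manual openssl s_client check for the 993/995 listeners. The default paths are the ones used on this page; mail.example.com and /path/to/cacert-root.crt are placeholders, and the RUN_SETUP switch is this script's own convention so that it does nothing to /etc when merely sourced.

```shell
#!/bin/sh
# Added example, not from the original page: checked version of the steps above.
# Defaults are the paths used on this page; override via environment variables.
CRT="${CRT:-/etc/exim4/exim.crt}"
KEY="${KEY:-/etc/exim4/exim.key}"
PEM="${PEM:-/etc/courier/hostname.pem}"

# Succeeds only when the private key in $2 belongs to the certificate in $1.
# Compares the public keys, so a stale or wrong key file is caught before
# Courier is restarted with it.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Build the single cert+key file Courier wants ($3) from certificate $1 and key $2.
# The umask in the subshell means the file is created root-only from the start
# rather than being world readable for an instant before a later chmod.
build_courier_pem() {
    key_matches_cert "$1" "$2" || { echo "$2 does not match $1" >&2; return 1; }
    ( umask 077 && cat "$1" "$2" > "$3" ) || return 1
    chmod 600 "$3"
}

# Whole days until the certificate in $1 expires; negative once it has.
# Tries GNU date first, then the BSD/macOS date syntax.
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_s=$(date -u -d "$end" +%s 2>/dev/null) \
        || end_s=$(date -ju -f '%b %e %H:%M:%S %Y %Z' "$end" +%s)
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Manual check of a live listener (needs the network, so it is not run here):
# connect to $1:$2 and verify the presented chain against the CA root file $3,
# e.g.  check_tls_listener mail.example.com 993 /path/to/cacert-root.crt
# Prints "Verify return code: 0 (ok)" when the chain verifies.
check_tls_listener() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}

# Only touch the real files when explicitly asked (RUN_SETUP=1 is this script's switch).
if [ "${RUN_SETUP:-0}" = 1 ]; then
    build_courier_pem "$CRT" "$KEY" "$PEM" || exit 1
    echo "bundle written to $PEM; certificate expires in $(days_until_expiry "$CRT") days"
fi
```

Run it as root with RUN_SETUP=1 to build /etc/courier/hostname.pem, then restart the Courier SSL daemons as shown above and run check_tls_listener against ports 993 and 995 from a machine that has the CA Cert root installed. A non-zero "Verify return code" on a client that trusts the root means the wrong certificate, or an expired one, is being served.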
==== Setting Up Your Mail Client for IMAP and POP3 for SSL ====

In Thunderbird, go into your account settings, then Server Settings, and tick the SSL box in the Security Settings section. Now try to access your mail. It should work; if not, check /var/log/mail.err on the server and make sure you opened the firewall rules. Otherwise you're all set, and all of your communication with your mail server will be done over SSL :-)
  
==== Links ====