using_ssl_with_exim_4_on_debian

Differences

using_ssl_with_exim_4_on_debian [2009/07/03 17:29]
adam
using_ssl_with_exim_4_on_debian [2016/11/25 22:38] (current)
Line 1: Line 1:
-===== Using SSL with Exim 4 on Debian =====+===== Using SSL with Exim 4 and Courier IMAP/POP3 on Debian ===== 
 + 
 +Here I will be setting up SSL keys with Exim 4 and Courier IMAP and POP3 under Debian to secure the sending and retrieval of emails and username and password details to my server. 
 + 
 +I will be using SSL certificates from [[http://www.cacert.org/|CA Cert]] as they are free. CA Cert are not a commercial 'paid-for' certificate provider and so their keys will not automatically be installed in your web browser or mail client. You will need to install their root keys on every machine you wish to connect from over SSL to your machines which use CA Cert keys to avoid irritating errors. If you want to avoid this hassle or you want commercial grade support (and perhaps some insurance), go with a commercial SSL certificate provider like Thawte, Verizon or Comodo. By installing the CA Cert root keys, you are agreeing to the fact that you trust CA Cert to be secure and to verify your own keys against. In terms of commercial liability, this might not be something you want to do. 
 + 
 +If you want to use a commercial SSL provider, then this should still work for you, but the CA Cert specific stuff will need to be translated to apply to your own provider. Of course in that case, you won't need to import the CA Cert root keys either. 
 + 
 +Using SSL to secure SMTP, POP3 and IMAP means all of the sending and receiving of email between your mail client and server will be encrypted as will your username and password. Sending and receiving of mail between mail servers will only be encrypted if both ends support it and are configured to use it as a preference. You will have no control over whether other people's mail servers do so, so there are no guarantees of complete end to end encrypted transmission. If that's what you want, you would be better off encrypting your email before sending using [[http://www.pgp.com/|PGP]] or [[http://www.gnupg.org/|GPG]]. For Thunderbird users like me, you can use the [[http://enigmail.mozdev.org/home/index.php|Enigmail]] extension which works with GPG and possibly PGP.
  
 ==== Set up a CA Cert Account ==== ==== Set up a CA Cert Account ====
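Review bot: The sentence in the new introduction that installing the CA Cert root keys means "you trust CA Cert to be secure and to verify your own keys against" understates the scope of that decision; a root certificate added to a browser or mail client trust store is trusted for every certificate that CA issues, not only the ones for your own hosts. Suggest rewording to something like "you are trusting CA Cert to correctly verify every certificate it issues, not just yours", so readers weigh the trust-store change with that in mind.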
Line 38: Line 46:
   MAIN_TLS_ENABLE = true   MAIN_TLS_ENABLE = true
  
-The above is described [[http://wiki.cacert.org/wiki/Exim4Configuration|here]], [[http://wiki.exim.org/EximServerSslCertificate|here]] and [[http://edin.no-ip.com/content/exim4-courier-ssl-debian-etch-mini-howto|here]].+The above is described [[http://wiki.cacert.org/wiki/Exim4Configuration|here]], [[http://wiki.exim.org/EximServerSslCertificate|here]] and [[http://edin.no-ip.com/content/exim4-courier-ssl-debian-etch-mini-howto|here]] (note the file paths to the keys in these links are wrong, use mine).
  
 Edit /etc/default/exim4 and modify the relevent line to be: Edit /etc/default/exim4 and modify the relevent line to be:
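Review bot: The added parenthetical "note the file paths to the keys in these links are wrong, use mine" leaves the reader to hunt for which paths are meant; the correct ones are only visible later in the Courier section (/etc/exim4/exim.crt and /etc/exim4/exim.key). Suggest naming them here, e.g. "(the file paths to the keys in these links are wrong; use /etc/exim4/exim.crt and /etc/exim4/exim.key as configured above)". Also, "relevent" in the unchanged context line should be "relevant".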
Line 65: Line 73:
 No instructions here, you should be able to figure this out. Watch your Exim logs for errors if you can't get your mail through. In a corporate environment you might be behind a firewall which doesn't allow you to connect out on TCP port 465, so if it fails and nothing is logged either by your Exim daemon or the firewall on or in front of your mail server, then consider your local firewall restricting outgoing access. No instructions here, you should be able to figure this out. Watch your Exim logs for errors if you can't get your mail through. In a corporate environment you might be behind a firewall which doesn't allow you to connect out on TCP port 465, so if it fails and nothing is logged either by your Exim daemon or the firewall on or in front of your mail server, then consider your local firewall restricting outgoing access.
  
-It should work though. If it does then you're done :) Just be sure to keep an eye on when your certificate expires because you'll need to renew it before then or you'll start getting errors.+It should work though. If it does then you're done :) Just be sure to keep an eye on when your certificate expires because you'll need to renew it before then or you'll start getting errors and remember that CA Cert are not an official, paid for certificate providerYou will need to install their root keys on every machine you wish to connect over SSL from to avoid irritating errors. 
 + 
 +==== Setting Up Courier IMAP and POP3 for SSL ==== 
 + 
 +You already have an SSL certificate for your hostname, so there's little point in making a new one. You should already have courier-imap and courier-pop3 installed, if you don't and you are collecting your mail over IMAP or POP3, then you must be using some other POP or IMAP daemon like Dovecot or something. I can't help you there, I'm using Courier. For IMAP and POP3 over SSL with Courier, you should also have courier-imap-ssl and courier-pop3-ssl installed, if you don't, install them now. 
 + 
 +Courier expects your certificate and key in a single file. Use the following to make a single file which contains both, substitute 'hostname' for the common name you gave when creating your SSL certificate: 
 + 
 +  cat /etc/exim4/exim.crt /etc/exim4/exim.key > /etc/courier/hostname.pem 
 + 
 +Now edit both /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl and search for the TLS_CERTFILE directive, change this in each file to: 
 + 
 +  TLS_CERTFILE=/etc/courier/hostname.pem 
 + 
 +Save the file and restart both the courier-imap-ssl and courier-pop3d-ssl daemons: 
 + 
 +  /etc/init.d/courier-imap-ssl restart 
 +  /etc/init.d/courier-pop-ssl restart 
 + 
 +Keep an eye open for any errors or daemons failing to restart. if there are any problems, check /var/log/mail.err. 
 + 
 +Your courier SSL daemons should now be using your certificate so you need to open up TCP ports 993 and 995 for IMAPS and POP3S respectively. Add the following IP Tables rules, however you manage your filewall and be sure to make them survive a reboot: 
 + 
 +  iptables -A INPUT -p tcp -d mailserverip --dport 993 -j ACCEPT 
 +  iptables -A INPUT -p tcp -d mailserverip --dport 995 -j ACCEPT 
 + 
 +==== Setting Up Your Mail Client for IMAP and POP3 for SSL ==== 
 + 
 +In Thunderbird, go into your account settings, then Server Settings and tick the SSL box in the Security Settings section. Now try to access your mail. It should work. If not, check /var/log/mail.err on the server and make sure you opened the firewall rules. Otherwise, you're all set and all of your communication with your mail server will be done over SSL :-)
  
 ==== Links ==== ==== Links ====
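Review bot: The concatenation step "cat /etc/exim4/exim.crt /etc/exim4/exim.key > /etc/courier/hostname.pem" copies the private key into a new file whose permissions are whatever the shell's umask produces, which is often world-readable; the section should add a step to restrict it (for example chmod 600 and chown it to the user the Courier SSL daemons run as) and check that the new file is not readable by other local accounts. Two smaller points in the same hunk: the prose says to restart "courier-pop3d-ssl" while the command uses "courier-pop-ssl", so one of the two names is wrong and should be made consistent with the actual init script on the system; and the run-on "certificate providerYou will need" in the edited closing paragraph is missing its sentence break ("certificate provider. You will need").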
using_ssl_with_exim_4_on_debian.1246638567.txt.gz · Last modified: 2016/11/25 22:38 (external edit)