Distroname and release: Debian Squeeze

TLS on Courier-IMAP and Courier-POP

Protecting your IMAP and POP3 daemons with TLS is a good idea, since the password is then far less likely to be "stolen" (without TLS, IMAP and POP3 logins travel over the network in plaintext).

I will use my own CA in this example.
This is not strictly needed; the daemons can also run with the example certificate that comes with the package. If that is enough for you, just install the package and do nothing further!

If you do not have your own CA, you can look in my other guides on how to set up a CA. Or else you can simply use the example certificate courier comes with (not as professional though). :)

Install SSL support for courier-imap and courier-pop, or just one of them.
#aptitude install courier-imap-ssl courier-pop-ssl
I will only show the setup of IMAP, because the setup of TLS on POP3 is exactly the same.

Enable TLS for IMAP

It is required that we use a non-password-protected ca.key file, so if you do not have one, create it. The command below writes an unencrypted copy of the key, so keep that file readable by root only.
openssl rsa -in secure_ca.key -out insecure_ca.key
When this is done, we are ready to create the certificate we will use for courier. We will simply give it the same filename as the example certificate, so nothing has to be reconfigured. So let us back up the example certificate first (yes, we like backups) :).
It is nice to have around if courier is misbehaving, so we can swap it back in and find out whether the certificate is to blame or not.
mv /etc/courier/imapd.pem /etc/courier/imapd.pem.bak
Now that the example certificate is "safe", let's create our own certificate to use.

I am a bit lazy, so I will just point you to this guide on how to create a certificate and sign it:
http://www.linuxlasse.net/linux/howtos/24

Now, after the certificate is created, we have to put it in the format courier expects: the private key and the certificate concatenated into a single PEM file.
cat insecure_ca.key mail_linuxlasse_net.crt > /etc/courier/imapd.pem
That should be it. Now restart courier-imap-ssl, to be sure it works with the new certificate.
/etc/init.d/courier-imap-ssl restart
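Before restarting, it is worth checking that imapd.pem is what Courier expects. The script below is an added example, not part of the original guide or of Courier: it verifies that the file holds an unencrypted private key and a certificate, that the two belong together, and that nobody but the owner can read it. It assumes openssl is installed; the path is the one used above.

```shell
#!/bin/sh
# Added example, not from the original guide or from Courier: sanity-check a
# Courier-style imapd.pem before restarting courier-imap-ssl. Courier expects
# the unencrypted private key and the server certificate concatenated into one
# PEM file, and the daemon can only serve TLS if the key matches the certificate.
# Returns 0 when the file looks usable, 1 (with a reason on stderr) otherwise.
check_courier_pem() {
    pem="$1"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    # 1. Both halves must be present.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" \
        || { echo "$pem: no private key block" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "$pem: no certificate block" >&2; return 1; }

    # 2. The key must not be passphrase-protected (a daemon cannot type one in).
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "$pem: private key is passphrase-protected" >&2; return 1
    fi

    # 3. The public key derived from the private key must equal the one in the
    #    certificate; openssl skips the PEM blocks it is not asked for.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) \
        || { echo "$pem: private key cannot be parsed" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) \
        || { echo "$pem: certificate cannot be parsed" >&2; return 1; }
    [ "$key_pub" = "$crt_pub" ] \
        || { echo "$pem: private key does not belong to the certificate" >&2; return 1; }

    # 4. The file contains a private key, so group and other must have no access.
    perms=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
    case "$perms" in
        *00) ;;
        *) echo "$pem: mode $perms is too permissive, use chmod 600" >&2; return 1 ;;
    esac
    echo "$pem: OK"
}

# Stand-alone use: sh check_imapd_pem.sh /etc/courier/imapd.pem
if [ $# -gt 0 ]; then
    check_courier_pem "$1"
fi
```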
For additional settings and tweaks, the config file for courier-imap-ssl is /etc/courier/imapd-ssl, for example STARTTLS and whether TLS is required for the login. Using STARTTLS allows clients to connect on the standard IMAP port (143) and upgrade the connection to TLS; otherwise clients connect to IMAP's dedicated TLS port, 993. Offering STARTTLS improves the chances that clients behind restrictive firewalls can connect. Note that with IMAP_TLS_REQUIRED=0 TLS is optional, so a client may still log in in plaintext on port 143; setting it to 1 makes the server refuse the login until STARTTLS has been issued.
/etc/courier/imapd-ssl
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
Note: if the root (CA) certificate is not imported on the mail client, it will most likely warn you about the certificate. This is expected, since the certificate is not trusted by the client until your CA is.
Do not trust the author's words! PoC, tests and experience are key.

Copyright LinuxLasse.net 2009 - 2024 All Rights Reserved.
