Working Draft - please don't follow this to the letter
Dovecot with Client Certificates
The next step after building an installation using
Dovecot with SSL[link1]
is to authenticate clients to dovecot using client certificates. In the above howto we ensured that
the communication between dovecot and its clients runs over SSL. This gives us a way to secure our network
traffic. But we cannot be sure about our clients: we trust them only with their username/password authentication.
We can also use the ACL plugin to add another layer of security.
But there is no 100% secure system or communication. We mentioned there that the first time dovecot sends
the server certificate, it goes over untrusted network traffic, meaning that someone who can listen to this traffic
can easily take the dovecot server certificate and listen to the encrypted traffic after that.
There is also another way to verify our clients: x509 client certificates.
This still doesn't mean that we have absolutely 100% secure and encrypted traffic, but it is very close.
Mail clients can log in to dovecot only when they provide an x509 client certificate that has been signed by a trusted Certificate Authority.
Dovecot verifies the client certificate and then provides the server certificate to ensure the encrypted communication.
url
http://stephen.cristol.googlepages.com/introx509
openssl
mkdir -pv /opt/certificates/dovecot
cd !$
openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -days 1825 -newkey rsa:4096
openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825 -newkey rsa:4096
rm dovecot.crt
openssl req -new -key dovecot.key -out dovecot.csr
openssl x509 -req -days 1825 -in dovecot.csr -out dovecot.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial
openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key -name "dovecot Certificate Client" -out dovecot.p12
touch index.txt
echo 01 > ./crlnumber
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl
cat ca.crt ca.crl > cafile
dovecot -n
# 1.2.2: /usr/local/etc/dovecot.conf
# OS: Linux 2.6.30-ARCH i686 ext4
info_log_path: /var/log/dovecot.log
protocols: imaps
ssl: required
ssl_ca_file: /opt/certificates/dovecot/cafile
ssl_cert_file: /opt/certificates/dovecot/ca.crt
ssl_key_file: /opt/certificates/dovecot/ca.key
ssl_verify_client_cert: yes
verbose_ssl: yes
login_dir: /usr/local/var/run/dovecot/login
login_executable: /usr/local/libexec/dovecot/imap-login
first_valid_uid: 300
mail_location: maildir:/var/spool/mail/%u:INBOX=/var/spool/mail/.INBOX/%u:INDEX=/var/spool/mail/.INDEX/%u:CONTROL=/var/spool/mail/.CONTROL/%u
mail_debug: yes
lda:
  postmaster_address: ebalaskas@ebalaskas.gr
auth default:
  verbose: yes
  debug: yes
  debug_passwords: yes
  ssl_require_client_cert: yes
  passdb:
    driver: passwd-file
    args: /usr/local/etc/dovecot.passdb
  userdb:
    driver: passwd-file
    args: /usr/local/etc/dovecot.passdb
NEW openssl
# Create the certificate folder
mkdir -pv /opt/certificates/dovecot
cd !$
# Create the CA (Certificate Authority) keys
openssl req -new -x509 -nodes -out ca.crt -keyout ca.key -days 1825 -newkey rsa:4096
# Create the dovecot key and certificate signing request
openssl req -new -nodes -keyout dovecot.key -out dovecot.csr -newkey rsa:4096
# Signed by the CA
openssl x509 -req -days 1825 -in dovecot.csr -out dovecot.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial
# Export client certificate
openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key -name "dovecot Certificate Client" -out dovecot.p12
# Generate Certificate Revocation List
touch index.txt
echo 01 > ./crlnumber
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl
cat ca.crt ca.crl > cafile
# cat ca.crt ca.srl > cafile   (wrong: ca.srl is the serial-number file written by -CAcreateserial, not the CRL)
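As an added example (not from this page and not the Dovecot project's own code), the script below runs the whole procedure above non-interactively and then shows what the CRL in the cafile is actually for. It writes a minimal openssl config so that `openssl ca -gencrl` and `openssl ca -revoke` work without depending on the system openssl.cnf, creates the CA, the server certificate and a client certificate, builds the cafile (CA certificate followed by the CRL) the way the page does, verifies the client certificate against that cafile, revokes it, regenerates the CRL and verifies again. Every name in it (the CA subject, imap.example.test, the user alice, the PKCS#12 password) is a constructed placeholder; the only assumption is a plain OpenSSL command line.

```shell
#!/bin/sh
# Added example: throwaway CA + server cert + client cert + CRL, then a
# verification run before and after revoking the client certificate.
# All names are constructed placeholders. Runs in a fresh temp directory.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config for "openssl ca" (assumption: plain OpenSSL CLI). It gives
# the CA cert proper CA extensions and restricts issued certs to clientAuth.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = .
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 1825
default_crl_days = 30
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = placeholder, overridden by -subj
EOF
mkdir -p newcerts
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# 1. CA key and self-signed CA certificate
openssl req -new -x509 -nodes -config ca.cnf -days 1825 -newkey rsa:2048 \
    -keyout ca.key -out ca.crt -subj "/CN=Example Dovecot CA" 2>/dev/null

# 2. Server key + CSR, signed by the CA (candidate for ssl_cert_file/ssl_key_file)
openssl req -new -nodes -config ca.cnf -newkey rsa:2048 \
    -keyout dovecot.key -out dovecot.csr -subj "/CN=imap.example.test" 2>/dev/null
openssl x509 -req -days 1825 -sha256 -in dovecot.csr -out dovecot.crt \
    -CA ca.crt -CAkey ca.key -CAcreateserial 2>/dev/null

# 3. Client certificate for user $1, issued through "openssl ca" so it is
#    recorded in index.txt (required for revocation); exported as PKCS#12.
issue_client() {
    openssl req -new -nodes -config ca.cnf -newkey rsa:2048 \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -name "$1" \
        -out "$1.p12" -passout pass:changeit
}

# Mark user $1's certificate as revoked in the CA database
revoke_client() {
    openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
}

# Build the CA file the way the page does: CA certificate followed by a fresh CRL
build_cafile() {
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
    cat ca.crt ca.crl > cafile
}

# Verify a client certificate against cafile, consulting the CRL it carries.
# Prints "ok" (exit 0) or "rejected" (exit 1).
check_client() {
    if openssl verify -crl_check -CAfile cafile "$1" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo rejected
    return 1
}

issue_client alice
build_cafile
check_client alice.crt            # ok: chains to the CA, not in the CRL

revoke_client alice
build_cafile                      # CRL now lists alice's serial
check_client alice.crt || true    # rejected
```

Dovecot loads CRLs from the same ssl_ca_file, so after a revocation the cafile has to be rebuilt and dovecot reloaded, otherwise the revoked client certificate keeps logging in until the old CRL is replaced; the `openssl verify -crl_check` step is a quick way to confirm that a freshly built cafile really rejects the certificate before deploying it.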