Dovecot SSL configuration
=========================
The most important SSL settings are:
---%<-------------------------------------------------------------------------
ssl = yes
# Preferred permissions: root:root 0444
ssl_cert = </etc/ssl/certs/dovecot.pem
# Preferred permissions: root:root 0400
ssl_key = </etc/ssl/private/dovecot.pem
---%<-------------------------------------------------------------------------
The certificate file can be world-readable, since it doesn't contain anything
sensitive (in fact it's sent to each connecting SSL client). The key file's
permissions should be restricted to only root (and possibly ssl-certs group or
similar if your OS uses such). Dovecot opens both of these files while still
running as root, so you don't need to give Dovecot any special permissions to
read them (in fact:*do not give dovecot user any permissions to the key file*).
It's possible to keep the certificate and the key both in the same file:
---%<-------------------------------------------------------------------------
# Preferred permissions: root:root 0400
ssl_cert = </etc/ssl/dovecot.pem
ssl_key = </etc/ssl/dovecot.pem
---%<-------------------------------------------------------------------------
It's also possible to use different certificates for IMAP and POP3:
---%<-------------------------------------------------------------------------
protocol imap {
ssl_cert = </etc/ssl/certs/imap.pem
ssl_key = </etc/ssl/private/imap.pem
}
protocol pop3 {
ssl_cert = </etc/ssl/certs/pop3.pem
ssl_key = </etc/ssl/private/pop3.pem
}
---%<-------------------------------------------------------------------------
There are a couple of different ways to specify when SSL/TLS is required:
* 'disable_plaintext_auth=yes' allows <plaintext authentication>
[Authentication.Mechanisms.txt] only when SSL/TLS is used first.
* 'ssl = required' requires SSL/TLS also for <non-plaintext authentication>
[Authentication.Mechanisms.txt].
* If you have only plaintext mechanisms enabled ('auth { mechanisms = plain
login }'), you can use either (or both) of the above settings. They behave
exactly the same way then.
Multiple SSL certificates
-------------------------
TLS SNI (Server Name Indication) support required
-------------------------------------------------
/It is important to note that having multiple SSL certificates per IP will not
be compatible with all clients, especially mobile ones. It is a TLS SNI
limitation./
---%<-------------------------------------------------------------------------
local_name imap.example.org {
ssl_cert = </etc/ssl/certs/imap.example.org.crt
ssl_key = </etc/ssl/private/imap.example.org.key
}
local_name imap.example2.org {
ssl_cert = </etc/ssl/certs/imap.example2.org.crt
ssl_key = </etc/ssl/private/imap.example2.org.key
}
# ..etc..
---%<-------------------------------------------------------------------------
Different certificates per IP and protocol
------------------------------------------
---%<-------------------------------------------------------------------------
local 192.0.2.10 {
protocol imap {
ssl_cert = </etc/ssl/dovecot/imap-01.example.com.cert.pem
ssl_key = </etc/ssl/dovecot/imap-01.example.com.key.pem
}
protocol pop3 {
ssl_cert = </etc/ssl/dovecot/pop-01.example.com.cert.pem
ssl_key = </etc/ssl/dovecot/pop-01.example.com.key.pem
}
}
local 192.0.2.20 {
protocol imap {
ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
ssl_key = </etc/ssl/dovecot/imap-02.example.com.key.pem
}
protocol pop3 {
ssl_cert = </etc/ssl/dovecot/pop-02.example.com.cert.pem
ssl_key = </etc/ssl/dovecot/pop-02.example.com.key.pem
}
}
---%<-------------------------------------------------------------------------
Password protected key files
----------------------------
SSL key files may be password protected. There are two ways to provide Dovecot
with the password:
1. Starting Dovecot with 'dovecot -p' asks the password. It's not stored
anywhere, so this method prevents Dovecot from starting automatically at
startup.
2. 'ssl_key_password' setting. Note that 'dovecot.conf' is by default
world-readable, so you probably shouldn't place it there directly. Instead
you could store it in a different file, such as '/etc/dovecot-private.conf'
containing:
---%<---------------------------------------------------------------------
ssl_key_password = secret
---%<---------------------------------------------------------------------
and then use '!include_try /etc/dovecot-private.conf' in the main
'dovecot.conf'.
Chained SSL certificates
------------------------
Put all the certificates in the 'ssl_cert' file. For example when using a
certificate signed by TDC the correct order is:
1. Dovecot's public certificate
2. TDC SSL Server CA
3. TDC Internet Root CA
4. Globalsign Partners CA
SSL security settings
---------------------
When Dovecot starts up for the first time, it generates new 512bit and 1024bit
Diffie Hellman parameters and saves them into
'<prefix>/var/lib/dovecot/ssl-parameters.ssl'. After the initial creation
they're by default regenerated every week. With newer computers the generation
shouldn't take more than a few seconds, but with older computers it can take as
long as half an hour. The extra security gained by the regeneration is quite
small, so with slower computers you might want to disable it:
---%<-------------------------------------------------------------------------
ssl_parameters_regenerate = 0
---%<-------------------------------------------------------------------------
By default Dovecot's allowed ciphers list contains:
---%<-------------------------------------------------------------------------
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
---%<-------------------------------------------------------------------------
Disallowing more won't really gain any security for those using better ciphers,
but it does prevent people from accidentally using insecure ciphers. See
http://www.openssl.org/docs/apps/ciphers.html for a list of the ciphers.
SSL verbosity
-------------
---%<-------------------------------------------------------------------------
verbose_ssl = yes
---%<-------------------------------------------------------------------------
This will make Dovecot log all the problems it sees with SSL connections. Some
errors might be caused by dropped connections, so it could be quite noisy.
Client certificate verification/authentication
----------------------------------------------
If you want to require clients to present a valid SSL certificate, you'll need
these settings:
---%<-------------------------------------------------------------------------
ssl_ca = </etc/ssl/ca.pem
ssl_verify_client_cert = yes
ssl_require_client_cert = yes
#ssl_username_from_cert = yes
---%<-------------------------------------------------------------------------
The CA file should contain the certificate(s) followed by the matching CRL(s).
Note that the CRLs are required to exist. For a multi-level CA place the
certificates in this order:
1. Issuing CA cert
2. Issuing CA CRL
3. Intermediate CA cert
4. Intermediate CA CRL
5. Root CA cert
6. Root CA CRL
The certificates and the CRLs have to be in PEM format. To convert a DER format
CRL (e.g.http://crl.cacert.org/class3-revoke.crl) into PEM format, use:
---%<-------------------------------------------------------------------------
openssl crl -in class3-revoke.crl -inform DER -outform PEM > class3-revoke.pem
---%<-------------------------------------------------------------------------
With the above settings if a client connects which doesn't present a
certificate signed by one of the CAs in the 'ssl_ca' file, Dovecot won't let
the user log in.
You may also force the username to be taken from the certificate by setting
'ssl_username_from_cert = yes'.
* The text is looked up from subject DN's specified field using OpenSSL's
'X509_NAME_get_text_by_NID()' function.
* By default the 'CommonName' field is used.
* You can change the field with 'ssl_cert_username_field = name' setting
(parsed using OpenSSL's 'OBJ_txt2nid()' function). 'x500UniqueIdentifier' is
a common choice.
You may also want to disable the password checking completely. Doing this
currently circumvents Dovecot's security model so it's not recommended to use
it, but it is possible by making the <passdb> [PasswordDatabase.txt] allow
logins using any password (typically requiring <"nopassword" extra field>
[PasswordDatabase.ExtraFields.txt] to be returned).
(This file was created from the wiki on 2011-01-13 04:52)
