Add certs to cyrus

I'm assuming that you have working SSL certificates for your domain. If not, please follow one of the many tutorials on the web. For simplicity, I'll assume you have a StartSSL certificate and a key named server.crt and server.key in /etc/ssl/cyrus/.

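  • If there are automatically generated, self-signed example certs in the directory, you can remove them now (rm * empties the whole directory, so do this before your own server.crt and server.key are in place):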
$ cd /etc/ssl/cyrus
$ rm *
  • Now we'll download the CA certificate from StartSSL:
$ wget \
    -O /etc/ssl/cyrus/ca.pem
$ wget \
    -O /etc/ssl/cyrus/
  • After that we'll build a certificate chain:
$ cat ca.pem > ca-chain.pem
  • Cleanup:
$ rm ca.pem
  • And we'll make sure that cyrus can access everything:
$ cd /etc/ssl/cyrus/
$ chown cyrus:mail *
$ chmod 600 *
  • Now you can add or change the following lines in your imapd.conf:
tls_server_cert: /etc/ssl/cyrus/server.crt
tls_server_key: /etc/ssl/cyrus/server.key
tls_client_ca_file: /etc/ssl/cyrus/ca-chain.pem


After that you can restart and verify everything:

$ /etc/init.d/cyrus restart
# certificates
$ openssl s_client -showcerts -connect
# tls port 143
$ openssl s_client -starttls imap -connect
# ssl port 993 / 995
$ openssl s_client -connect
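
As a complement to the openssl checks above, the following script (an added example, not part of the original tutorial) reads the three tls_* options from an imapd.conf and confirms that each referenced file exists and has no group or other permission bits, which is what chmod 600 is meant to guarantee. The function names conf_get and audit_cyrus_tls are made up for this example, and ownership (cyrus:mail) is not checked.

```shell
#!/bin/sh
# Audit the TLS file settings in a Cyrus imapd.conf (added example).
# For each tls_* option used on this page: the option must be set, the file
# must exist as a regular file, and it must carry no group/other permission
# bits (chmod 600 or stricter). Ownership is not checked here.

# Print the value of option $2 from config file $1 (one line of output).
# Commented-out lines ("#tls_server_key: ...") do not match the pattern.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one "FAIL ..." line per problem; return 0 only if none were found.
audit_cyrus_tls() {
    conf=$1
    rc=0
    for opt in tls_server_cert tls_server_key tls_client_ca_file; do
        path=$(conf_get "$conf" "$opt")
        if [ -z "$path" ]; then
            echo "FAIL $opt: not set in $conf"; rc=1; continue
        fi
        if [ ! -f "$path" ]; then
            echo "FAIL $opt: $path is missing or not a regular file"; rc=1; continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld "$path" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "FAIL $opt: $path is accessible to group/other ($bits)"; rc=1
        fi
    done
    return $rc
}

# Run the audit when the script is called with the config path as argument.
if [ $# -eq 1 ]; then
    audit_cyrus_tls "$1" && echo "OK: TLS files are set and private"
fi
```

Save it under any name and pass the path of your imapd.conf as the only argument; a world-readable server.key is reported as a FAIL line and the exit status is non-zero.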