Cyrus

SSL, TLS, OpenSSL

Add certs to cyrus

I'm assuming that you have working SSL certificates for your domain; if not, use one of the many tutorials on the web. For the sake of simplicity I'll assume a StartSSL certificate and key named server.crt and server.key, to be installed in /etc/ssl/cyrus/. (StartSSL/StartCom has since shut down and its roots are no longer trusted by browsers or mail clients; if you use another CA, substitute that CA's root and intermediate certificates in the steps below.)

  • If the directory still contains automatically generated, self-signed example certs, remove them now, before you copy server.crt and server.key there (`rm *` deletes everything in the directory, your own key and certificate included):
$ cd /etc/ssl/cyrus
$ rm *
  • Next, download the StartSSL root certificate and the Class 2 intermediate that signed your server certificate (pick the intermediate that matches your certificate's class):
$ wget https://www.startssl.com/certs/ca.pem \
    -O /etc/ssl/cyrus/ca.pem
$ wget https://www.startssl.com/certs/sub.class2.server.ca.pem \
    -O /etc/ssl/cyrus/sub.class2.server.ca.pem
  • Then concatenate them into a CA bundle. For a bundle used as a CA store the order does not matter; if you instead append the intermediate to server.crt, it must follow the server certificate, and the root does not need to be sent at all:
$ cat ca.pem sub.class2.server.ca.pem > ca-chain.pem
  • Cleanup:
$ rm ca.pem sub.class2.server.ca.pem
  • Make the files readable by the cyrus user only; the imapd processes run as cyrus and need to read them, but the private key must not be readable by anyone else:
$ cd /etc/ssl/cyrus/
$ chown cyrus:mail *
$ chmod 600 *
  • Now add or change the following lines in imapd.conf (these are the option names used since Cyrus 2.4; older releases call them tls_cert_file, tls_key_file and tls_ca_file):
/etc/imapd.conf
...
tls_server_cert: /etc/ssl/cyrus/server.crt
tls_server_key: /etc/ssl/cyrus/server.key
tls_client_ca_file: /etc/ssl/cyrus/ca-chain.pem
...
  • Note that tls_client_ca_file is primarily the CA store Cyrus uses to verify client certificates; OpenSSL also draws on that store to complete the chain it sends, which is why the intermediate reaches the client with this setup. If you prefer to send the chain explicitly, append the intermediate (sub.class2.server.ca.pem, before the cleanup step) to server.crt after the server certificate; that file is loaded as a certificate chain.

Verify

After that, restart Cyrus (the init script name depends on your distribution) and check what the server actually presents:

$ /etc/init.d/cyrus restart

# show the certificate chain the server sends; the intermediate must be part of it
$ openssl s_client -showcerts -connect example.org:993 -servername example.org </dev/null

# STARTTLS on the plain IMAP port 143
$ openssl s_client -starttls imap -connect example.org:143 </dev/null

# implicit TLS on port 993 (IMAPS); use port 995 for POP3S and -starttls pop3 with port 110 for POP3
$ openssl s_client -connect example.org:993 </dev/null

In each case the output should end with "Verify return code: 0 (ok)". Code 21 (unable to verify the first certificate) usually means the intermediate is not being sent; code 19 (self signed certificate in certificate chain) means the root is not in the CA store openssl uses, in which case pass it explicitly with -CAfile /etc/ssl/cyrus/ca-chain.pem.