howtos:kolab:configuration:cyrus [2015/05/27 12:21] (current)
dmorlock Kolab 3.3 Release
====== Cyrus ======

===== SSL, TLS, OpenSSL =====

==== Add certs to cyrus ====

I'm assuming that you have working SSL certificates for your domain. If not, please use one of the many tutorials on the web. For the sake of simplicity I'll assume you have a StartSSL certificate and a key named ''server.crt'' and ''server.key'' in ''/etc/ssl/cyrus/''.
  * If there are automatically generated, self-signed example certs in the directory, you can remove them now:
<code bash>
$ cd /etc/ssl/cyrus
$ rm *
</code>
  * Now we'll download the StartSSL CA certificates (root and Class 2 intermediate):
<code bash>
$ wget https://www.startssl.com/certs/ca.pem \
    -O /etc/ssl/cyrus/ca.pem
$ wget https://www.startssl.com/certs/sub.class2.server.ca.pem \
    -O /etc/ssl/cyrus/sub.class2.server.ca.pem
</code>
  * After that we'll concatenate them into a certificate chain:
<code bash>
$ cat ca.pem sub.class2.server.ca.pem > ca-chain.pem
</code>
  * Cleanup:
<code bash>
$ rm ca.pem sub.class2.server.ca.pem
</code>
  * And we'll make sure that the files belong to the cyrus user and are readable by it alone:
<code bash>
$ cd /etc/ssl/cyrus/
$ chown cyrus:mail *
$ chmod 600 *
</code>
  * Now you can add or change the following lines in your ''imapd.conf'':
<file bash /etc/imapd.conf>
...
tls_server_cert: /etc/ssl/cyrus/server.crt
tls_server_key: /etc/ssl/cyrus/server.key
tls_client_ca_file: /etc/ssl/cyrus/ca-chain.pem
...
</file>

==== Verify ====

After that you can restart Cyrus and verify everything:

<code bash>
$ /etc/init.d/cyrus restart
</code>

<code bash>
# show the certificates the server presents
$ openssl s_client -showcerts -connect example.org:993

# STARTTLS on the plain IMAP port 143
$ openssl s_client -starttls imap -connect example.org:143

# implicit SSL on port 993 (IMAPS) / 995 (POP3S)
$ openssl s_client -connect example.org:993
</code>
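The ''s_client'' checks above only tell you something once Cyrus is already running with the new files. As an added example (not part of this page, nor of Cyrus or Kolab), the following POSIX shell script checks the result of the steps above offline, before the restart: that ''server.key'' actually belongs to ''server.crt'', that the certificate verifies against the ''ca-chain.pem'' we built, that it is not about to expire, and that the key still has the mode 600 set above. It uses only ''openssl'' and ''stat''. The directory layout, the file names and the 30-day expiry threshold are assumptions taken from this how-to; pass another directory as the first argument to check a different location.

```sh
#!/bin/sh
# check_cyrus_tls.sh - sanity-check the certificate files before (re)starting Cyrus.
# Added example for this how-to, not part of the original page or of Cyrus/Kolab.
# Assumes the layout used above: server.crt, server.key and ca-chain.pem in one
# directory (default /etc/ssl/cyrus); pass another directory as the first argument.

# The private key must belong to the certificate. Compare the public key embedded
# in the certificate with the one derived from the key; if they differ, Cyrus
# will log an error and TLS will not come up.
key_matches_cert() {   # key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# The server certificate must verify against the chain file we built, otherwise
# clients that trust only the root CA will reject the connection.
cert_chains_to() {   # cert_chains_to CERT CHAIN
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds only if the certificate stays valid for at least SECONDS more.
cert_valid_for() {   # cert_valid_for CERT SECONDS
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Octal permission bits of a file; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The key is secret material: only its owner may read it (the chmod 600 above).
key_is_private() {   # key_is_private KEY
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print one verdict line per check and fail if the check fails.
report() {   # report LABEL COMMAND [ARGS...]
    label=$1; shift
    if "$@"; then
        echo "OK    $label"
    else
        echo "FAIL  $label"
        return 1
    fi
}

# Run all checks against a directory; returns 0 only if every check passed.
check_all() {   # check_all [DIR]
    dir=${1:-/etc/ssl/cyrus}
    cert=$dir/server.crt
    key=$dir/server.key
    chain=$dir/ca-chain.pem
    rc=0
    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "FAIL  missing or unreadable: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    report "server.key matches server.crt"            key_matches_cert "$cert" "$key"  || rc=1
    report "server.crt verifies against ca-chain.pem" cert_chains_to "$cert" "$chain"  || rc=1
    report "server.crt valid for at least 30 days"    cert_valid_for "$cert" 2592000   || rc=1
    report "server.key readable by owner only"        key_is_private "$key"            || rc=1
    return "$rc"
}

# Run the checks when invoked as a script with a directory argument; the
# functions stay available when the file is sourced instead.
if [ $# -gt 0 ]; then
    check_all "$1"
fi
```

Run it as ''sh check_cyrus_tls.sh /etc/ssl/cyrus'' as a user who can read the key. Every ''FAIL'' line names a file or property to fix before the restart; once the script reports only ''OK'', the ''openssl s_client'' checks above should show the full chain without verification errors.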