Dovecot: Unterschied zwischen den Versionen
| Zeile 18: | Zeile 18: | ||
== Anpassen der Konfiguration == | == Anpassen der Konfiguration == | ||
Je nach Distribution sind die Konfigurationsdateien etwas anders Strukturiert. So werden bei Debian 7.x und Dovecot 2.x die Dateien unterhalb von <nowiki>/etc/dovecot/conf.d</nowiki> in verschiedenen Dateien gepflegt. | |||
Die Parameter sind jedoch, egal in welcher Datei Sie schlussendlich zu finden sind, die gleichen. | |||
<source lang=bash> | |||
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> | |||
ssl = yes | |||
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before | |||
# dropping root privileges, so keep the key file unreadable by anyone but | |||
# root. Included doc/mkcert.sh can be used to easily generate self-signed | |||
# certificate, just make sure to update the domains in dovecot-openssl.cnf | |||
ssl_cert = </etc/ssl/certs/www.vsadmin.de.crt | |||
ssl_key = </etc/ssl/private/www.vsadmin.de.key | |||
# If key file is password protected, give the password here. Alternatively | |||
# give it when starting dovecot with -p parameter. Since this file is often | |||
# world-readable, you may want to place this setting instead to a different | |||
# root owned 0600 file by using ssl_key_password = <path. | |||
#ssl_key_password = | |||
# PEM encoded trusted certificate authority. Set this only if you intend to use | |||
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s) | |||
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) | |||
ssl_ca = </etc/ssl/certs/COMODO_DV.crt | |||
# Require that CRL check succeeds for client certificates. | |||
#ssl_require_crl = yes | |||
# Request client to send a certificate. If you also want to require it, set | |||
# auth_ssl_require_client_cert=yes in auth section. | |||
#ssl_verify_client_cert = no | |||
# Which field from certificate to use for username. commonName and | |||
# x500UniqueIdentifier are the usual choices. You'll also need to set | |||
# auth_ssl_username_from_cert=yes. | |||
#ssl_cert_username_field = commonName | |||
# How often to regenerate the SSL parameters file. Generation is quite CPU | |||
# intensive operation. The value is in hours, 0 disables regeneration | |||
# entirely. | |||
#ssl_parameters_regenerate = 168 | |||
# SSL protocols to use | |||
ssl_protocols = !SSLv2 | |||
# SSL ciphers to use | |||
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL | |||
# SSL crypto device to use, for valid values run "openssl engine" | |||
#ssl_crypto_device = | |||
</source> | |||
= Weiterführende Links = | = Weiterführende Links = | ||
Version vom 3. November 2014, 16:33 Uhr
Einrichtung von SSL für den Dovecot IMAP/POP3 Server
Erzeugen des CSR
Für die Anforderung eines SSL Zertifikates ist es notwendig einen CSR (Certificate Signing Request/Zertifikatsanforderung) zu erzeugen.
Die kann per SSH oder über eine direkt Konsole auf dem Server erfolgen:
<source lang=bash> openssl req -new -newkey rsa:2048 -keyout /etc/ssl/private/domain.de.key -out /home/user/csr.txt -nodes </source>
Besitzt man bereits ein Schlüsselpaar kann der CSR auch folgender Maßen erzeugt werden:
<source lang=bash> openssl req -new -key /etc/ssl/private/domain.de.key -out /home/user/csr.txt </source>
Anpassen der Konfiguration
Je nach Distribution sind die Konfigurationsdateien etwas anders Strukturiert. So werden bei Debian 7.x und Dovecot 2.x die Dateien unterhalb von /etc/dovecot/conf.d in verschiedenen Dateien gepflegt.
Die Parameter sind jedoch, egal in welcher Datei Sie schlussendlich zu finden sind, die gleichen.
<source lang=bash>
- SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
- PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
- dropping root privileges, so keep the key file unreadable by anyone but
- root. Included doc/mkcert.sh can be used to easily generate self-signed
- certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/ssl/certs/www.vsadmin.de.crt ssl_key = </etc/ssl/private/www.vsadmin.de.key
- If key file is password protected, give the password here. Alternatively
- give it when starting dovecot with -p parameter. Since this file is often
- world-readable, you may want to place this setting instead to a different
- root owned 0600 file by using ssl_key_password = <path.
- ssl_key_password =
- PEM encoded trusted certificate authority. Set this only if you intend to use
- ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
- followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
ssl_ca = </etc/ssl/certs/COMODO_DV.crt
- Require that CRL check succeeds for client certificates.
- ssl_require_crl = yes
- Request client to send a certificate. If you also want to require it, set
- auth_ssl_require_client_cert=yes in auth section.
- ssl_verify_client_cert = no
- Which field from certificate to use for username. commonName and
- x500UniqueIdentifier are the usual choices. You'll also need to set
- auth_ssl_username_from_cert=yes.
- ssl_cert_username_field = commonName
- How often to regenerate the SSL parameters file. Generation is quite CPU
- intensive operation. The value is in hours, 0 disables regeneration
- entirely.
- ssl_parameters_regenerate = 168
- SSL protocols to use
ssl_protocols = !SSLv2
- SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
- SSL crypto device to use, for valid values run "openssl engine"
- ssl_crypto_device =
</source>
