SSL – How to set up an SSL mail server

email encryption imap ssl

For a beginner, can anyone recommend a good method of setting up an encrypted IMAP server (on port 993) or at least TLS POP3 email? There are plenty of examples of opportunistic client-side email encryption with PGP or FireGPG or Enigmail, but that is not the answer I am looking for because swapping keys is complicated for some users (and it needs to be useable by everyone, not just some).

I would basically like to know how to set up a company of 50 people with encrypted email, using a self-signed company cert, so that they can connect with Thunderbird without any additional configuration necessary.

Or, something a little like the experience you get when connecting to Gmail TLS email using Thunderbird.

A simple pointing in the right direction may get rewarded as an answer.

Best Answer

I'd do this with Dovecot, although you didn't mention your preferred OS. The configuration is relatively straightforward.

(hint: /etc/dovecot/dovecot.conf, configure protocols, ssl_cert_file, and ssl_key_file).

A couple of caveats that you may already be aware of:

  1. Don't use a self-signed cert. Make your own CA and distribute that around, or find a cheapo SSL cert from Comodo or GoDaddy or someone.

  2. This isn't a full-fledged solution like GPG is. pops and imaps only secure the email in transit from your email server to the client. The email will remain in clear text pretty much everywhere else -- while at rest on the server or client, on other people's networks, and printed out. That's not to say this isn't worthwhile, but don't pretend it's all you need to do.
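
Caveat 1 ("make your own CA and distribute that around") worked through with the `openssl` command line, as an added example that is not part of the original answer. The host name `mail.example.test`, the subject names and all file names are constructed placeholders; `mail.crt` and `mail.key` are the files the `ssl_cert_file` and `ssl_key_file` settings named above would point at, and `ca.crt` is the only file handed to clients.

```shell
#!/bin/sh
# Added example: build a small private CA and sign an IMAPS/POP3S server cert.
# Host name, subject names and file names are constructed placeholders.

make_mail_pki() (   # usage: make_mail_pki <output-dir> <server-hostname>
    dir=$1 host=$2
    mkdir -p "$dir" && cd "$dir" || exit 1
    # Own config file, so the result does not depend on the system openssl.cnf.
    cat > pki.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Co
CN = Example Co Mail CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. CA key + self-signed CA certificate (ca.crt is what clients import).
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # 2. Server key + signing request for the mail host.
    openssl req -new -config pki.cnf -subj "/CN=$host" -newkey rsa:2048 \
        -nodes -sha256 -keyout mail.key -out mail.csr 2>/dev/null || exit 1
    # 3. CA signs the request; the SAN is what clients match the host against.
    openssl x509 -req -in mail.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 365 -extfile pki.cnf -extensions server \
        -out mail.crt 2>/dev/null || exit 1
    chmod 600 ca.key mail.key   # private keys stay readable by the owner only
)

# Check the chain and the host name the way a TLS client would.
verify_mail_cert() {   # usage: verify_mail_cert <dir> <server-hostname>
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$2" "$1/mail.crt" >/dev/null 2>&1
}

if [ "$#" -eq 2 ]; then
    make_mail_pki "$1" "$2" && verify_mail_cert "$1" "$2" && echo "OK: $1/mail.crt"
fi
```

Keep `ca.key` off the mail server: anyone holding it can issue certificates that every client trusting `ca.crt` will accept.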