# Creating SSL pem for Courier-IMAP



## tay9000 (Jun 14, 2012)

Hello everybody. I consider myself pretty decent with setting up FreeBSD but when it comes to SSL, I really don't get it. If somebody can point me to a good in-depth guide, that would be great. Particularly encompassing FreeBSD and OpenSSL.

Anyway, I am configuring a new mail server and I just need somebody to look at this command I am using to generate a self-signed certfile in .pem format for IMAP. Do I really just need to run this command and then stick the filepath at 
	
	



```
TLS_CERTFILE=
```
 in the imapd-ssl conf file? (I used 9999 because I don't want to have to update the file due to reasons.)

[cmd=]sudo openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 9999[/cmd]

I looked up what all the parameters do in an effort to understand but I don't have any experience with SSL really. I did run Wireshark and the IMAP communication seems to be encrypted but I work under a sysadmin who has never set up PEM mail and insists I must create a .crt, .key, and .csr file even though there is no place to put those in imapd-ssl and everything I read seems to indicate you only need a single .pem file for IMAP SSL. 

Any help is appreciated. Thank you!


> ```
> req: The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.
> -new: Generates a new certificate request.
> -x509: Outputs a self signed certificate instead of a certificate request.
> ...


----------



## DutchDaemon (Jun 14, 2012)

For Dovecot's IMAPS I only have two dovecot.pem files, one in /etc/ssl/certs and one in /etc/ssl/private. The first one is referenced (in Dovecot's configuration) as ssl_cert, the other one as ssl_key.

Dovecot uses this line in its certificate-generating script:


```
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365
```

See also http://wiki2.dovecot.org/SSL/CertificateCreation

Adjust information to your circumstances.


----------



## DutchDaemon (Jun 14, 2012)

In other words: your co-worker is thinking about certificates for a webserver. Same thing, different type of certificate use.


----------



## tay9000 (Jun 14, 2012)

DutchDaemon said:
			
		

> In other words: your co-worker is thinking about certificates for a webserver. Same thing, different type of certificate use.


Yes, he wants me to use the exact same commands to generate the same files we use for Apache but it doesn't apply to IMAP or POP3. =P

As I understand, this command is the equivalent of generating an unencrypted cert key, generating and self-signing a csr, and then combining the resulting cert and key into a .pem file, right?

As long as the client gets the pem from my server, the communication is (theoretically) secure, right? The part I don't understand is what stops somebody else from connecting to my server and getting that pem and using the information inside of it to decrypt another users communications? Or is that totally not how it works? :stud

Thanks, at least I am sure I am on the right track now.


----------



## DutchDaemon (Jun 14, 2012)

You're basically just enabling the SSL layer with this server-side certificate, nothing more than that. I'm pretty sure that certain parameters (like hashes) are added at run-time (the imaps/pop3s negotiation/connection stage) to make the subsequent SSL encryption sufficiently unique for that particular session. In other words, I don't think you can sniff or hijack other users's imaps/pop3s sessions with the certificate's information alone.


----------



## Abriel (Jun 15, 2012)

For Courier-IMAP check files:
/usr/local/share/courier-imap/mkimapdcert
/usr/local/share/courier-imap/mkpop3dcert


----------



## ProServ (Aug 6, 2012)

I have installed mail system using mail toaster by matt. In the setup I installed courier-imap. The problem is we can't get the use of encrypted password using port 993/ssl. Imap server simply says wrong password. This system uses vpopmail and courier authdaemon. If I use openssl s_client -connect mail.servername.tld:993 -ssl3 it connects and displays certificate et. al. which is a great improvement over earlier attempts where it failed on handshaking and no certificate displayed. 

I just don't know what part is not working to allow the use of encrypted passwords.


----------

