August 17, 2010

 Using SSL certificates with Atmail

You can use SSL certificates to allow your users to access Atmail via SSL. This document will show you how to convert SSL certificates into a format that can be used by Apache, Exim and Dovecot.

1.) Upon getting your SSL certificates, you will receive them in two files: .crt and .key. For the purposes of this document, we will put them in the directory: /usr/local/atmail/ssl/ as two files domain.key and domain.crt.

2.) You will need to convert the crt file to .PEM. This command will do it:

% openssl x509 -inform der -in /usr/local/atmail/ssl/domain.crt -out /usr/local/atmail/ssl/domain.pem

3.) Afterwards, you will need a password-less key file:

% openssl rsa -in /usr/local/atmail/ssl/domain.key -out /usr/local/atmail/ssl/domain-nopass.key

4.) Define the pathnames of the key and cert files in WebAdmin > Services > POP3/IMAP.

5.) The SSL Certificate Path corresponds to your .pem file. For this example, the setting will be "/usr/local/atmail/ssl/domain.pem".

6.) The SSL key file corresponds to your passphrase-less key file. For this example, the setting will be "/usr/local/atmail/ssl/domain-nopass.key".

7.) Save changes.

8.) Should you want to verify this manually, open up /usr/local/atmail/mailserver/etc/dovecot.conf, and look for this block of lines:

ssl = yes
protocols = pop3 imap pop3s imaps
ssl_cert_file = /usr/local/atmail/ssl/domain.pem
ssl_key_file = /usr/local/atmail/ssl/domain-nopass.key

9.) And here is the corresponding entry for /usr/local/atmail/mailserver/configure:

tls_advertise_hosts = *
log_selector = +tls_peerdn
tls_certificate=/usr/local/atmail/ssl/domain.pem
tls_privatekey=/usr/local/atmail/ssl/domain-nopass.key

10.) Restart Atmail services.


Filed under: Uncategorized, Encryption, Exim, Atmail 5, Atmail 6 — John Contad @ 8:05 pm

 

January 1, 2008

 GnuPG won’t generate an encryption key

The encryption key requires random input from the server to
generate a secure key.

Under Linux/Windows, the machine requires activity to generate
the key (e.g. GnuPG uses the HDD/CPU/IO states to generate
unique numbers for the key).

Under FreeBSD, you can use the following command to add randomness
from the IRQs of the machine.

/usr/sbin/rndcontrol -s 14 -s 8 -s 0

Use 'vmstat -i' to list which IRQs are active on your server.


Filed under: Encryption — Andy Grayndler @ 12:00 pm

 

 How to enable SSL for POP3 & IMAP server-mode

Question

How do I enable SSL for the @Mail IMAP-server? I.e. I want IMAP-clients to be able to connect using SSL over port 993 instead of unencrypted over port 143.

I found the mkimapdcert-script to generate a .PEM file for Courier-IMAP.. but I assume I need to do more :-)

Answer:

If CourierIMAP is compiled with (or has detected) OpenSSL support, this should be available.

Visit the Webadmin -> Services -> SSL POP3/IMAP. Enable SSL, click save.

Then run:

[root@au webmail]# /etc/init.d/atmailserver restart
Stopping @Mail server: av-module smtp log-daemon imap imap-ssl pop3 pop3-ssl
Starting @Mail server: av-module imap imap-ssl pop3 pop3-ssl smtp spamassassin logdaemon

This will auto-generate the new SSL cert-files for your installation.

To test if SSL support is working you can use the following command:

# openssl s_client -connect localhost:imaps

This will show the raw SSL communication, and you can access the IMAP server.


Filed under: Encryption — Ben Duncan @ 12:00 pm

 

December 6, 2007

 Converting SSL certificate into .pem format for POP3/IMAP

Question: I have an SSL certificate signed by Verisign for my SSL Webserver. I would like to use the same certificate for my POP3/IMAP server using @Mail via SSL.

How can I use the certificate files generated from my SSL provider? This is required so users will not receive a security popup message when connecting via SSL, since the connection will be trusted automatically.

Answer: Obtain the certificate.key and certificate.crt files that are generated by your SSL provider; these can be used to create the .pem format the POP3/IMAP server requires when running via SSL.

(more...)


Filed under: Encryption, Linux version — info @ 3:03 pm

 

 Migrating cleartext user passwords to crypt password

Question:

I want to migrate from clear-text passwords of existing users to encrypted passwords. Is this possible? (more...)


Filed under: Encryption, Migration, PHP version — info @ 12:24 pm

 

October 22, 2007

 How to convert your Webmail Apache SSL to pop3s/imaps

cat /etc/httpd/ssl/[your-private-key] /etc/httpd/ssl/[your-issued-crt] > imapd.pem
cat /etc/httpd/ssl/[your-private-key] /etc/httpd/ssl/[your-issued-crt] > pop3d.pem

copy .pem files to /usr/local/atmail/mailserver/share

enable "Enable SSL support" [x]

(Enable SSL POP3/IMAP Support on startup)

Enter:

POP3 SSL Certificate:  [ /usr/local/atmail/mailserver/share/pop3d.pem ]
IMAP SSL Certificate:  [ /usr/local/atmail/mailserver/share/imapd.pem ]

restart atmailserver:

# service atmailserver restart

test with mail client & enjoy

Alex

PS: If required, remember to open TCP ports 995 (pop3s) and 993 (imaps) in your firewall .-)


Filed under: Encryption, Linux version — info @ 1:24 pm

 

July 21, 2006

 Converting SSL certificate into .pem format for POP3/IMAP

Question: I have an SSL certificate signed by Verisign for my SSL Webserver. I would like to use the same certificate for my POP3/IMAP server using @Mail via SSL.

How can I use the certificate files generated from my SSL provider? This is required so users will not receive a security popup message when connecting via SSL, since the connection will be trusted automatically.

Answer: Obtain the certificate.key and certificate.crt files that are generated by your SSL provider; these can be used to create the .pem format the POP3/IMAP server requires when running via SSL.

The .pem format for certificates is simply a combination of the public and private keys of the certificate, which are required by the mail-server of @Mail.

To generate:

# cat certificate.key certificate.crt > /usr/local/atmail/mailserver/share/imapd.pem

# cat certificate.key certificate.crt > /usr/local/atmail/mailserver/share/pop3d.pem

Next, restart the @Mail services:

# /etc/init.d/atmailserver restart

Users can now connect via SSL POP3/IMAP with your SSL certificate from your provider (e.g. Verisign, Thawte, Comodo SSL, etc.).

Next, to use the same certificate when users connect via SMTP, follow the TLS install guide at: http://kb.atmail.com/view_article.php?num=345

Then define the following in /usr/local/atmail/mailserver/configure:

tls_certificate=/usr/local/atmail/mailserver/server.crt
tls_privatekey=/usr/local/atmail/mailserver/server.key

Point these paths to your certificate files on disk.

To avoid any security warnings, the domain name users connect to via SSL POP3/IMAP must match the domain the certificate has been approved for.


Filed under: Encryption — Ben Duncan @ 8:39 am
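
The posts above end with either a passphrase-less key file (the 2010 article) or a key-plus-certificate .pem bundle (the 2006 and 2007 articles), and both hold the private key in the clear on disk. The following preflight is an added example, not Atmail's own tooling: it reports which conversion step a file still needs, whether a key or bundle is readable beyond its owner, and whether a certificate and key belong together. The function names are hypothetical, and pair_matches assumes the openssl CLI is installed.

```sh
#!/bin/sh
# Added example (not from Atmail): function names are illustrative assumptions.

# classify FILE -> der | cert | key | key-encrypted | bundle | unknown
classify() {
    has_cert=0; has_key=0; enc=0
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && has_cert=1
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" && has_key=1
    # Traditional encrypted keys carry a Proc-Type header; PKCS#8 ones say so in the label.
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1" && enc=1
    if   [ "$enc" = 1 ]; then echo key-encrypted
    elif [ "$has_key" = 1 ] && [ "$has_cert" = 1 ]; then echo bundle
    elif [ "$has_key" = 1 ]; then echo key
    elif [ "$has_cert" = 1 ]; then echo cert
    # No PEM markers: a DER certificate starts with the ASN.1 SEQUENCE tag 0x30.
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = 30 ]; then echo der
    else echo unknown
    fi
}

# others_can_access FILE: true when group or other have any permission bit set.
others_can_access() {
    [ "$(ls -ldL "$1" | cut -c5-10)" != "------" ]
}

# audit FILE -> "<kind> <finding>"
audit() {
    kind=$(classify "$1")
    case $kind in
        der)           echo "$kind needs-pem-conversion" ;;      # openssl x509 -inform der ...
        key-encrypted) echo "$kind needs-passphrase-removal" ;;  # openssl rsa -in ... -out ...
        cert)          echo "$kind ok" ;;
        key|bundle)    if others_can_access "$1"
                       then echo "$kind private-key-readable-by-others"
                       else echo "$kind ok"
                       fi ;;
        *)             echo "$kind unrecognised" ;;
    esac
}

# pair_matches CERT KEY: 0 if both hold the same public key, 1 if not, 2 on read error.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Usage: sh preflight.sh /usr/local/atmail/ssl/*
for f in "$@"; do printf '%s: %s\n' "$f" "$(audit "$f")"; done
```

A "private-key-readable-by-others" finding is cleared by restricting the file to the account the mail daemons read it as, for example with chmod 600.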