This weekend has been devoted to managing e-mail for my recently purchased domain name of cjbuckley.com on the server this website is served up from. I’ve always been a Postfix fan, so I thought this was an excellent opportunity to set up Postfix as well as the Courier Mail Server, which will handle all my mail retrieval hosting.
Guide
The instructions I followed are located here. Remember to set up your MX and A records correctly once your mail server is operational.
How to generate Trusted, Self-Signed SSL certificates for use with Courier IMAP server
SSL is a complicated business, but one which any good systems administrator should make a concerted effort to learn! Now, my Courier IMAP server always throws up the warning on my local desktop that ‘this certificate is not signed by a trusted certificate authority’, which, whilst true, doesn’t make the certificate any less secure. Thawte, Verisign and co. quite literally get paid huge amounts of cash to sign certificates! They suddenly then become ‘trusted’, which is quite bizarre.
In our setup we wish to generate our own self-signed certificate, whose CA-generated .crt file we can then import into our mail client (Outlook will refuse to work, for instance, until this has been performed).
1. First, let’s make the CA private key:
openssl genrsa -des3 -out ca.key 2048
This command creates a 2048-bit RSA key, stored in ca.key.
2. Next, create a self-signed CA certificate:
openssl req -new -x509 -days 1095 -key ca.key -out ca.crt
3. This done, you are now the proud owner of a self-signed CA certificate, so it’s time to generate the key for your IMAP server:
openssl genrsa -out imapd.key 2048
4. Now, let’s generate a Certificate Signing Request (CSR):
openssl req -new -key imapd.key -out imapd.csr
5. Now we’ve generated our CSR, we need to sign it against our Certificate Authority (ca.key). Nearly all the guides published on the internet invoke Apache’s sign.sh shell script to do this; however, not everyone runs Apache, so here is the openssl command you will need. [1]
openssl x509 -req -days 365 -in imapd.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out signed-imapd.crt
6. This next step involves catenating your IMAP server key with your new CA-signed IMAP certificate into a format that Courier can parse (PEM):
cat imapd.key signed-imapd.crt > imapd.pem
7. We’re nearly there..! The final SSL step is to add the Diffie-Hellman parameter block to our PEM certificate:
openssl gendh >> imapd.pem
8. Copy imapd.pem to your Courier configuration directory (in Debian this is /etc/courier/) and point your imapd.cnf file to /etc/courier/imapd.pem.
9. You will need to inform Courier of your new certificate. As root:
/etc/init.d/courier-authdaemon reload
10. The final step is to import ca.crt (from step 2) into your desktop mail client and/or root certificate store. This informs your applications that you implicitly trust any certificate that has been signed by this Certificate Authority, allowing broken heaps of junk like Outlook to connect to an IMAP server correctly. I will never understand why people use Outlook.. :(
Make the file secure by performing:
chmod 600 imapd.pem
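The whole CA and IMAP certificate procedure above as one non-interactive script, added here as an example and not part of the original post. It adds the chain check (openssl verify) that would have caught the “invalid digital signature” problem from the comments, and it assumes a host name of mail.example.com and invented subject fields; the CA key is left unencrypted so the script can run unattended (the post’s -des3 variant prompts for a passphrase instead).

```shell
#!/bin/sh
# Added example, not from the original post. Builds a private CA, signs an
# IMAP server certificate with it, verifies the chain and assembles the PEM
# file Courier expects. Host name and subject fields are assumptions.
set -e

make_courier_cert() {
    # $1 = working directory, $2 = IMAP server host name (assumed)
    dir=$1; host=$2
    mkdir -p "$dir"
    # Steps 1 and 2: CA key (unencrypted for unattended use) and CA cert
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 1095 -key "$dir/ca.key" \
        -subj "/CN=Example Private CA" -out "$dir/ca.crt"
    # Steps 3 and 4: server key and CSR
    openssl genrsa -out "$dir/imapd.key" 2048 2>/dev/null
    openssl req -new -key "$dir/imapd.key" -subj "/CN=$host" -out "$dir/imapd.csr"
    # Step 5: sign the CSR with the CA. The extension file adds a
    # subjectAltName, because current clients match the host name against
    # the SAN rather than the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/srv.ext"
    openssl x509 -req -days 365 -in "$dir/imapd.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -extfile "$dir/srv.ext" \
        -out "$dir/signed-imapd.crt" 2>/dev/null
    # Check the chain before deploying: this is what the mail client will do
    check_chain "$dir"
    # Steps 6 and 7: key, certificate and DH parameters in one PEM file.
    # -dsaparam generates parameters quickly; the post's "openssl gendh"
    # is the older, slower equivalent.
    cat "$dir/imapd.key" "$dir/signed-imapd.crt" > "$dir/imapd.pem"
    openssl dhparam -dsaparam 2048 >> "$dir/imapd.pem" 2>/dev/null
    chmod 600 "$dir/imapd.pem" "$dir/imapd.key" "$dir/ca.key"
}

check_chain() {
    # Returns 0 only if the server certificate validates against the CA
    openssl verify -CAfile "$1/ca.crt" "$1/signed-imapd.crt" >/dev/null 2>&1
}
```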
I hope that’s of help to someone..!
[1] Thanks to Kim Blackburn for updating step 5.
UPDATE: Even easier, use this command to take you directly up to step 6.
openssl req -new -outform PEM -out imapd.crt -newkey rsa:2048 -nodes -keyout imapd.key -keyform PEM -days 365 -x509
…copy over imapd.crt to your Windows installation to allow Outlook to work successfully without SSL warning(s).
September 27, 2006
Comments (2)
I followed your excellent instructions - but step 5 seems to go wrong - both Firefox and IE couldn’t follow the trail from the lower certificate up to the trusted CA certificate - “invalid digital signature”.
Eventually I found the following which worked - maybe it’s supposed to be the same, maybe it isn’t…
openssl x509 -req -days 365 -in imapd.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out signed-imapd.crt
(I first thought it was ‘your typo’ of having the signature longer than the original CA certificate (1095 vs 3365 :-), but that didn’t seem to change anything)
Hi Kim,
Thanks for your kind comments. Let me look into this as you have very probably raised an oversight on my part - apologies.
I’ll update my instructions :-)
All the best,
Chris