Last Updated: Saturday, 15 February 2014 20:10
The purpose of this article is to document the steps taken to enable SSL on the Dovecot IMAP server. For the purposes of this article, we will act as our own CA, or Certificate Authority, and self-sign the certificate for the SSL key pair. It is assumed that both Dovecot and OpenSSL are installed on the system in question.
First, create a CA subdirectory in /etc. This is where the self-signed certificate files will be kept. Dovecot needs PEM-encoded keys for this. To create the keys, issue the following command from the /etc/CA directory:
# 2048-bit RSA key: 1024-bit RSA is no longer considered adequate
openssl req -x509 -nodes -days 3650 \
  -subj '/C=US/ST=NC/L=Denver/O=Acme Corporation/CN=somehost.acme.com' \
  -newkey rsa:2048 -keyout key.pem -out cert.pem
Two files are generated: cert.pem, the public certificate that will later be shared and installed in various email clients, and key.pem, the private key, which should be protected. In fact, both files should be protected. Dovecot is started by the root user, and it reads these files during startup while it is still running as root. To protect my files, I issued the following command:
[#/etc] chmod -R 600 CA
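This command sets mode 600 on the entire /etc/CA directory and its contents: the owner, root, gets read and write access, and group and other users get no access at all. Mode 600 also leaves the directory without a search (execute) bit, which does not stop root, because root bypasses file permission checks.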
Next, I made a copy of cert.pem and copied this file to my laptop, which was running a copy of Outlook. Only the certificate is copied; key.pem stays on the server. You could do the same thing for Outlook Express and other IMAP-based email clients. Here are the steps for installing the public key, or certificate, into Windows to work with Outlook. To install the public key into the root certificate store, I renamed the file from cert.pem to dovecot.crt. Then you can double-click on the file in Explorer, or you can "execute" the file from a DOS box. Follow the prompts and ignore the alerts, but make sure that you install the certificate into the Root Certificate Store (the import wizard lists it as "Trusted Root Certification Authorities").
Ensure that the following is set in /etc/dovecot.conf:
ssl_disable = no
ssl_cert_file = /etc/CA/cert.pem
ssl_key_file = /etc/CA/key.pem
Restart the Dovecot server by issuing /etc/init.d/dovecot restart
Once the server has restarted, check to make sure that no errors occurred. Then close and re-open Outlook. You should no longer receive those annoying pop-up security notifications about certificates.
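A check that can be run on the server before the restart, to confirm that the pair created above is consistent and protected. This is an added example, not part of the original article; the function name check_tls_pair and the file name check.sh are hypothetical, and the script assumes the openssl command line tool and GNU stat.

```shell
#!/bin/sh
# Added example: audit a Dovecot certificate/key pair before a restart.
# Assumptions: openssl CLI, GNU stat; check_tls_pair is a hypothetical name.
check_tls_pair() {
    cert=$1; key=$2; fails=0

    # 1. The certificate must contain the public half of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert does not match $key"; fails=$((fails + 1))
    fi

    # 2. The private key must grant nothing to group or other (600 or 400).
    mode=$(stat -c '%a' "$key" 2>/dev/null)
    case "$mode" in
        ?00) ;;
        *) echo "FAIL: $key has mode ${mode:-unknown}, want 600 or 400"
           fails=$((fails + 1)) ;;
    esac

    # 3. An RSA certificate key must be at least 2048 bits.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null)
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*)
            if [ "${bits:-0}" -lt 2048 ]; then
                echo "FAIL: RSA key is ${bits:-?} bits, want >= 2048"
                fails=$((fails + 1))
            fi ;;
    esac

    # 4. The certificate must remain valid for at least 30 more days.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $cert expires within 30 days or is unreadable"
        fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ] && echo "OK: $cert / $key"
    return "$fails"
}

# Usage: sh check.sh /etc/CA/cert.pem /etc/CA/key.pem
if [ "$#" -eq 2 ]; then check_tls_pair "$1" "$2"; fi
```

The function returns the number of failed checks, so an exit status of 0 means the pair is ready to be referenced from the Dovecot configuration.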