Enable SSL certs on dovecot
Edit the dovecot configuration file, /etc/dovecot.conf, and make sure to uncomment these lines:
ssl_disable = no
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
Then you need to regenerate the 'dovecot.pem' files so that the certificate matches the hostname of your mail server. Dovecot provides a shell script for this, '/usr/share/doc/dovecot-1.0/examples/mkcert.sh', and a simple configuration file, '/etc/pki/dovecot/dovecot-openssl.cnf', that supplies the values the script uses.
So, first of all, edit the configuration file to suit the values of your own mail server, making a copy of it first:
cp /etc/pki/dovecot/dovecot-openssl.cnf /etc/pki/dovecot/dovecot-openssl.cnf.ORIG
Then edit it with your favorite text editor. Once you are done, you can execute the shell script. The only thing you might want to change is the default lifetime of the generated cert, 365 days, to something longer; to do so, edit the file '/usr/share/doc/dovecot-1.0/examples/mkcert.sh', specifically line 36, like this:
## -----------------------------------------------
## $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
## -----------------------------------------------
$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 3650 || exit 2
But before editing the file, as usual, make a copy of it:
cp /usr/share/doc/dovecot-1.0/examples/mkcert.sh /usr/share/doc/dovecot-1.0/examples/mkcert.sh.ORIG
And then execute the script:
sh /usr/share/doc/dovecot-1.0/examples/mkcert.sh
The script won't run if the built-in cert and key are still in place, so make a copy of those first, and then delete the originals:
cd /etc/pki/dovecot/private/
mv dovecot.pem dovecot.pem.ORIG
rm -f dovecot.pem    <- No need to really
cd /etc/pki/dovecot/certs/
mv dovecot.pem dovecot.pem.ORIG
rm -f dovecot.pem    <- No need to really
As a side note, upon executing the script '/usr/share/doc/dovecot-1.0/examples/mkcert.sh' I got this error:
[root@webs10]# sh /usr/share/doc/dovecot-1.0/examples/mkcert.sh
Generating a 1024 bit RSA private key
......................++++++
..............++++++
writing new private key to '/etc/pki/dovecot/private/dovecot.pem'
-----
problems making Certificate Request
19201:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
The problem was the country code, since I was incorrectly trying to use 'USA' instead of 'US'.
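A pre-flight check for the values in dovecot-openssl.cnf before running mkcert.sh, added here as an example; it is not part of the original post or of Dovecot. It catches the 3-letter country code behind the ASN.1 error above (X.509 countryName is limited to 2 characters) and confirms that the CN matches the mail server hostname. The sample config and the hostname mail.example.com are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or Dovecot): sanity-check the
# values in dovecot-openssl.cnf before running mkcert.sh. The error
# "string too long ... maxsize=2" comes from a 3-letter country code.

# Print the first value of key $2 (C, CN, ...) from openssl-style config $1.
# Commented-out keys (#C=FI) are skipped; trailing comments are stripped.
cnf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Succeed only if $1 is a 2-letter country code (US, not USA).
check_country() {
    case "$1" in
        [A-Za-z][A-Za-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if CN in config $1 equals the mail server hostname $2.
check_cn() {
    [ "$(cnf_get "$1" CN)" = "$2" ]
}

# Run both checks on config $1 for hostname $2; report each problem on stderr.
preflight() {
    rc=0
    c=$(cnf_get "$1" C)
    if ! check_country "$c"; then
        echo "C='$c' is not a 2-letter country code (use US, not USA)" >&2; rc=1
    fi
    if ! check_cn "$1" "$2"; then
        echo "CN='$(cnf_get "$1" CN)' does not match hostname '$2'" >&2; rc=1
    fi
    return $rc
}

# Constructed sample config reproducing the mistake from the post (C=USA).
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE" "$SAMPLE.fixed"' EXIT
cat > "$SAMPLE" <<'EOF'
[ req_dn ]
#C=FI
C=USA
CN=mail.example.com
EOF
sed 's/^C=USA$/C=US/' "$SAMPLE" > "$SAMPLE.fixed"   # the corrected config
preflight "$SAMPLE" mail.example.com || echo "fix the config before running mkcert.sh"
preflight "$SAMPLE.fixed" mail.example.com && echo "config OK, run mkcert.sh"
```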
3 Comments:
No need for rm -f dovecot.pem as you moved the files.
You are right.
And the '-f' kept it from barfing.
Nice spot. I didn't immediately see the glitch until I read the comment and reread the code again and process.