If you installed openssh (which is highly recommended, rather than using telnet to connect to your Slug), you already have openssl installed. It can’t hurt to check though (openssl is a prerequisite for this guide):

ipkg install openssl

Without going too deeply into SSL or TLS discussion, there are a few things to know. TSL is the successor to SSL, but they’re both very similar, being protocols for secure communication. We’ll be using SSL for pop3 and TLS for smtp.

In addition to encryption, SSL and TLS offer the ability to ensure we are communicating with the server we think we are. This is achieved through trust; when we first enter communication with our server, it will send us its certificate. This certificate is signed by a Certification Authority (CA) attesting that the server is who it says it is. Of course, we have to trust the CA’s word on this, but usually the CA will be someone reputable like Comodo or VeriSign.

But we don’t need to convince the public we are who we say we are, we only need to make sure that we’re connecting to our own email server. So we’ll be acting as our own CA, and signing our own certificate. After all, if you can’t trust yourself, who can you trust?

Versions

This how-to guide was updated in May 2009 for compatibility with the following package versions:

• Postfix 2.3.6-3
• Dovecot v1.2.0.beta1-2

This how-to may also work with previous versions, but may require slight changes with respect to paths – for example, previous versions of Dovecot installed dovecot.conf to /opt/etc/dovecot.conf, but the latest version installs it to /opt/etc/dovecot/dovecot.conf.

Creating the CA key and certificate

First of all, let’s find somewhere to store all our SSL stuff. I chose /opt/etc/ssl. Make the directory if it’s not already there, and cd to it. We need to create a few directories and files that openssl expects.

mkdir certs crl csr newcerts private
touch index.txt
echo 01 > serial

The openssl distribution came with a default configuration file, and we’re going to edit some of the values, so be sure to back it up first:

cp /opt/share/openssl/openssl.cnf /opt/share/openssl/openssl.cnf.orig

Now edit the config file:

vi /opt/share/openssl/openssl.conf

And modify the contents as you see fit. Pay particular attention to the paths; there’s only a few things you need to change:

dir = /opt/etc/ssl
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Save the file, and you are ready to create your own CA private key and certificate with the following command:

openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out cacert.pem

You’ll be prompted for a little bit of information; you can leave fields empty to accept the [default], or enter a period to leave the field blank. Note that I edited the default values in the config file.

Country Name (2 letter code) [UK]:
State or Province Name (full name) [England]:
Locality Name (eg, city) [London]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Nik Rivers CA
Email Address []:

The important field is Common Name (CN); it is the name of your CA. Once you have entered all the required data, openssl will generate a private key and a certificate. Note that you will be asked for a passphrase; your private key cannot be used by anyone who doesn’t know this passphrase. You can remove the passphrase if you like – I chose to do so because I couldn’t imagine anyone wanting to misuse it, let alone being able to find it in the first place.

mv private/cakey.pem private/cakey.pem.orig
openssl rsa -in private/cakey.pem.orig -out private/cakey.pem
rm private/cakey.pem.orig

Creating the mail server key and certificate

Now simply issue this command to create your mail server certificate signing request:

openssl req -newkey rsa:1024 -keyout private/mailserver.key -keyform PEM -out csr/mailserver.csr

You’ll be asked a few familiar questions; this time, answer the questions bearing in mind this is the certificate for your mail server. Of particular importance is the CN field, which should ideally be the fully-qualified hostname of your mail server, such as mail.yourdomain.com. The challenge password and optional company name can be left blank. Now we must remove the passphrase from the mail server key – since otherwise Dovecot requires the passphrase to be provided in the config file (in plain text) and Postfix just plain won’t work.

mv private/mailserver.key private/mailserver.key.orig
openssl rsa -in private/mailserver.key.orig -out private/mailserver.key
rm private/mailserver.key.orig

Finally, sign your request with:

openssl ca -in csr/mailserver.csr

You will be asked if you want to sign the certificate, and whether you want to commit. Double-check the data, answer yes to both questions, and openssl will dump a load of info in front of you. You can now view your mail server’s signed certificate with the command:

more newcerts/01.pem

You can copy and rename the 01.pem and cacert.pem files to something more meaningful if you like, and if you will be using Windows clients to access the email server I recommend changing the file extension from pem to crt, so that Windows understands the file format:

cp newcerts/01.pem certs/mailserver.pem
cp newcerts/01.pem certs/mailserver.crt
cp cacert.pem certs/
cp cacert.pem certs/ca.crt

I then removed the certificate signing request.

rm csr/mailserver.csr

Configuring Postfix

vi /opt/etc/postfix/main.cf

Add this at the bottom of the file:

# TLS
smtpd_tls_cert_file = /opt/etc/ssl/certs/mailserver.crt
smtpd_tls_key_file = /opt/etc/ssl/private/mailserver.key
smtpd_tls_security_level = may

Setting the smtpd_tls_security_level parameter to may allows clients to connect with or without TLS; we could set this to encrypt, which forces the use of TLS, but my testing shows that it prevents other MTAs from being able to relay mail to the Slug.

Restart Postfix:

/opt/etc/init.d/S69postfix restart

Configuring Dovecot

vi /opt/etc/dovecot/dovecot.conf

Change or add (as appropriate) the following:

protocols = pop3s
ssl_disable = no
ssl_cert_file = /opt/etc/ssl/certs/mailserver.crt
ssl_key_file = /opt/etc/ssl/private/mailserver.key

Restart Dovecot:

/opt/etc/init.d/S90dovecot restart

Done.

Using the certificates

You have a couple of options. Your email client will probably ask you if you should trust the server’s certificate now and always, and agreeing to this is good enough.

Or you could install your CA certificate on your computer, which would cause all certificates that you, as a CA, sign – including your mail server’s certificate.

In Windows Vista, this is simply a case of right-clicking on the cakey.crt file, and selecting Install Certificate. The Certificate Import Wizard then guides you through the process – but when it asks you which certificate store to use, select the Trusted Root Certification Authorities store. Now when you open your mailserver.crt file Windows will show the certificate as being trusted implicitly since it was issued by you.

Configuring your mail client

All you need to do is tell your mail client to use TLS when connecting to the smtp server, and to use SSL over port 995 (pop3s) when connecting to the pop3 server.

For example, in Office Outlook 2007, when editing your mail account, click More Settings… and go to the Advanced tab. Under Incoming server (POP3) tick This server requires an encrypted connection (SSL). This will automatically change the pop3 port to 995. Under Outgoing server (SMTP) change Use the following type of encrypted connection to TLS. The Auto setting will also work, but why make Outlook guess when you can tell it the answer?

If this information was useful, please leave a comment to let me know!