Enable Secure POP, IMAP, SMTP?

nmb

Verified User
Joined
Sep 13, 2008
Messages
207
I've read that SMTP relies on Exim while POP and IMAP rely on Dovecot. But as I see it, they are working... all of them work in plain text.
My question... is there any way to enable secure POP, secure IMAP, secure SMTP? Something through SSL port 995 or anything like that?
I've tried to add cram-md5 and login to the mechanisms line in dovecot.conf. But then password authentication always fails.

Thanks,

elvandar

Verified User
Joined
May 14, 2007
Messages
49
Yes you can:

exim:

tls_certificate = /usr/local/etc/exim/exim.cert
tls_privatekey = /usr/local/etc/exim/exim.key

in exim.conf

and

protocols = imap imaps pop3 pop3s

ssl_cert_file = /usr/local/etc/exim/exim.cert
ssl_key_file = /usr/local/etc/exim/exim.key

in dovecot.conf

We are using pop, pops, imap and imaps with pleasure like this.

Cheers
remko
 

nmb

Verified User
Joined
Sep 13, 2008
Messages
207
Thanks elvandar,

It works great with Secured POP (Port 995) and TLS SMTP (Port 587), but I couldn't make it work with Secured SMTP (Port 465).
For now, using TLS SMTP is good, but is there any way to make Secured SMTP work too?

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Did you turn on port 465 in exim?

Look for this line in exim.conf:
Code:
daemon_smtp_ports = 25 : 587
and change it:
Code:
daemon_smtp_ports = 25 : 587 : 465
and be sure to restart exim.

Question for elvandar: Our latest exim.conf (SpamBlocker Version 3-beta) file uses these lines:
Code:
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
Am I wrong? Is it OS dependent?

Thanks.

Jeff
 

nmb

Verified User
Joined
Sep 13, 2008
Messages
207
Jeff,

I already tried that. Add port, then unblock firewall for it, then restart. That didn't work for me. Below is the message I got from Thunderbird:

Code:
Sending of message failed

The message could not be sent because connecting to SMTP server xxx.xxx.xxx  failed. The server maybe unavailable or is refusing SMTP connections. Please verify that your SMTP server setting is correct and try again, or else contact your network administrator.
exim.conf is the one I got from DirectAdmin with a modification to use ClamAV.

About exim.cert and exim.key... mine are located at the same location as yours.

Code:
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
I didn't look at the path when I read what elvandar said. But I know both Dovecot and exim.conf have the same files in the same location.

Thanks,

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Unfortunately I can't help further as I have no experience with it. Is it possible your ISP is blocking the port?

Jeff
 

nmb

Verified User
Joined
Sep 13, 2008
Messages
207
I don't think it's an ISP problem since I also used that port with GMail (Secure SMTP). Anyway, for now, TLS is good enough for me. At least it's not plain text.
I have another paid POP/SMTP mail service that I always ask to at least have something that is better than plain text. They told me they will have it soon. Now it's already been 3 years and I'm still using POP and SMTP in plain text :(

Thanks Jeff,

jaumesb

Verified User
Joined
Jan 10, 2006
Messages
12
Yes you can:
in exim.conf
...
in dovecot.conf
...
You may need to also take into account a CA certificate. The following worked for me:

Examples using an SSL certificate from a user domain (not the server one).

Dovecot:

ssl_cert_file = /usr/local/directadmin/data/users/myuser/domains/mydomain.com.cert
ssl_key_file = /usr/local/directadmin/data/users/myuser/domains/mydomain.com.key
ssl_ca_file = /usr/local/directadmin/data/users/myuser/domains/mydomain.com.cacert
More details: http://wiki.dovecot.org/SSL/DovecotConfiguration

Exim:

* Exim does not have a separate parameter for the CA certificate file, but you can place several certificates in one file:
http://www.exim.org/exim-html-4.30/doc/html/spec_37.html#SECT37.7
So first we create a file containing both cert & CA cert:

cd /usr/local/directadmin/data/users/myuser/domains
cat mydomain.com.cert mydomain.com.cacert > mydomain.com.chaincert
chown diradmin:diradmin mydomain.com.chaincert
* Exim needs to read both files. This is probably a security risk!

chmod 644 mydomain.com.chaincert mydomain.com.key
* Add/change in configuration file:

tls_certificate = /usr/local/directadmin/data/users/myuser/domains/mydomain.com.chaincert
tls_privatekey = /usr/local/directadmin/data/users/myuser/domains/mydomain.com.key
Regards,

Jaume.
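
The chain-file steps from this post as an added example, not part of the original post or of DirectAdmin's tooling: it joins the certificate and CA certificate (supplying the newline a PEM file sometimes lacks) and gives the key mode 640 with a group instead of 644. The file names and the group passed to `restrict_key` are assumptions; substitute the group your Exim process runs under.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not DirectAdmin tooling.

# Join server cert and CA cert (server cert first, as in the post).
# "awk 1" re-emits every line with a newline, so a cert file that lacks a
# trailing newline cannot fuse its END marker with the next BEGIN marker.
build_chain() {   # usage: build_chain <cert> <cacert> <out>
    awk 1 "$1" "$2" > "$3" && chmod 644 "$3"
}

# Give the key to one group and drop access for everyone else (640, not 644).
restrict_key() {   # usage: restrict_key <key> <group>
    chgrp "$2" "$1" && chmod 640 "$1"
}

# Succeeds only when "other" has no read bit on the key.
key_not_world_readable() {   # usage: key_not_world_readable <key>
    [ -z "$(find "$1" -perm -004)" ]
}

# Number of well-formed BEGIN lines; 2 is expected for cert + one CA cert.
chain_cert_count() {   # usage: chain_cert_count <chain>
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Constructed demo: placeholder PEM bodies, not real certificates or keys.
d=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'SERVER' \
    '-----END CERTIFICATE-----' > "$d/site.cert"      # no trailing newline
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CA' \
    '-----END CERTIFICATE-----' > "$d/site.cacert"
printf 'PLACEHOLDER KEY\n' > "$d/site.key"
chmod 644 "$d/site.key"                                # the state in the post
build_chain "$d/site.cert" "$d/site.cacert" "$d/site.chaincert"
restrict_key "$d/site.key" "$(id -g)"   # assumption: substitute Exim's group
if key_not_world_readable "$d/site.key"; then
    echo "chain certs: $(chain_cert_count "$d/site.chaincert"), key mode 640"
fi
rm -rf "$d"
```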
 

dingham

Verified User
Joined
Jun 6, 2008
Messages
17
Location
London, England
Hi Guys,
I'm having a bit of an issue finding our IMAP server's config files.
From what I understand, it should either be dovecot or courier? I'm afraid I can find config files for neither.

Here are some details:

6.1-RELEASE FreeBSD 6.1-RELEASE #0: Wed Nov 22 05:58:15 UTC 2006

telnet 127.0.0.1 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS AUTH=LOGIN] localhost IMAP4rev1 2004.357 at Thu, 25 Jun 2009 14:37:09 +0000 (UTC)

The only references I can find point directly at the imapd binary.

Any ideas?

Cheers
 

tillo

Verified User
Joined
Oct 28, 2007
Messages
862
Location
Switzerland
That is the IMAP server from the University of Washington, called IMAP-UW, which DirectAdmin installs by default if not using Dovecot through CustomBuild.
It doesn't have any runtime config file and is quite limited (read as in "small and fast but limited").

If you need custom IMAP config you may recompile the IMAP-UW binary with your modifications, but I strongly suggest using Maildir+Dovecot instead. There are many topics in this forum and on DA's official help site on how to migrate from mbox to Maildir and from IMAP-UW to Dovecot.
 

dingham

Verified User
Joined
Jun 6, 2008
Messages
17
Location
London, England
Bingo!

Code:
# strings /usr/sbin/imapd | grep ssl
libssl.so.4
/ssl
/ssl
/ssl
/ssl
/ssl
/ssl
set try-ssl-first
/etc/ssl/certs
/etc/ssl/private
tryssl
/ssl
So, just add '/etc/ssl/certs/imap.pem' & '/etc/ssl/certs/imapd.pem'.
Sorted.
 

cyberneticos

Verified User
Joined
Aug 21, 2005
Messages
689
Location
Spain
Hello guys,

When using SMTP via 465, and having selected SSL in Outlook, I get this error:
0x800CCC1A

If I set it to use TLS it works, or if I use no encryption it works also.

I would like to use encryption. Any suggestions to fix the error so I can use SSL?
 

IT_Architect

Verified User
Joined
Feb 27, 2006
Messages
888
When I checked our servers, this is what I found.
/etc/exim.conf
Code:
# SSL/TLS cert and key
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
/etc/dovecot.conf
Code:
#ssl_cert_file = /etc/exim.cert
#ssl_key_file =  /etc/exim.key
ssl_cert_file = /etc/httpd/conf/ssl.crt/server.crt
ssl_key_file = /etc/httpd/conf/ssl.key/server.key
I went into Outlook, clicked the More Settings button, and then selected the advanced tab and checked the SSL boxes and set them to 995 and 587 and it worked. For us, ssl-enabled e-mail was part of the standard DA install. (FreeBSD 7.x servers) The only thing you might want to change is to get a CA cert for the server and point Exim and Dovecot to it so mobile devices that require a CA cert can connect.

While reflecting on this, I concluded that we would be better served by not allowing non-secure access to e-mail. Very often the user names and passwords people use for their e-mail logins are the same ones they use for their business network, thus they are broadcasting to everyone in range their credentials to log into their network as well as their e-mail contents each time they sit down at a Starbucks with their laptops. So perhaps what is needed are "best practices" procedures for installing a CA cert for e-mail and turning off insecure e-mail access. I would think it would be difficult to find an e-mail client these days that cannot do ssl. You can't even set up a pop3 GMail account without it.
 

soulshepard

Verified User
Joined
Feb 7, 2008
Messages
133
Jeff,

I already tried that. Add port, then unblock firewall for it, then restart. That didn't work for me. Below is the message I got from Thunderbird:

Code:
Sending of message failed

The message could not be sent because connecting to SMTP server xxx.xxx.xxx  failed. The server maybe unavailable or is refusing SMTP connections. Please verify that your SMTP server setting is correct and try again, or else contact your network administrator.
exim.conf is the one I got from DirectAdmin with a modification to use ClamAV.

About exim.cert and exim.key... mine are located at the same location as yours.

Code:
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
I didn't look at the path when I read what elvandar said. But I know both Dovecot and exim.conf have the same files in the same location.

Thanks,
I think you are only missing the

* tls_on_connect_ports = 465

in combination with:

* daemon_smtp_ports = 25 : 587 : 465

in the /etc/exim.conf

SoulShepard
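
A check for the situation discussed in this thread, added here as an example and not taken from any poster's setup: it reads `daemon_smtp_ports` and `tls_on_connect_ports` from an exim.conf and reports a port 465 listener that is not marked TLS-on-connect. The function names are hypothetical, and the parser assumes the default colon-separated list form.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Ports whose clients start TLS immediately instead of sending STARTTLS.
IMPLICIT_TLS_PORTS="465"

# Print the values of a colon-separated exim.conf option, one per line.
# Commented-out lines are skipped; only the first assignment is read.
exim_port_list() {   # usage: exim_port_list <option> <conf>
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        head -n 1 | tr ':' '\n' | tr -d ' \t' | sed '/^$/d'
}

# Report implicit-TLS ports that Exim listens on but that are absent from
# tls_on_connect_ports. Returns 0 when nothing is missing, 1 otherwise.
missing_tls_on_connect() {   # usage: missing_tls_on_connect <conf>
    listen=$(exim_port_list daemon_smtp_ports "$1")
    onconnect=$(exim_port_list tls_on_connect_ports "$1")
    missing=""
    for p in $IMPLICIT_TLS_PORTS; do
        if printf '%s\n' "$listen" | grep -qx "$p" &&
           ! printf '%s\n' "$onconnect" | grep -qx "$p"; then
            missing="$missing $p"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "listening without tls_on_connect_ports:$missing"
    return 1
}

# Constructed sample: port 465 added to the listener list and nothing else.
demo_conf=$(mktemp)
printf 'daemon_smtp_ports = 25 : 587 : 465\n' > "$demo_conf"
missing_tls_on_connect "$demo_conf" || echo "fix: tls_on_connect_ports = 465"
rm -f "$demo_conf"
```

With 465 only in `daemon_smtp_ports`, Exim greets in plain text and waits for STARTTLS while the client is already sending a TLS handshake, which the client reports as a failed connection.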
 