Record of some of the computer tech I deal with so that it's documented at least somewhere.

Thursday 21 July 2016

Another server - more courier fun

It's been a while since I did a proper courier installation. The one on CentOS was a botch. I have Debian Jessie in the VM now, phew.

Usual stuff:

# apt-get install postfix courier-imap courier-imap-ssl

The courier-imap-ssl package installs a self-signed certificate and a default dhparams.pem, and Thunderbird / Iceweasel refuses the connection because the server's ephemeral DH key is too short: since the Logjam fixes in 2015, NSS-based clients reject DH groups of fewer than 1024 bits, and the shipped parameters are smaller than that. Even with that fixed, the self-signed certificate still needs a manual exception in the client. I solved some of it before blogging so I forget what I did to kind of get it working.

Regenerating the DH parameters at 2048 bits fixes the DH complaint (mkdhparams honours the DH_BITS environment variable):

# DH_BITS=2048 mkdhparams

Of course, then I got thinking: there are free SSL certificate issuers around, so time to see if I can get a proper cert.

So off to https://startssl.com/ to see what to do. (StartCom was distrusted by the major browsers from 2017 and has since stopped issuing certificates; the steps below apply equally to any CA that takes a CSR.) The login is a client certificate installed in the browser rather than a password, so once you have one, make sure you export it and keep a backup (I haven't done that yet so I can't say how).

You will have to validate control of the domain by receiving an email at one of the addresses listed as contacts in the WHOIS record for the domain (e.g. postmaster@example.com), so mail for the domain must already be arriving somewhere you can read it before the certificate exists.

Then you can go to the Tool Box and start the process of generating a:

(o) Web Server SSL/TLS Certificate

This takes you to https://startssl.com/Certificates/ApplySSLCert where you can add up to 5 domain names, which should be enough for most private stuff, and paste in a Certificate Signing Request (CSR) generated with:

# openssl req -newkey rsa:2048 -keyout server.key.enc -out server.csr

openssl prompts for a passphrase and writes server.key.enc encrypted with it (give the IMAP host name as the Common Name when asked for the subject). Courier cannot prompt for a passphrase when it starts, so you need a decrypted copy, which should be readable by root only since it is now the bare private key:

# openssl rsa -in server.key.enc -out server.key

Paste the .csr into the form on the same page and the new SSL cert is issued.

The Certificate List link gives you the wherewithal to download a server.pem file for your certificate. On its own this is not enough for courier: imapd.pem has to hold the private key as well as the certificate, and it should also carry the issuing intermediate CA certificate so that clients which only know the CA's root can build the chain.

Concatenate key then certificate (append the intermediate after server.pem if the CA supplied one), keep the result mode 0600 and owned by root because it contains the private key, and restart the SSL listener:

# cat server.key server.pem > /etc/courier/imapd.pem
# /etc/init.d/courier-imap-ssl restart
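As an added example (not code from the original post), here is a small POSIX shell script for the assembly step with the checks I would want before restarting courier: it generates an unencrypted key and CSR in one step (-nodes, which makes the separate openssl rsa decryption unnecessary), confirms that the private key really belongs to the certificate the CA handed back, writes imapd.pem as key + certificate + intermediate with mode 0600, and verifies the resulting chain against the CA root the way a client that knows only the root would. The file names (server.key, server.pem, intermediate.pem, root.pem) and the host name imap.example.com are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build and sanity-check courier's imapd.pem. Not part of the
# original post; file names and host names below are assumptions.
set -eu

# Key + CSR in one step. -nodes leaves the key unencrypted, which is what
# courier needs anyway, so no separate "openssl rsa" decryption is required.
# Usage: make_csr <basename> <hostname>   -> <basename>.key, <basename>.csr
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# SHA-256 of the DER SubjectPublicKeyInfo carried in a key file or in a
# certificate; equal fingerprints mean the cert was issued for this key.
# Usage: pubkey_fp key|cert <file>
pubkey_fp() {
  if [ "$1" = key ]; then
    openssl pkey -in "$2" -pubout -outform DER
  else
    openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Assemble imapd.pem in the order courier (OpenSSL) expects: private key,
# then the server certificate, then the intermediate CA certificate(s).
# Refuses to write anything if the key and certificate do not match.
# Usage: assemble_imapd_pem <key> <cert> <intermediates> <output>
assemble_imapd_pem() {
  key_fp=$(pubkey_fp key "$1")
  cert_fp=$(pubkey_fp cert "$2")
  if [ "$key_fp" != "$cert_fp" ]; then
    echo "refusing: $1 is not the private key for $2" >&2
    return 1
  fi
  # Create the file with restrictive permissions from the start: it holds the key.
  ( umask 077; cat "$1" "$2" "$3" > "$4" )
  chmod 600 "$4"
}

# Check that the first certificate in <imapd.pem> chains up to <root-ca.pem>
# using only the intermediates bundled in the same file, i.e. exactly what a
# client that trusts just the root will see. Non-zero if the chain is broken.
# Usage: verify_chain <imapd.pem> <root-ca.pem>
verify_chain() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Typical run on the server (root.pem is the CA's root, downloaded from the issuer):
#   make_csr server imap.example.com        # submit server.csr to the CA, get server.pem back
#   assemble_imapd_pem server.key server.pem intermediate.pem /etc/courier/imapd.pem
#   verify_chain /etc/courier/imapd.pem root.pem && /etc/init.d/courier-imap-ssl restart
```

After the restart, `openssl s_client -connect imap.example.com:993 -showcerts` shows which certificates the server actually presents; a client that prompts to accept the certificate while another connects silently is usually a sign that the intermediate is missing from imapd.pem or that the prompting client's trust store lacks the CA's root.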

And that was that: Thunderbird was happy to connect; K9 Mail on my phone needed an "accept certificate" press but then accepted it. I guess one can add StartSSL CA certs to these things too.
