It's been a while since I did a proper courier installation. The one on CentOS was a botch. I have Debian Jessie in the VM now, phew.
Usual stuff:
# apt-get install postfix courier-imap courier-imap-ssl
The ssl package installs a self-signed SSL certificate that Thunderbird / Iceweasel doesn't accept because the DH key is too short. And then some other crap. I solved some of it before blogging, so I forget what I did to kind of get it working. The DH part is fixed by regenerating courier's DH parameters at a sane size with its mkdhparams script, which honours the DH_BITS environment variable:
# DH_BITS=2048 mkdhparams
Of course, then I got thinking: there are free SSL certificate issuers around, so time to see if I can get a proper cert.
So off to https://startssl.com/ to see what to do. Once one has a login (a client SSL certificate installed in the browser), make sure you extract it (I haven't done that yet, so I can't say how).
You will have to validate control of the domain by receiving an email at an address StartSSL accepts for it: one of the contacts listed in the WHOIS for the domain, or a standard role address such as postmaster@example.com.
Then you can go to the Tool Box and start the process of generating a:
(o) Web Server SSL/TLS Certificate
This takes you to https://startssl.com/Certificates/ApplySSLCert, where you can add up to 5 domain names, which should be enough for most private stuff, and paste a Certificate Signing Request (CSR) generated with:
# openssl req -newkey rsa:2048 -keyout server.key.enc -out server.csr
The .key.enc file is protected by a passphrase, but courier needs the key unencrypted, so you will need to produce a decrypted copy (alternatively, pass -nodes to openssl req above and skip this step). Keep the decrypted key readable by root only:
# openssl rsa -in server.key.enc -out server.key
Paste the .csr into the form on the same page and the certificate is issued.
The Certificate List link will give you the wherewithal to download a server.pem file containing your certificate. This is not enough on its own to use in courier: the file named by TLS_CERTFILE in /etc/courier/imapd-ssl (by default /etc/courier/imapd.pem) has to hold the private key and the certificate together in one PEM file. If the issuer hands out an intermediate CA certificate, append it after your own certificate so that clients can build the chain. The result contains the private key, so it should be readable by root only.
# cat server.key server.pem > /etc/courier/imapd.pem
# /etc/init.d/courier-imap-ssl restart
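The steps above, collected into a script, as an added example that is not part of the original post. It generates the key and a CSR carrying several names (the subjectAltName list is how more than one domain ends up in one certificate), assembles the combined PEM file courier wants, and checks that the key and the issued certificate actually belong together before anything is restarted. The hostnames are placeholders, and because no CA is reachable offline the demo self-signs the CSR as a stand-in for what StartSSL would return; in real use you paste the .csr into the StartSSL form and save the issued certificate as server.crt instead.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is installed;
# mail.example.com / imap.example.com are placeholder names.
set -eu

# Generate an unencrypted 2048-bit RSA key and a CSR listing every name as
# a subjectAltName (the first name also becomes the CN).
# $1 = output prefix, remaining arguments = DNS names.
make_csr() {
    prefix=$1; shift
    cn=$1
    san=""
    for n in "$@"; do
        san="${san:+$san,}DNS:$n"
    done
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
    # -nodes writes the key without a passphrase, so there is no separate
    # 'openssl rsa' decryption step; courier cannot use an encrypted key.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -keyout "$prefix.key" -out "$prefix.csr" 2>/dev/null
    rm -f "$cfg"
    chmod 600 "$prefix.key"
}

# Return 0 if the private key and the certificate carry the same public
# key, 1 otherwise. Catches the classic "old .key with new cert" mistake.
key_matches_cert() {
    kp=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    cp=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$kp" = "$cp" ]
}

# Concatenate key, issued certificate and (optionally) the issuer's
# intermediate chain into the single file courier's TLS_CERTFILE names.
# $1 = key, $2 = certificate, $3 = chain file or "", $4 = output file
assemble_courier_pem() {
    key=$1; cert=$2; chain=$3; out=$4
    ( umask 077; cat "$key" "$cert" > "$out" )   # output holds the private key
    if [ -n "$chain" ]; then cat "$chain" >> "$out"; fi
}

# Sanity-check the assembled file: it must contain a parseable private key
# and at least one parseable certificate.
check_courier_pem() {
    f=$1
    grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$f" || return 1
    openssl x509 -in "$f" -noout 2>/dev/null || return 1
    openssl rsa -in "$f" -check -noout 2>/dev/null
}

# Stand-alone run. The CSR is self-signed here only as a stand-in for the
# certificate a CA would return (constructed, offline); returns 0 on success.
demo() {
    d=$(mktemp -d)
    make_csr "$d/server" mail.example.com imap.example.com
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" -days 1 \
        -out "$d/server.crt" 2>/dev/null
    assemble_courier_pem "$d/server.key" "$d/server.crt" "" "$d/imapd.pem"
    if key_matches_cert "$d/server.key" "$d/server.crt" \
       && check_courier_pem "$d/imapd.pem"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$d"
    return $rc
}
```

Run key_matches_cert against the key you are about to install every time a certificate is renewed; a mismatch makes courier-imap-ssl fail the TLS handshake with nothing more helpful in the log than a generic SSL error.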
And that was that: Thunderbird was happy to connect, and K9 Mail on my phone needed an "accept certificate" press, but it accepted it. I guess one can add the StartSSL CA certs to these things too.