Full Mail Server Solution w/ Virtual Domains & Users - Page 13 (Secure Client + Server Certificates)

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.

Submitted by Vecter (Contact Author) (Forums) on Wed, 2007-10-17 20:43. ::

C. CA Signed client and server certificates

If you want to use CA-signed client certificates, you will need to take further steps, both in Postfix and in Dovecot to make this work. If you want the user names to be taken from the certificate itself, you currently must set the common name to the user name, for example user@example.com, which has been used in this document.

1. Telling Postfix about the Certificates

In Postfix, you can either use a directory of CA certificates, or a composite file with all the certificates concatenated together. We're going to use the concatinated form, since that is what Dovecot is expecting.

# postconf -e 'smtpd_tls_CAfile = /etc/ssl/example.com/ca/all.pem'

2. Telling Dovecot about the Certificates

In Dovecot, you must have the CRL together with the certificate for the authentication to work. The directives themselves are the following.

/etc/dovecot/dovecot.conf

[...]
ssl_ca_file = /etc/ssl/example.com/ca/all.pem
ssl_verify_client_cert = yes
ssl_require_client_cert = yes
ssl_username_from_cert = yes
[...]

NOTE: You will also need to change the password_query to the commented one in /etc/dovecot/dovecot-sql.conf

Warning: If you are running Dovecot release candidate 28 or older, the server will not send out the list of accepted CA names, which could make clients with multiple client certificates unable to connect. Please upgrade or install this patch.

3. Concatinating files

If you have several CAs and CRLs, it could be difficult to concatenate them each time, so a small script was created which will do that for you. Just stick it in your /etc/ssl/example.com/ca/ directory and run it. It will create an all.pem with all certificates and all CRLs.

make.sh:

#!/bin/bash
rm all.pem 2> /dev/null
cat *.pem *.crl > all.pem

4. Postfix TLS settings

Like I said before, there are some settings in Postfix that need to be changed as well, so let's modify main.cf:

# postconf -e 'smtpd_tls_ask_ccert = yes'
# postconf -e 'smtpd_tls_req_ccert = no'
# postconf -e 'smtpd_recipient_restrictions = permit_tls_all_clientcerts, reject'

Now you should have an enterprise ready email server with client certificates.

Full Mail Server Solution w/ Virtual Domains & Users - Page 12 (Secure Dovecot+IMAPS)

Full Mail Server Solution w/ Virtual Domains & Users - Page 14 (Final Notes)

add comment |

view as pdf |

print: this | all page(s) |

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.

Sponsored Links: Unified Communications: Thoughts, Strategies and Predictions
Join the discussion.
www.seamlessenterprise.com

IP Convergence
Integrate your wireless and wireline networks.
Learn how from the experts at Sprint.
www.seamlessenterprise.com

Wireless & Wireline Integration
Thoughts, strategies and solutions: join the discussion
www.seamlessenterprise.com

Unified Communications 2009
Join the Discussion. Now.
www.seamlessenterprise.com

Red Hat Virtual Experience - a free virtual event. Dec. 9th

Virtualization Poll

Options For This Howto

Navigation

User login

Who's online

HowtoForge Forums

News

Recent comments

Newsletter

Syndicate