HOWTO: Setup SSL certificates for mail services (pop3s, imaps, smtps) on Plesk / Courier-Imap / Qmail
This howto will show you how to set up an SSL certificate on a Plesk server so that it will be used when people connect through secure pop, smtp and imap.
To do the following, you need a certificate. It can be self-signed or CA-signed. Using a self-signed cert will of course result in warnings in mail clients for those who have not added the certificate as locally trusted on their computer.
You will want a copy of your cert in PEM format. If you don’t have this already, just create a single file with the private key followed by the certificate. That’s it. For example, just run the following (using correct paths to your private key and certificate files):
touch host.pem
chmod 600 host.pem
cat host.key host.crt > host.pem
and you’ll now have a PEM file. Since the key was concatenated first, it should look like this:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Courier-IMAP (pop3s and imaps)
The first step is to set it up for pop3s and imaps by backing up and replacing the certs at:
/usr/share/courier-imap/pop3d.pem
and
/usr/share/courier-imap/imapd.pem
with your PEM file.
If you have a chained cert, you need to do one more thing: tell courier-imap about the chain. Back up and edit both of the following files:
/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl
and set the value TLS_TRUSTCERTS in each file to the path to the certificate chain. For example, drop a copy of the certificate chain into a file at:
/usr/share/courier-imap/chain.crt
and then set the value for TLS_TRUSTCERTS in the pop3d-ssl and imapd-ssl files like so:
TLS_TRUSTCERTS=/usr/share/courier-imap/chain.crt
Now restart courier-imap:
service courier-imap restart
Qmail (smtps)
To set up your certificate for use with smtps, copy your PEM file to:
/var/qmail/control/servercert.pem
and if you have CA certificates, append them to that same file (so you should have all of the chained CA certs right after your own certificate in that file).
Now restart qmail:
service qmail restart
Test everything
You can test these newly installed certificates to make sure everything is working with the following:
openssl s_client -connect [host]:993
openssl s_client -connect [host]:995
openssl s_client -connect [host]:465
Note that the smtps test (port 465) can take a while to respond when testing like this.
And, of course, you can (and should) also test these by using an actual email account to send and receive mail over these protocols.
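As an added example (not part of the original howto), the following POSIX shell functions carry out the steps above: build host.pem with the key first and mode 0600, sanity-check the block order, optionally confirm the key and certificate belong together, install with a backup, and probe the three ports with s_client. File names and mail.example.com are placeholders for your own paths and host.

```shell
#!/bin/sh
# Added example: assemble host.pem (key first, then cert, then any chain),
# sanity-check it, install it with a backup, and probe the TLS ports.
# All paths are placeholders; point them at your own key/cert files.

# make_pem KEY CERT OUT [CHAIN]: create OUT as 0600 and check it.
make_pem() {
  key=$1; cert=$2; out=$3; chain=$4
  ( umask 077; cat "$key" "$cert" > "$out" ) || return 1   # 0600: holds the private key
  [ -n "$chain" ] && cat "$chain" >> "$out"
  check_pem "$out"
}

# check_pem FILE: exactly one private key block, at least one certificate
# block, and the key comes first (the order the cat above produces).
check_pem() {
  f=$1
  keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f")
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")
  [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key, found $keys" >&2; return 1; }
  [ "$certs" -ge 1 ] || { echo "$f: no certificate block" >&2; return 1; }
  case $(grep -- '-----BEGIN' "$f" | head -n 1) in
    *"PRIVATE KEY"*) return 0 ;;
    *) echo "$f: private key should precede the certificate" >&2; return 1 ;;
  esac
}

# key_matches_cert FILE: confirm the key and leaf cert in FILE belong
# together by comparing their public keys (needs openssl).
key_matches_cert() {
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ "$a" = "$b" ]
}

# install_pem SRC DEST: back up DEST if present, then copy SRC in as 0600.
install_pem() {
  [ -f "$2" ] && cp -p "$2" "$2.bak.$(date +%Y%m%d)"
  cp "$1" "$2" && chmod 600 "$2"
}

# probe_tls HOST PORT: handshake only; </dev/null stops s_client waiting on stdin.
probe_tls() {
  openssl s_client -connect "$1:$2" </dev/null 2>&1 | grep -E 'Verify return code|^subject='
}

# Usage on a real server (uncomment):
# make_pem host.key host.crt host.pem chain.crt && key_matches_cert host.pem
# for d in imapd pop3d; do install_pem host.pem /usr/share/courier-imap/$d.pem; done
# for p in 993 995 465; do probe_tls mail.example.com "$p"; done
```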
Hi :
About the pop3s for Plesk, it was still not running OK!
Do you have detailed steps you can offer?
Thanks!
Neo
Thanks for the walk through that is a great help.
I did not get the pop3s and imaps part to work. I get the following error, any suggestions:
CONNECTED(00000003)
write:errno=54
I found this seemed to make a difference:
Change the TLS_VERIFYPEER setting to “PEER”. The setting can also be changed to “REQUIREPEER” to require all SSL/TLS connections to provide a certificate. Otherwise, it is optional. If the mail client provides an SSL certificate, it may be used to authenticate. Without a certificate, password-based authentication remains an option.
http://www.courier-mta.org/imap/INSTALL.html
Hello Justin
Thank you for your work and this site.
regards,
joshua
Thanks very much for the clear instructions – all went fine on my Plesk 8.3 server. :)
Thanks for the howto. It got our Plesk 8.4 system working great.
Plesk comes configured with a limit of 4 connections per IP address and a limit of 40 connections total. Modern IMAP clients such as Mozilla Thunderbird use mailbox caching to open up multiple connections to increase performance. In the case of Thunderbird, it opens up 5 connections by default which is already 1 connection more than Courier-IMAP’s default restriction. Add another few computers behind a firewall and those additional users won’t be able to connect at all since a single Thunderbird client is already utilizing all 4 connections.
http://kb.mediatemple.net/questions/259/(dv)+HOWTO%3A+Raise+Courier-IMAP+Connections