1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
This documentation is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Street #330, Boston, MA 02111-1307, USA.
=========================================================================
Quick guide to SSL certificates with Binc IMAP.
Table of contents:
0. Introduction
1. To generate a private key and certificate request
2. To generate a private key and self-signed certificate
3. To generate a private key and CA signed certificate, acting as
one's own CA.
For more information, check out the project home page's FAQ and
the Life With Binc IMAP community documentation site:
http://www.lifewithbincimap.org/
=========================================================================
0. Introduction
---------------
The are two ways to enable SSL on Binc IMAP. One is to use an SSL
tunnel (http://www.stunnel.org/), the other is to use Binc IMAP's
native SSL support. If you compiled Binc with SSL support, the latter
is much easier to set up.
To use SSL with Binc IMAP, you need a private key and a certificate.
A private key is a random string of bits that is secret to your host.
If this key is compromised, your SSL server will no longer provide
significant security for your users.
The certificate is among the first things the server sends to a
client. The client uses this certificate to make certain that it is
communicating with the correct host. To do this, it needs to check the
certificate with a trusted third party certificate, known as a CA
certificate.
There are in general two types of certificates:
- CA signed certificates
- Self signed certificates
CAs, or Certificate Authorities, are used by clients to verify the
authenticity of a certificate. If you want an official CA to verify
your certificate, you need to send a "certificate request". Usually
for a certain price, a signed certificate is returned to you. If you
do not wish to use an official CA, you can act as your own CA and
create your own CA signed certificates.
A certificate is not valid unless it is signed. If it is self signed,
the clients can not verify its identity. In that sense, a self signed
certificate is only useful in a test environment. The client can not
identify the server if the server uses a self-signed certificate.
The general idea is:
* If you are testing an SSL enabled server, generate a self-signed
test certificate.
* If you want to provide an SSL enabled service on a closed network,
create a CA certificate and a signed host certificate, then install
the CA certificate on all clients on the network.
* If you want to provide an SSL enabled service on an open network
such as the Internet, use an official CA to sign your certificate.
1. To generate a private key and certificate request
----------------------------------------------------
Quick hit: "make cert".
To generate a private key and a certificate request, the following
openssl command can be used:
openssl req -newkey rsa:1024 -keyout bincimap.key -nodes -days 365 -out bincimap.crq
Inside bincimap.crq is a certificate request in PEM encoding, which
basically means the certificate is base64 encoded and enclosed in a
start string that says "BEGIN CERTIFICATE REQUEST" and an end string
that says "END CERTIFICATE REQUEST".
Submit this request file to a CA such as Thawte (http://www.thawte.com/) or
Verisign (http://www.verisign.com/). When you receive the signed certificate
from them, store this in a file called bincimap.cert.
The file contains the PEM encoded certificate, and it is enclosed in
a start string that says "BEGIN CERTIFICATE" and an end string that
says "END CERTIFICATE".
Then edit bincimap-config and set the full filename and path to your
certificate file and your private key file.
You're now ready to use Binc IMAP with SSL.
2. To generate a private key and self-signed certificate
--------------------------------------------------------
Quick hit: "make testcert".
To generate a private key and a self-signed certificate, the following
openssl command can be used:
openssl req -newkey rsa:1024 -keyout bincimap.key -x509 -nodes -days 365 -out bincimap.cert
Then edit bincimap-config and set the full filename and path to your
certificate file and your private key file.
You're now ready to test Binc IMAP with SSL.
3. To generate a private key and CA signed certificate, acting as
one's own CA.
------------------------------------------------------------------
Look up the guides on LifeWithBincIMAP.org:
http://lifewithbincimap.org/index.php/Main/DoItYourselfCertificateAuthority
http://lifewithbincimap.org/index.php/Main/SettingUpYourOwnSSLCertificationAuthority
You're now ready to use Binc IMAP with SSL.
Happy IMAPing!
Andy :-)
=========================================================================
Tell us what you think about this server! Post any problems, remarks
or comments to:
The Binc IMAP mailing list <lists-bincimap@infeline.org>
Author: Andreas Aardal Hanssen <andreas-binc at bincimap.org>
|