Add SSL support for ssmtp, imaps, pop3s, https, ftp

OS: Gentoo Linux

Services: WEB(lighttpd), SMTP(postfix), IMAP/POP3(courier-imap), ftp (Proftpd)

1. Generate your own certificate files. The steps are similar to those given in Apache2/SSL Certificates.

I am using CACert.org as the CA (because it is free, although browser acceptance of it is limited). For example, generate a CSR file with this command:

$ openssl req -nodes -new -keyout private.key -out server.csr

Then submit the CSR to the CA to get the crt file for your request.

Note: After certification you will have several files, such as root.crt from CACert and a crt file for your server from CACert. Merge the key file and the crt file into a pem file with:

$ cat {server crt file} {server key file} > {server pem file}

The preparation is now finished.
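
Before merging, it is worth confirming that the crt file returned by the CA really belongs to your private key, and creating the pem file readable only by its owner, because it contains the unencrypted key (-nodes). The following is an added example, not part of the original post; build_pem and cert_matches_key are hypothetical helper names and all paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): a checked version of
#   cat {server crt file} {server key file} > {server pem file}
# Helper names are hypothetical; file paths are caller-supplied.

# Succeeds only if the certificate's public key equals the public key
# derived from the private key file.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Usage: build_pem CRT KEY PEM
build_pem() {
    crt=$1 key=$2 pem=$3
    if ! cert_matches_key "$crt" "$key"; then
        echo "build_pem: $crt does not match $key" >&2
        return 1
    fi
    # The merged file holds the unencrypted private key, so create it
    # with owner-only permissions from the start (umask 077).
    (
        umask 077
        rm -f "$pem"
        cat "$crt" "$key" > "$pem"
    ) || return 1
    # Tighten both files; the owner should be the account the daemon
    # starts as (assumption: root, which then drops privileges).
    chmod 600 "$pem" "$key"
}

# Example call (placeholder paths):
#   build_pem server.crt private.key server.pem
```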

2. For lighttpd (https): see Step #4 of Howto: Linux Lighttpd SSL (Secure Server Layer) Https Configuration And Installation.

All we need is to add a section for the SSL port (443) and point it at the certificate files. For example:

$SERVER["socket"] == "[::]:443" {
 ssl.engine    = "enable"
 ssl.pemfile   = "{location for server pem file}"
 ssl.ca-file   = "{location for cacert crt file}"
}

3. For Postfix (smtps): see Code Listing 6-1 of the Virtual Mailhosting System with Postfix Guide. The settings we need are, for example:

smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes

smtpd_tls_key_file = {location for server key file}
smtpd_tls_cert_file = {location for server crt file}
smtpd_tls_CAfile = {location for cacert crt file}

4. For courier-imap (imaps, pop3s): see Courier IMAP SSL Server Certificate Installation and Configuration.

In the imapd-ssl and pop3d-ssl configuration files, we need to modify these two settings:

TLS_CERTFILE={location for server pem file}
TLS_TRUSTCERTS={location for cacert crt file}

5. For Proftpd (secure ftp): see FTP and SSL/TLS.
Add these settings to the configuration file:

TLSEngine on
...
TLSRSACertificateFile {location for server crt file}
TLSRSACertificateKeyFile {location for server key file}

6. Finally, almost all services now support the SSL protocol. You can verify the settings with openssl's s_client tool:

$ openssl s_client -connect {server ip}:{server port}

For example, the ports are 465 (ssmtp), 993 (imaps) and 995 (pop3s). Enjoy it.
