Connect securely with encrypted access to Dovecot email server

Q In our office we have an internal Dovecot-based email server. We would like to offer our employees encrypted access to it, as some of them want to connect from home, but we are worried about the security implications of allowing this. Please could you tell us how we can let them connect securely, using secure email protocols?

A Securing these basic services is not hard, even though the mathematical concepts behind the cryptography can be very difficult to grasp. All we need to do is create an SSL certificate and key and make sure that the email server uses the files we have created. You could also buy a certificate, but if it is just for internal use the expense may not be justified. If it were for a publicly accessible service I would say you need a certificate from a vendor that is recognised by the popular email clients, or a warning will be displayed each time a client connects. To create the certificate we will be using the OpenSSL (http://openssl.org) program, which ships with most distributions.

As the openssl command line can be extremely obscure, there is a simple interactive interface which can be used to generate most of the certificates you will need. We could use the mkcert.sh script that comes with Dovecot, but if we use the OpenSSL tools we can make other types of keys and certificates as well. As root, change to the /etc/pki/tls/certs directory (/usr/share/ssl/certs for SUSE; /etc/ssl for Mandriva). Typing make at the command prompt gives a reminder of the kinds of certificate you can create. Normally we create a key first and then create the certificate from the key; however, if we just specify make dovecot.pem it will create a key and certificate together in a single file for use with Dovecot. All you need to do is fill in the information when prompted; the defaults are shown in square brackets.

The most important field to fill in is the Common Name, which should be the domain name of your server as your users will type it into their email clients. The other fields should be filled in as appropriate. Now we just have to copy the file we have created to the locations named in the Dovecot configuration file (/etc/dovecot.conf) by the two parameters ssl_cert_file and ssl_key_file, which point to the certificate and key file respectively. Because make produced the key and certificate in one file, we copy that same file to both locations, /etc/pki/dovecot/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem, replacing the automatically generated localhost files. We have now generated a unique certificate and have a secure Dovecot mail server.
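The same procedure scripted with openssl directly, as an added example that is not part of the original answer and not Dovecot's own mkcert.sh: it generates the key and certificate into the two paths the answer names, writes the ssl_cert_file and ssl_key_file lines, and then checks the result. Unlike the make dovecot.pem route, which puts key and certificate in one file, this keeps the private key in a separate file under private/ so it can be given tighter permissions; the ROOT argument is a hypothetical staging directory so the script can be tried without touching /etc, and mail.example.com is a constructed host name.

```shell
#!/bin/sh
# Added example (not from the original article): self-signed certificate and
# key for Dovecot, installed to the paths the article uses, plus sanity checks.
# ROOT is a hypothetical staging prefix (use "" to write the real /etc paths).

# make_dovecot_cert ROOT CN [DAYS]
# Writes ROOT/etc/pki/dovecot/dovecot.pem (certificate) and
# ROOT/etc/pki/dovecot/private/dovecot.pem (private key).
make_dovecot_cert() {
    root="$1"; cn="$2"; days="${3:-365}"
    certdir="$root/etc/pki/dovecot"
    keydir="$certdir/private"
    mkdir -p "$certdir" "$keydir"
    # -nodes: no passphrase, because Dovecot must read the key unattended at
    # start-up. The Common Name is the host name clients will connect to.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$cn" \
        -keyout "$keydir/dovecot.pem" -out "$certdir/dovecot.pem" 2>/dev/null
    # The private key must be readable by root only; the certificate is public.
    chmod 600 "$keydir/dovecot.pem"
    chmod 644 "$certdir/dovecot.pem"
}

# write_dovecot_ssl_conf ROOT
# Appends the two parameters from the article to ROOT/etc/dovecot.conf.
write_dovecot_ssl_conf() {
    root="$1"
    mkdir -p "$root/etc"
    cat >> "$root/etc/dovecot.conf" <<EOF
ssl_cert_file = /etc/pki/dovecot/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
EOF
}

# cert_cn CERTFILE -> prints the certificate's Common Name.
# Handles both "subject=CN = host" (OpenSSL 1.1+) and "subject= /CN=host".
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_key_match CERTFILE KEYFILE -> exit 0 if the RSA moduli agree, i.e. the
# certificate really belongs to the installed private key.
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# file_mode FILE -> prints the octal permission bits (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage on a real server (run as root), with the defaults the article quotes:
#   make_dovecot_cert "" mail.example.com 365
#   write_dovecot_ssl_conf ""
#   cert_key_match /etc/pki/dovecot/dovecot.pem /etc/pki/dovecot/private/dovecot.pem
```

The two check functions are the part worth keeping around: cert_cn confirms the Common Name is the host name users will type, and cert_key_match catches the classic mistake of copying a new certificate over the old one while leaving the old key in place. Restart Dovecot after changing the configuration so it picks up the new files.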
