I switched my courier-imap-ssl config over from an expired self-signed certificate to my new real certificate. I didn’t see a thread on configuring Courier, so here’s a start.
The configuration is in /etc/courier-imap/imapd-ssl, at least on my Gentoo system.
The first issue I ran into is that it expects to have both the certificate and the private key in the same file, so I added to the startup script to combine them. (Being Gentoo, this goes in /etc/conf.d/courier-imap-ssl, which gets sourced by the init script.)
cat /etc/letsencrypt/live/crowcastle.com/privkey.pem /etc/letsencrypt/live/crowcastle.com/fullchain.pem > /etc/courier-imap/imapd.pem
chmod 600 /etc/courier-imap/imapd.pem
I set the list of encryption ciphers, but I don’t see how to tell it to prefer them in this order:
I temporarily set the port to 443 and ran https://www.ssllabs.com/ssltest to see what issues it found. It says I’m vulnerable to the CRIME attack due to compression, but I’m not sure if that’s an issue on an IMAP server or not. I don’t see how to adjust the compression options in the config file, and for performance I do want compression.
Any other comments or suggestions would be welcome.
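An added example, not part of the original post: the combine step above written as a shell function that builds the file with owner-only permissions from the start and swaps it into place with a rename, so a newly created imapd.pem is never readable under the default umask between the cat and the chmod. The function name build_combined_pem is hypothetical; the paths in the usage comment are the ones from the post.

```shell
#!/bin/sh
# build_combined_pem KEY CHAIN OUT   (hypothetical helper, added example)
# Writes KEY followed by CHAIN to OUT, mode 600, replacing OUT atomically.
build_combined_pem() {
    key=$1 chain=$2 out=$3

    # Both inputs must be readable before anything is written.
    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "build_combined_pem: cannot read inputs" >&2
        return 1
    fi

    # Catch swapped or wrong files: the key file must hold a private key,
    # the chain file at least one certificate.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || {
        echo "build_combined_pem: no private key in $key" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" || {
        echo "build_combined_pem: no certificate in $chain" >&2; return 1; }

    # mktemp creates the file with mode 0600. Keeping it in the same
    # directory as OUT makes the final mv a rename on one filesystem.
    tmp=$(mktemp "${out}.XXXXXX") || return 1

    if cat "$key" "$chain" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi

    # On any failure, leave the previous OUT in place and clean up.
    rm -f "$tmp"
    return 1
}

# Usage with the paths from the post:
#   build_combined_pem /etc/letsencrypt/live/crowcastle.com/privkey.pem \
#       /etc/letsencrypt/live/crowcastle.com/fullchain.pem \
#       /etc/courier-imap/imapd.pem
if [ "$#" -eq 3 ]; then
    build_combined_pem "$1" "$2" "$3"
fi
```

If the checks fail, the existing combined file is left untouched, so a bad renewal does not take the running IMAP service's certificate away.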