Configure courier-imap

Server
1

I switched my courier-imap-ssl config over from an expired self-signed certificate to my new real certificate. I didn’t see a thread on configuring Courier, so here’s a start.

The configuration is in /etc/courier-imap/imapd-ssl, at least on my Gentoo system.

The first issue I ran into is that it expects to have both the certificate and the private key in the same file, so I added to the startup script to combine them. (Being Gentoo, this goes in /etc/conf.d/courier-imap-ssl, which gets sourced by the init script.)

cat /etc/letsencrypt/live/crowcastle.com/privkey.pem /etc/letsencrypt/live/crowcastle.com/fullchain.pem > /etc/courier-imap/imapd.pem
chmod 600 /etc/courier-imap/imapd.pem

I set the list of encryption ciphers, but I don’t see how to tell it to prefer them in this order:

TLS_CIPHER_LIST="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA"

I temporarily set the port to 443 and ran https://www.ssllabs.com/ssltest to see what issues it found. It says I’m vulnerable to the CRIME attack due to compression, but I’m not sure if that’s an issue on an imap server or not. I don’t see how to adjust the compression options in the config file, and for performance I do want compression.

Any other comments or suggestions would be welcome.

1 Like
2

I'm looking for switching my imap server cert over to LE, too. Also using courier-imap under Gentoo.

Last year, when I created my imapd.pem certificate from a CAcert provided certificate, I followed the sequence:

cat myprivkey.pem myservercert.pem >imapd.pem

and following a Gentoo related How-To, I continued by appending a Deffie-Hellman value to the final certification file:

openssl gendh 1024 >>imapd.pem

Apparently, you don't do the gendh part.

Was I doing something something unnecessary that won't be necessary with the LE provided certificate, when following your approach?

What advantage (if any) would the DH part provide?

3

Honestly, I don’t know the answer. I was switching from a self-signed certificate, and all I know is that what I did was sufficient to eliminate the security warnings. I would guess that the DH part you are referring to is not needed, but I’m certainly not an expert. If you find the answer, please post it back here for anyone else who runs into this.

4

Google comes up with:

http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml

where we can read that:

The above commands [cat key.pem servercert.pem >couriercert.pem] are sufficient if you are using the default RSA encryption routines however if you are using the less common DSA standard you will need to add a set of Diffie-Hellman parameters to the combined key using the command below. If you do not know which type of cryptography you are using it is safe to run this command on either type of certificate.

That is of course not authoritative information and will have to be read as such, but it sure gives a hint.

From what I understand, LE uses RSA encryption routines and thus should not need the added DH parameters (according to the cited text). Hopefully, someone with deep understanding of the subject may chime in if the DH parms should be applied, but I guess the subject starts to come close to the borders of what's relevant to discuss on the LE Web site.

Apparently, adding the DH parms doesn't do any harm.

5

You can setup a renew hook for a specific certificate in /etc/letsencrypt/renewal/yourdomain.conf

...
# Options used in the renewal process
[renewalparams]
account = ...
renew_hook = /usr/local/bin/combine-pem-files.sh

Then in combine-pem-files.sh you can combine the needed keys into /etc/courier-imap/imapd.pem and restart courier.