* Jacob Friis Larsen <[EMAIL PROTECTED]> [040811 23:23]:
> Could someone explain what this does?
> I found it at
> http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/html/cyrus-config.html
>
> Does it create a self signed certificate?

yupp

> Is there an easier way on Debian?

Probably not. Complicated as it may look, it is as easy as it can get.

> > *Creating the TLS/SSL Certificate*
> >
> > If you want to enable Cyrus' TLS/SSL facilities, you have to create a
> > certificate first. This requires an OpenSSL installation
> >
> > openssl req -new -nodes -out req.pem -keyout key.pem

This creates your private key.

> > openssl rsa -in key.pem -out new.key.pem
> > openssl x509 -in req.pem -out ca-cert -req \
> > -signkey new.key.pem -days 999

This is where you as private CA sign the private key and make it a public
certificate (new.key.pem).

> > mkdir /var/imap

You create a separate dir for your certs and the key.

> > cp new.key.pem /var/imap/server.pem
> > rm new.key.pem

You copy the server cert to its destination.

> > cat ca-cert >> /var/imap/server.pem

You add your ca-cert to the server's certificate and get a kind of
certificate root store. It holds your server certificate and the CA cert to
prove its validity. The IMAP server must be able to hand both over to the
mail client when it starts TLS.

> > chown cyrus:mail /var/imap/server.pem
> > chmod 600 /var/imap/server.pem # Your key should be protected

Those two commands are there to protect your certs. Nobody but your server
should be able to read them.

> > echo tls_ca_file: /var/imap/server.pem >> /etc/imapd.conf
> > echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf
> > echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf

This adds the relevant configuration parameters and values to
/etc/imapd.conf. The next step I guess would be to restart the server to
make it notice the changes.

There's a script that comes with OpenSSL that's called CA, CA.sh or CA.pl.
They all do the same - assist you in creating a CA, keys and certificates.
However the default setting, somehow hardwired into the script code IIRC,
requires you to provide a password when you create your server's private
key. You must not do that, otherwise you will always have to enter the
password any time your server needs to be restarted - a nice little way to
create your own DoS ;)

HTH,
[EMAIL PROTECTED]

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
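The HOWTO's certificate steps as a non-interactive script, added here as an example that is not part of the original mail or the HOWTO: it writes into a directory you pass in instead of /var/imap, uses an assumed placeholder subject (/CN=imap.example.test) so openssl asks no questions, and adds a check that the combined server.pem holds an unencrypted key plus a matching, unexpired certificate and is readable by its owner only.

```shell
#!/bin/sh
# Added example, not the HOWTO's or the list's own code: the HOWTO's steps run
# non-interactively into a directory you choose (not /var/imap), so it can be
# tried as an unprivileged user. The subject (-subj) is a constructed placeholder.
set -e

make_cyrus_cert() {
    dir="$1"
    mkdir -p "$dir"
    # Certificate request plus private key; -nodes leaves the key unencrypted,
    # so the IMAP server can restart without someone typing a passphrase.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=imap.example.test" \
        -out "$dir/req.pem" -keyout "$dir/key.pem" 2>/dev/null
    # Rewrite the key in plain PEM (no change here; kept to mirror the HOWTO).
    openssl rsa -in "$dir/key.pem" -out "$dir/new.key.pem" 2>/dev/null
    # Self-sign the request with that same key, valid for 999 days.
    openssl x509 -req -in "$dir/req.pem" -signkey "$dir/new.key.pem" \
        -days 999 -out "$dir/ca-cert" 2>/dev/null
    # server.pem = private key followed by the certificate, which is what the
    # three tls_*_file lines in imapd.conf point at.
    cp "$dir/new.key.pem" "$dir/server.pem"
    cat "$dir/ca-cert" >> "$dir/server.pem"
    rm "$dir/new.key.pem" "$dir/key.pem" "$dir/req.pem"
    chmod 600 "$dir/server.pem"
}

# Returns 0 when server.pem holds a private key and a certificate whose public
# key matches it, the certificate is not expired, and only the owner can read it.
check_server_pem() {
    pem="$1"
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" || return 1
    grep -q 'BEGIN CERTIFICATE' "$pem" || return 1
    keypub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    certpub=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ] || return 1
    mode=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
    [ "$mode" = "600" ] || return 1
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1
}
```

Run it as `make_cyrus_cert /tmp/cyrus-tls && check_server_pem /tmp/cyrus-tls/server.pem`; the check is also what you would run against /var/imap/server.pem before restarting the IMAP server.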