Securing cyrus-imapd with SSL/TLS on RHEL7
Securing cyrus-imapd (package cyrus-imapd-2.4.17-13.el7), which uses OpenSSL.
This article is part of the Securing Applications Collection
Configuration File
/etc/imapd.conf
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_prefer_server_ciphers: 1
tls_versions: tls1_0 tls1_1 tls1_2
Protocols
tls_versions: tls1_0 tls1_1 tls1_2
TLSv1 or better
Protocol - Alternative Values
tls_versions: tls1_1 tls1_2
Disable TLSv1, allow TLSv1.1 or better
tls_versions: sslv3 tls1_0 tls1_1 tls1_2
Allow SSLv3 or better
Ciphers
NOTE: cyrus-imapd currently does not support ECDH ciphers because the required initialisation code is missing. This is being tracked as a bug and may be resolved in a later release.
tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
Provides the most secure ciphers available.
Ciphers - Alternative Values
tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4-SHA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
Include RC4-SHA for older client compatibility.
tls_cipher_list: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+!MEDIUM:+!LOW
Allow very old ciphers
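To check that an imapd.conf actually carries the protocol and cipher settings recommended in the Protocols and Ciphers sections above, here is an added audit script. It is not part of the article or of cyrus-imapd itself; the two configuration files it builds are constructed samples (the recommended settings, and the SSLv3 plus "very old ciphers" alternatives combined), and on a real host you would point audit_conf at /etc/imapd.conf instead.

```shell
#!/bin/sh
# Added example (not from the article): audit the TLS protocol and cipher
# settings in an imapd.conf against the recommendations above. The two
# configuration files below are constructed samples.

# conf_value FILE KEY: print the value of "KEY: value" from an imapd.conf,
# ignoring comment lines. The last occurrence wins.
conf_value() {
    awk -v key="$2" '
        /^#/ { next }
        index($0, key ":") == 1 { v = $0; sub(/^[^:]*:[ \t]*/, "", v); val = v }
        END { print val }
    ' "$1"
}

# versions_ok FILE: tls_versions must be set explicitly (so the build
# default is not relied on) and must not enable SSLv2 or SSLv3.
versions_ok() {
    versions=$(conf_value "$1" tls_versions)
    [ -n "$versions" ] || return 1
    for v in $versions; do
        case "$v" in
            sslv2|sslv3) return 1 ;;
        esac
    done
    return 0
}

# ciphers_ok FILE: no cipher-string token other than a removal ("!" or "-")
# may enable RC4, MD5, DES/3DES, export, NULL or anonymous DH suites, and
# the catch-all ALL is rejected. A leading "+" (ordering prefix) is
# stripped before the check.
ciphers_ok() {
    list=$(conf_value "$1" tls_cipher_list)
    [ -n "$list" ] || return 1
    printf '%s\n' "$list" | tr ':' '\n' | awk '
        { tok = $0; sub(/^[+]+/, "", tok) }
        tok ~ /^[!-]/ { next }
        tok == "ALL" || tok ~ /RC4|MD5|DES|EXP|NULL|ADH/ { bad++ }
        END { exit bad > 0 }
    '
}

# prefer_ok FILE: the server, not the client, chooses the cipher suite.
prefer_ok() {
    [ "$(conf_value "$1" tls_prefer_server_ciphers)" = "1" ]
}

# audit_conf FILE: run every check, print one line per failure, and
# succeed only if all of them pass.
audit_conf() {
    fails=0
    versions_ok "$1" || { echo "  tls_versions: unset or enables SSLv2/SSLv3"; fails=$((fails + 1)); }
    ciphers_ok  "$1" || { echo "  tls_cipher_list: unset or enables weak suites"; fails=$((fails + 1)); }
    prefer_ok   "$1" || { echo "  tls_prefer_server_ciphers: not 1"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
# constructed sample: the article's recommended settings
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_prefer_server_ciphers: 1
tls_versions: tls1_0 tls1_1 tls1_2
EOF

LEGACY_CONF=$(mktemp)
cat > "$LEGACY_CONF" <<'EOF'
# constructed sample: the SSLv3 and "very old ciphers" alternatives combined
tls_cipher_list: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+!MEDIUM:+!LOW
tls_prefer_server_ciphers: 0
tls_versions: sslv3 tls1_0 tls1_1 tls1_2
EOF
trap 'rm -f "$HARDENED_CONF" "$LEGACY_CONF"' EXIT

for conf in "$HARDENED_CONF" "$LEGACY_CONF"; do
    if audit_conf "$conf"; then echo "$conf: PASS"; else echo "$conf: FAIL"; fi
done
```

The cipher check is deliberately conservative: it looks at the configured string rather than asking OpenSSL which suites it resolves to, so it also flags the RC4-SHA compatibility variant above. Remember that on this cyrus-imapd release the kEECDH/kECDH entries are accepted but not used (see the note above), so the effective suites come from the kEDH and kRSA groups.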
Certificate Handling
cyrus-imapd uses a separate key file and certificate file.
Key File
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
The key should be readable only by user root and group mail (mode 0640, as shown below):
# ls -l /etc/pki/cyrus-imapd/cyrus-imapd.key
-rw-r-----. 1 root mail 3243 Jun 4 14:12 /etc/pki/cyrus-imapd/cyrus-imapd.key
Certificate File
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
It should contain the server certificate, followed by any intermediate certificates, and then the root certificate.
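The two file requirements above (a key readable only by root and group mail, and a certificate file holding the server certificate followed by its chain) are easy to get wrong when certificates are renewed, so here is an added checker for them. It is not part of the article or of cyrus-imapd; the key and certificate files it creates are constructed placeholders, the /etc/pki/cyrus-imapd paths are the article's and are only checked when they exist on the host, and it assumes GNU coreutils stat (as on RHEL 7) plus, for the chain-order test only, an openssl binary.

```shell
#!/bin/sh
# Added example (not from the article): check the files that tls_key_file
# and tls_cert_file point at. The sample files built below are constructed
# placeholders. Assumes GNU coreutils stat and, for chain ordering, openssl.

# key_perms_ok FILE OWNER GROUP: the key must be a regular file owned by
# OWNER:GROUP, unreadable by "other" and at most readable by the group
# (0640 or tighter, matching the ls output above).
key_perms_ok() {
    [ -f "$1" ] || return 1
    perms=$(stat -c '%a %U %G' "$1") || return 1
    mode=${perms%% *}; rest=${perms#* }
    owner=${rest%% *}; group=${rest#* }
    pre=${mode%???}; mode=${mode#"$pre"}      # last three octal digits
    g=${mode%?}; g=${g#?}; o=${mode#??}       # group and other digits
    [ "$owner" = "$2" ] && [ "$group" = "$3" ] || return 1
    [ "$o" = 0 ] || return 1
    case "$g" in 0|4) return 0 ;; *) return 1 ;; esac
}

# cert_count FILE: number of PEM certificate blocks in the file.
cert_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# cert_file_ok FILE: at least one certificate, BEGIN/END markers balanced
# (a truncated paste is a common mistake) and no private key in the file,
# since cyrus-imapd reads the key from tls_key_file instead.
cert_file_ok() {
    [ -f "$1" ] || return 1
    grep -q -- 'PRIVATE KEY-----' "$1" && return 1
    begins=$(cert_count "$1")
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# chain_order_ok FILE: each certificate after the first must be the issuer
# of the one before it (server cert, then intermediates, then root).
# Returns 2 when openssl is not installed. The subject/issuer prefixes are
# stripped so OpenSSL 1.0 and 1.1 output compare the same way.
chain_order_ok() {
    command -v openssl >/dev/null 2>&1 || return 2
    dir=$(mktemp -d)
    awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (dir "/" n ".pem") }' "$1"
    i=1; ok=0
    while [ -f "$dir/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$dir/$i.pem" | sed 's/^[a-z]*= *//')
        subject=$(openssl x509 -noout -subject -in "$dir/$((i + 1)).pem" | sed 's/^[a-z]*= *//')
        [ -n "$issuer" ] && [ "$issuer" = "$subject" ] || ok=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$ok"
}

# Constructed samples: an empty stand-in key with the right mode, a well
# formed certificate file and a broken one.
KEY=$(mktemp); chmod 0640 "$KEY"
CERT_OK=$(mktemp); CERT_BAD=$(mktemp)
cat > "$CERT_OK" <<'EOF'
-----BEGIN CERTIFICATE-----
constructed placeholder: server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
constructed placeholder: intermediate CA certificate
-----END CERTIFICATE-----
EOF
cat > "$CERT_BAD" <<'EOF'
-----BEGIN CERTIFICATE-----
constructed placeholder: server certificate whose END marker was lost
-----BEGIN RSA PRIVATE KEY-----
constructed placeholder: key wrongly appended to the certificate file
-----END RSA PRIVATE KEY-----
EOF
trap 'rm -f "$KEY" "$CERT_OK" "$CERT_BAD"' EXIT

report() { label=$1; shift; if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi; }
# The sample key belongs to the current user, so it is checked against that;
# the real file is checked against root and mail as the article requires.
report "key permissions (sample)" key_perms_ok "$KEY" "$(id -un)" "$(id -gn)"
report "certificate file (good sample)" cert_file_ok "$CERT_OK"
report "certificate file (bad sample)" cert_file_ok "$CERT_BAD"
if [ -f /etc/pki/cyrus-imapd/cyrus-imapd.key ]; then
    report "key permissions" key_perms_ok /etc/pki/cyrus-imapd/cyrus-imapd.key root mail
    report "certificate file" cert_file_ok /etc/pki/cyrus-imapd/cyrus-imapd.pem
    report "chain order" chain_order_ok /etc/pki/cyrus-imapd/cyrus-imapd.pem
fi
```

The structural checks run on any PEM text, which is why the samples above can be placeholders; chain_order_ok needs real certificates and is therefore only run against the host's actual cyrus-imapd.pem. A FAIL from chain_order_ok usually means the intermediate was pasted before the server certificate or the wrong intermediate was bundled.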