Securing cyrus-imapd with SSL/TLS on RHEL7

Securing cyrus-imapd (cyrus-imapd-2.4.17-13.el7), which uses OpenSSL for its TLS implementation.

This article is part of the Securing Applications Collection

Configuration File

   /etc/imapd.conf

Short form (all TLS-related settings together):

    tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
    tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
    tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
    tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
    tls_prefer_server_ciphers: 1
    tls_versions: tls1_0 tls1_1 tls1_2

Protocols

    tls_versions: tls1_0 tls1_1 tls1_2

Allow TLSv1.0 or better.

Protocol - Alternative Values

    tls_versions: tls1_1 tls1_2

Disable TLSv1.0, allow TLSv1.1 or better.

    tls_versions: sslv3 tls1_0 tls1_1 tls1_2

Allow SSLv3 or better. SSLv3 is obsolete and should only be enabled for legacy clients that cannot negotiate TLS.

Ciphers

NOTE: cyrus-imapd currently does not support ECDH ciphers due to a lack of initialisation code. This is being tracked as a bug and may be resolved in a later release.

    tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

Provides the most secure ciphers available.

Ciphers - Alternative Values

    tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4-SHA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

Include RC4-SHA for older client compatibility.

    tls_cipher_list: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+!MEDIUM:+!LOW

Allow very old ciphers. This is the least secure option and should only be used while legacy clients still require it.
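The protocol and cipher choices in the two sections above can be checked mechanically. The shell script below is an added example, not part of the Red Hat article or of cyrus-imapd itself: it reads tls_versions, tls_cipher_list and tls_prefer_server_ciphers from an imapd.conf-style file and flags SSLv2/SSLv3/TLSv1.0, an RC4 suite that is not removed with "!RC4", a missing "!aNULL" exclusion, and server cipher preference that is not enabled. The two sample configuration files it writes are constructed from the values shown in this article; the function names imapd_setting and audit_imapd_tls are the example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat article or cyrus-imapd): audit the TLS
# settings in an /etc/imapd.conf-style file for the weak choices discussed above.

# Print the value of one "key: value" setting from the file given in $2.
# Values such as cipher lists contain ':' themselves, so strip only the
# leading "key:" with sed rather than splitting on ':'.
imapd_setting() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# Report weak settings. Returns 0 when none are found, 1 otherwise.
audit_imapd_tls() {
    conf=$1
    rc=0
    versions=$(imapd_setting tls_versions "$conf")
    ciphers=$(imapd_setting tls_cipher_list "$conf")
    prefer=$(imapd_setting tls_prefer_server_ciphers "$conf")

    # Any protocol below TLSv1.1 enabled in tls_versions is flagged.
    for weak in sslv2 sslv3 tls1_0; do
        case " $versions " in
            *" $weak "*) echo "WEAK: tls_versions enables $weak"; rc=1 ;;
        esac
    done

    # In OpenSSL cipher strings "!X" removes X permanently, so an "!RC4" entry
    # wins over any other mention of RC4; otherwise a bare RC4 suite is enabled.
    case ":$ciphers:" in
        *":!RC4:"*) ;;
        *RC4*) echo "WEAK: tls_cipher_list enables RC4"; rc=1 ;;
    esac

    # Anonymous (unauthenticated) suites should always be excluded explicitly.
    case ":$ciphers:" in
        *":!aNULL:"*) ;;
        *) echo "WARN: tls_cipher_list does not exclude anonymous (aNULL) suites"; rc=1 ;;
    esac

    [ "$prefer" = "1" ] || { echo "WARN: tls_prefer_server_ciphers is not 1"; rc=1; }
    return $rc
}

# Constructed sample configs: the recommended settings from the article and a
# legacy variant built from the "allow very old ciphers" / SSLv3 alternatives.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_CONF=$SAMPLE_DIR/imapd-recommended.conf
BAD_CONF=$SAMPLE_DIR/imapd-legacy.conf
cat > "$GOOD_CONF" <<'EOF'
tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_prefer_server_ciphers: 1
tls_versions: tls1_1 tls1_2
EOF
cat > "$BAD_CONF" <<'EOF'
tls_cipher_list: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+!MEDIUM:+!LOW
tls_prefer_server_ciphers: 0
tls_versions: sslv3 tls1_0 tls1_1 tls1_2
EOF

echo "== recommended =="
audit_imapd_tls "$GOOD_CONF" && echo "no weak settings found"
echo "== legacy =="
audit_imapd_tls "$BAD_CONF" || echo "weak settings present"
```

Run it as-is to see both samples audited, or call audit_imapd_tls /etc/imapd.conf against the live file after sourcing the script; the sample directory is removed when the shell exits.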

Certificate Handling

cyrus-imapd uses a separate key file and certificate file.

Key File

    tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key

The key should be readable only by user root and group mail (mode 0640), for example:

    # ls -l /etc/pki/cyrus-imapd/cyrus-imapd.key
    -rw-r-----. 1 root mail 3243 Jun  4 14:12 /etc/pki/cyrus-imapd/cyrus-imapd.key

Certificate File

    tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem

The certificate file should contain the server certificate, followed by any intermediate certificates, and then the root certificate.
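Both requirements in this section (key file permissions, certificate order) can be verified before restarting the service. The shell script below is an added example, not part of the Red Hat article or of cyrus-imapd: check_key_mode confirms the key mode grants nothing to "other" and at most read access to the group and prints owner:group for comparison against root:mail, cert_count counts PEM blocks in the certificate file, and check_chain_order splits the file and confirms that each certificate's issuer is the subject of the certificate that follows it. It assumes GNU stat (as on RHEL) and, for the chain check only, the openssl command-line tool; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat article or cyrus-imapd): verify the
# permission and ordering requirements for tls_key_file and tls_cert_file.
# Assumes GNU stat; the chain-order check additionally needs the openssl CLI.

# Return 0 if the key file mode is one of 0640/0600/0440/0400, i.e. no access
# for "other" and at most read access for the group; print owner:group so the
# administrator can confirm it is root:mail.
check_key_mode() {
    key=$1
    mode=$(stat -c '%a' "$key") || return 1
    echo "$key: mode $mode, owner $(stat -c '%U:%G' "$key") (expected root:mail)"
    case $mode in
        640|600|440|400) return 0 ;;
        *) echo "BAD: mode $mode on $key is too permissive"; return 1 ;;
    esac
}

# Count the PEM certificate blocks in the certificate file.
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Split the PEM file into one file per certificate and check that each
# certificate's issuer matches the subject of the one after it, which is the
# order cyrus-imapd expects: server certificate, intermediates, then root.
check_chain_order() {
    pem=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping chain check"; return 0; }
    n=$(cert_count "$pem")
    [ "$n" -gt 0 ] || { echo "BAD: no certificates found in $pem"; return 1; }
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" } n { print > out }' "$pem"
    rc=0
    i=1
    while [ "$i" -le "$n" ]; do
        subj=$(openssl x509 -in "$tmp/cert$i.pem" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer | sed 's/^issuer= *//')
        echo "cert $i: subject=$subj"
        echo "        issuer=$iss"
        if [ "$i" -lt "$n" ]; then
            next=$(openssl x509 -in "$tmp/cert$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
            [ "$iss" = "$next" ] || { echo "ORDER: cert $i was not issued by cert $((i + 1))"; rc=1; }
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# Paths from the article; each check runs only if the file is present.
KEY=/etc/pki/cyrus-imapd/cyrus-imapd.key
CERT=/etc/pki/cyrus-imapd/cyrus-imapd.pem
if [ -e "$KEY" ]; then
    check_key_mode "$KEY"
fi
if [ -e "$CERT" ]; then
    echo "$CERT contains $(cert_count "$CERT") certificate(s)"
    check_chain_order "$CERT"
fi
```

The chain check compares the distinguished-name strings printed by openssl, so it only confirms ordering; full signature validation is left to openssl verify.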
