Securing cyrus-imapd with SSL/TLS on RHEL5


Securing cyrus-imapd (cyrus-imapd-2.3.7-16.el5_11) that uses openssl

This article is part of the Securing Applications Collection

Configuration File

   /etc/imapd.conf

Short form

tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
tls_cipher_list: kDH:AES
tls_prefer_server_ciphers: 1
tls_versions: tls1_0

Protocols

    tls_versions: tls1_0

Allows TLSv1 only.

Protocol - Alternative Values

tls_versions: sslv3 tls1_0

Allows SSLv3 or better.

Ciphers

    tls_cipher_list: kDH:AES

Provides the best ciphers available on RHEL5.

Ciphers - Alternative Values

tls_cipher_list: kDH:AES:RC4-SHA

Includes RC4-SHA for compatibility with old clients.

Certificate Handling

cyrus-imapd uses a key file and a certificate file.

Key File

tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key

The key should be readable only by user root and group mail.

# ls -l /etc/pki/cyrus-imapd/cyrus-imapd.key
-rw-r-----. 1 root mail 3243 Jun  4 14:12 /etc/pki/cyrus-imapd/cyrus-imapd.key

Certificate File

tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem

The file should contain the server certificate, followed by any intermediate certificates, and then the root certificate.
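
The check below is an added example, not part of the original article: a shell function that reports where an imapd.conf departs from the short-form TLS values and the key-file permissions given above. The function names and the EXPECT_OWNER variable are this example's own, and it assumes GNU `stat -c`.

```shell
#!/bin/sh
# Added example (not from the article): report where an imapd.conf departs
# from the article's short-form TLS settings and key-file permissions.
# EXPECT_OWNER is this script's own variable; root:mail is the article's value.

# conf_get FILE KEY: print the last value assigned to KEY, or nothing.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# note MESSAGE: print one finding and mark the audit as failed.
note() { echo "$1"; rc=1; }

# audit_imapd_tls FILE: one line per deviation; returns 1 if any were found.
audit_imapd_tls() {
    conf=$1; rc=0

    v=$(conf_get "$conf" tls_versions)
    case " $v " in
        "  ")     note "tls_versions: not set (article: tls1_0)" ;;
        *" ssl"*) note "tls_versions: '$v' enables an SSL protocol" ;;
    esac

    c=$(conf_get "$conf" tls_cipher_list)
    case $c in
        "")    note "tls_cipher_list: not set (article: kDH:AES)" ;;
        *RC4*) note "tls_cipher_list: '$c' includes RC4" ;;
    esac

    p=$(conf_get "$conf" tls_prefer_server_ciphers)
    [ "$p" = 1 ] || note "tls_prefer_server_ciphers: '$p' (article: 1)"

    key=$(conf_get "$conf" tls_key_file)
    if [ ! -f "$key" ]; then
        note "tls_key_file: '$key' not found"
    else
        mode=$(stat -c %a "$key"); owner=$(stat -c %U:%G "$key")
        case $mode in
            [46]00|[46]40) ;;   # owner read(/write), optional group read, no others
            *) note "tls_key_file: mode $mode, expected 640 or stricter" ;;
        esac
        [ "$owner" = "${EXPECT_OWNER:-root:mail}" ] ||
            note "tls_key_file: owner $owner, expected ${EXPECT_OWNER:-root:mail}"
    fi
    return $rc
}

# Run as: sh audit.sh /etc/imapd.conf
if [ $# -gt 0 ]; then audit_imapd_tls "$1"; fi
```

A non-zero exit status means at least one setting differs from the values in this article; each printed line names the directive concerned.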
