Securing cyrus-imapd with SSL/TLS on RHEL7


Securing cyrus-imapd (cyrus-imapd-2.4.17-13.el7) that uses openssl

This article is part of the Securing Applications Collection

Configuration File

   /etc/imapd.conf

Short Form

tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_prefer_server_ciphers: 1
tls_versions: tls1_0 tls1_1 tls1_2

Protocols

tls_versions: tls1_0 tls1_1 tls1_2

TLSv1 or better

Protocol - Alternative Values

tls_versions: tls1_1 tls1_2

Disable TLSv1, allow TLSv1.1 or better

tls_versions: sslv3 tls1_0 tls1_1 tls1_2

Allow SSLv3 or better

Ciphers

NOTE currently cyrus-imapd does not support ECDH ciphers due to lack of initialisation code. This is currently being tracked as a bug and may be resolved in a later release.

tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

Provides the most secure ciphers available.

Ciphers - Alternative Values

tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4-SHA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

Include RC4-SHA for older client compatibility.

tls_cipher_list: ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+!MEDIUM:+!LOW

Allow very old ciphers

Certificate Handling

cyrus-imapd uses a key file and a certificate file.

Key File

tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key

The key should be readable only by user root and group mail.

# ls -l /etc/pki/cyrus-imapd/cyrus-imapd.key
-rw-r-----. 1 root mail 3243 Jun  4 14:12 /etc/pki/cyrus-imapd/cyrus-imapd.key
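The following shell script is an added example, not part of this article or of cyrus-imapd, that audits the three settings discussed above (tls_versions, tls_cipher_list and the key file permissions) from a copy of /etc/imapd.conf. The sample configuration it writes to a temporary file is constructed for the example and deliberately enables sslv3 so that the warning path is exercised. The RC4 test is a textual check on the cipher string; the authoritative expansion is openssl ciphers -v, which the script names in its output.

```shell
#!/bin/sh
# Constructed sample of the TLS-related lines from /etc/imapd.conf (not a real host's file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
tls_cipher_list: kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_prefer_server_ciphers: 1
tls_versions: sslv3 tls1_0 tls1_1 tls1_2
EOF

# Print the value of one "option: value" line from an imapd.conf; prints nothing if absent.
conf_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Print the weakest protocol named in a tls_versions value (sslv3 < tls1_0 < tls1_1 < tls1_2).
weakest_tls_version() {
  for v in sslv3 tls1_0 tls1_1 tls1_2; do
    case " $1 " in *" $v "*) echo "$v"; return 0 ;; esac
  done
  return 1
}

# Return 0 only if the cipher string contains !RC4 and does not re-add RC4-SHA or RC4+RSA.
# Textual heuristic: "openssl ciphers -v '<string>'" is the authoritative expansion.
cipher_string_excludes_rc4() {
  case ":$1:" in
    *":RC4-SHA:"*|*":RC4+RSA:"*) return 1 ;;
    *":!RC4:"*)                  return 0 ;;
    *)                           return 1 ;;
  esac
}

# Return 0 if $1 is owned by user $2, group $3 and has mode 640 or tighter (GNU stat assumed).
key_perms_ok() {
  local owner group mode
  owner=$(stat -c %U "$1") || return 1
  group=$(stat -c %G "$1")
  mode=$(stat -c %a "$1")
  [ "$owner" = "$2" ] && [ "$group" = "$3" ] || return 1
  case "$mode" in 640|600|440|400) return 0 ;; *) return 1 ;; esac
}

# Report on the settings the article covers; the key check expects root:mail as the page states.
audit_imapd_tls() {
  local conf=$1 versions ciphers key
  versions=$(conf_value "$conf" tls_versions)
  ciphers=$(conf_value "$conf" tls_cipher_list)
  key=$(conf_value "$conf" tls_key_file)
  case $(weakest_tls_version "$versions") in
    sslv3|tls1_0) echo "WARN tls_versions allows a legacy protocol: $versions" ;;
    *)            echo "OK   tls_versions: $versions" ;;
  esac
  if cipher_string_excludes_rc4 "$ciphers"; then
    echo "OK   tls_cipher_list excludes RC4"
  else
    echo "WARN tls_cipher_list does not exclude RC4 (check with: openssl ciphers -v '$ciphers')"
  fi
  if [ ! -f "$key" ]; then
    echo "INFO key file $key is not present on this host"
  elif key_perms_ok "$key" root mail; then
    echo "OK   $key is root:mail with mode 640 or tighter"
  else
    echo "WARN $key should be root:mail, mode 0640; found $(stat -c '%U:%G %a' "$key")"
  fi
}

audit_imapd_tls "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Run it as root on the server with the real path in place of the sample file; the sample above reports a WARN for tls_versions (sslv3 present), OK for the cipher list, and INFO for the key file on a host where cyrus-imapd is not installed.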

Certificate File

tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem

The file should contain the server certificate first, followed by any intermediate certificates and then the root certificate.
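Getting the order inside tls_cert_file wrong is a common cause of clients rejecting the chain. The script below is an added example, not part of this article or of cyrus-imapd: it splits a PEM bundle into its certificates with awk and, using openssl, checks that each certificate's issuer matches the subject of the one that follows it, which is the ordering described above. It compares distinguished names as text, so it checks ordering only; signature and trust validation is still done by openssl verify.

```shell
#!/bin/sh
# Count the certificates in a PEM bundle.
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Print the Nth certificate (1-based) of a PEM bundle, header and footer lines included.
pem_nth_cert() {
  awk -v n="$2" '
    /-----BEGIN CERTIFICATE-----/ { i++ }
    i == n { print }
    /-----END CERTIFICATE-----/ { if (i == n) exit }
  ' "$1"
}

# Print subject and issuer of every certificate in the bundle, in file order.
pem_chain_summary() {
  local count i
  count=$(pem_cert_count "$1")
  i=1
  while [ "$i" -le "$count" ]; do
    printf '%d: ' "$i"
    pem_nth_cert "$1" "$i" | openssl x509 -noout -subject -issuer | tr '\n' ' '
    echo
    i=$((i + 1))
  done
}

# Return 0 if certificate k's issuer equals certificate k+1's subject for every k,
# i.e. the bundle is ordered server -> intermediates -> root as the article requires.
chain_order_ok() {
  local file count i issuer next_subject
  file=$1
  count=$(pem_cert_count "$file")
  [ "$count" -ge 1 ] || return 1
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(pem_nth_cert "$file" "$i" | openssl x509 -noout -issuer)
    next_subject=$(pem_nth_cert "$file" $((i + 1)) | openssl x509 -noout -subject)
    # Strip the "issuer=" / "subject=" prefixes so the two DN strings compare directly.
    issuer=${issuer#issuer=}
    next_subject=${next_subject#subject=}
    [ "$issuer" = "$next_subject" ] || return 1
    i=$((i + 1))
  done
  return 0
}

# Stand-alone usage against the path the article configures (assumed to exist on the server).
CERT_FILE=${1:-/etc/pki/cyrus-imapd/cyrus-imapd.pem}
if [ -f "$CERT_FILE" ]; then
  pem_chain_summary "$CERT_FILE"
  if chain_order_ok "$CERT_FILE"; then
    echo "OK   $CERT_FILE is ordered server -> intermediate(s) -> root"
  else
    echo "WARN $CERT_FILE is not in server -> intermediate(s) -> root order"
  fi
fi
```

After correcting the order, confirm the served chain from a client with openssl s_client -connect host:993 -showcerts, which prints the certificates in the order the server actually sends them.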
