Securing cyrus-imapd with SSL/TLS on RHEL5


This article covers securing cyrus-imapd (cyrus-imapd-2.3.7-16.el5_11), which uses OpenSSL.

This article is part of the Securing Applications Collection

Configuration File

   /etc/imapd.conf

Short Form

tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
tls_cipher_list: kDH:AES
tls_prefer_server_ciphers: 1
tls_versions: tls1_0

Protocols

    tls_versions: tls1_0

Enables TLSv1.

Protocol - Alternative Values

tls_versions: sslv3 tls1_0

Allows SSLv3 or better.

Ciphers

    tls_cipher_list: kDH:AES

Provides the best ciphers available on RHEL5.

Ciphers - Alternative Values

tls_cipher_list: kDH:AES:RC4-SHA

Includes RC4-SHA for compatibility with old clients.

Certificate Handling

cyrus-imapd uses a key file and a certificate file.

Key File

tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.key

The key should be readable only by user root and group mail.

# ls -l /etc/pki/cyrus-imapd/cyrus-imapd.key
-rw-r-----. 1 root mail 3243 Jun  4 14:12 /etc/pki/cyrus-imapd/cyrus-imapd.key

Certificate File

tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem

The file should contain the server certificate, followed by any intermediate certificates, and then the root certificate.
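
The script below is an added example, not part of the original article or the cyrus-imapd project: it compares an imapd.conf with the short-form values above, reports use of the alternative values (sslv3, RC4-SHA), and checks the key file's mode and ownership. The function names are hypothetical, and stat -c assumes GNU coreutils.

```sh
#!/bin/sh
# Added example: compare an imapd.conf with the article's short-form TLS values.

# Print the value of "option: value" from the file (last occurrence wins).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# Print one line per deviation from the short form; return 1 if any were found.
audit_tls() {
    rc=0
    versions=$(conf_value "$1" tls_versions)
    ciphers=$(conf_value "$1" tls_cipher_list)
    prefer=$(conf_value "$1" tls_prefer_server_ciphers)
    case " $versions " in
        "  ")          echo "tls_versions is not set"; rc=1 ;;
        *" sslv3 "*)   echo "tls_versions allows SSLv3: $versions"; rc=1 ;;
    esac
    # ":RC4" matches an enabled RC4 entry but not an exclusion such as "!RC4".
    case ":$ciphers" in
        :)        echo "tls_cipher_list is not set"; rc=1 ;;
        *:RC4*)   echo "tls_cipher_list enables RC4: $ciphers"; rc=1 ;;
    esac
    case $prefer in
        1|yes|on|t|true) ;;
        *) echo "tls_prefer_server_ciphers is not enabled"; rc=1 ;;
    esac
    return $rc
}

# Check the key file mode and owner:group (default root:mail, as in the listing).
check_key_file() {
    mode=$(stat -c '%a' "$1") || return 2
    owner=$(stat -c '%U:%G' "$1")
    case $mode in
        400|440|600|640) ;;
        *) echo "$1: mode $mode is too permissive"; return 1 ;;
    esac
    [ "$owner" = "${2:-root:mail}" ] || { echo "$1: owner is $owner"; return 1; }
}

# Constructed sample using the article's alternative values.
sample=$(mktemp)
printf '%s\n' 'tls_cipher_list: kDH:AES:RC4-SHA' \
    'tls_prefer_server_ciphers: 1' 'tls_versions: sslv3 tls1_0' > "$sample"
audit_tls "$sample" || echo "review the lines reported above"
rm -f "$sample"
```

On a server, call audit_tls /etc/imapd.conf and run check_key_file on the path given by tls_key_file.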
