Wish I could take credit for this, but this Howto came from Justin Samuel’s Blog. I’ve posted my comments in another color.

This howto will show you how to setup an SSL certificate on a Plesk server so that it will be used when people connect through secure pop, smtp and imap.

To do the following, you need a certificate. It can be self signed or CA signed. Using a self-signed cert will of course result in some browser warnings for those who have not added the certificate as locally trusted on their computer. [You can read how to create a self signed cert here.]

You will want a copy of your cert in PEM format. If you don’t have this already, just create a single file with the private key followed by the certificate. That’s it. For example, just run the following (using correct paths to your private key and certificate files):

# cat server.key server.crt > server.pem
# chmod 600 server.pem

and you’ll now have a PEM file. It should look like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Courier-IMAP (pop3s and imaps)

The first step is to set it up for pop3s and imaps by backing up and replacing the certs at:

/usr/share/courier-imap/pop3d.pem
and
/usr/share/courier-imap/imapd.pem

with your PEM file.

If you have a chained cert, you need to do one more thing. You need to tell courier-imap about it. Backup and edit both of the following files:

/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl

and set the value TLS_TRUSTCERTS in each file to the path to the certificate chain. For example, drop a copy of the certificate chain into a file at:

/usr/share/courier-imap/chain.crt

and then set the value for TLS_TRUSTCERTS in the pop3d-ssl and imapd-ssl files like so:

TLS_TRUSTCERTS=/usr/share/courier-imap/chain.crt

now restart courier-imap:

service courier-imap restart

Qmail (smtps)

To setup your certificate for use with smtps, copy your PEM file to:

/var/qmail/control/servercert.pem

and if you have a CA certs, append them to that same file (so you should have all of the CA chained certs right after your own certificate in that file).

now restart qmail:

service qmail restart

Test everything

You can test these newly installed certificates to make sure everything is working with the following:

openssl s_client -connect [host]:993
openssl s_client -connect [host]:995
openssl s_client -connect [host]:465

Note that the imaps test (port 465) can take a while to respond when testing like this.

And, of course, you can test these (and should) by trying to use an actual email account to send and receive mail using these protocols.

Leave a Reply