Courier IMAP with perfect forward secrecy

Set up a courier-imap mail server so that it uses perfect forward secrecy.

Preface

With the ongoing revelations about NSA activities, I consider it a personal matter to make the NSA's approach of listening in on every possible communication as hard as possible.
Even though your mails might not contain confidential information, it is wise to secure mail transport and retrieval.

It's pretty easy to set up courier with SSL/TLS. Just get a certificate or generate one yourself.
I advise getting certificates signed by a trusted authority.
https://www.startssl.com will do this for free. This way your mail clients won't complain about an untrusted certificate. (StartCom's certificates have since been distrusted by the major browsers, so pick a CA that is currently trusted.)

But with the Heartbleed bug your private key might have been revealed. With a plain RSA key exchange the session key is encrypted under that long-term server key, so whoever holds the key (the NSA included) can decrypt all communication recorded before.

A way to prevent this in future is perfect forward secrecy: the session key is derived from an ephemeral Diffie-Hellman exchange that is never written to disk, so a later compromise of the server key does not expose recorded sessions.

Check

Use openssl to check whether your mail server supports perfect forward secrecy.


openssl s_client -connect yourmailserver:993
...
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
...


The cipher name should start with "DHE" or "ECDHE" to ensure the connection uses perfect forward secrecy. Older OpenSSL builds name some ephemeral suites "EDH-", and on newer OpenSSL the line reads e.g. "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384"; every TLS 1.3 suite uses an ephemeral key exchange. A name like "AES256-SHA" with no such prefix means static RSA key exchange, i.e. no forward secrecy.

I checked my mail server: postfix worked with PFS out of the box. It just needs a certificate and everything is fine. Courier-imap, however, did not support PFS.


openssl s_client -connect mymailserver:465
...
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
...


openssl s_client -connect mymailserver:993
...
New, TLSv1/SSLv3, Cipher is AES256-SHA
...
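The same check, scripted so it can be run against every TLS port after each change. This is an added example and not part of the original post: the host name is a placeholder and the two transcripts at the bottom are constructed to mirror the output above, not captured from a real server. It also goes slightly beyond the "DHE/ECDHE" rule in the text: it accepts the older EDH- names and TLS 1.3 suites (always ephemeral), and flags anonymous ADH/AECDH suites separately, since those are forward secret but unauthenticated.

```shell
#!/bin/sh
# Added example (not from the original post): classify the cipher that
# `openssl s_client` reports, so the PFS check can be scripted per port.
# Assumptions: "mymailserver" is a placeholder; the sample transcripts
# below are constructed, not captured from a real server.

# Extract the negotiated cipher from s_client output read on stdin.
# s_client prints "New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA"
# (or "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384" on newer OpenSSL,
# or "New, (NONE), Cipher is (NONE)" when no TLS session was set up).
negotiated_cipher() {
    sed -n 's/^New, [^,]*, Cipher is //p' | head -n 1
}

# Map an OpenSSL cipher name to a forward-secrecy verdict:
#   PFS     ephemeral (EC)DH key exchange: ECDHE-, DHE-, EDH- prefixes,
#           and every TLS 1.3 suite (TLS_...), which always uses (EC)DHE
#   ANON    ephemeral but unauthenticated (ADH-, AECDH-): do not accept
#   NO-PFS  static RSA key exchange (AES256-SHA, RC4-SHA, ...): a leaked
#           server key decrypts recorded sessions
#   NONE    no cipher negotiated (handshake failed or TLS not offered)
classify_cipher() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*|TLS_*) echo PFS ;;
        ADH-*|AECDH-*)             echo ANON ;;
        ""|"(NONE)")               echo NONE ;;
        *)                         echo NO-PFS ;;
    esac
}

# Classify a whole s_client transcript passed as a single string.
classify_transcript() {
    classify_cipher "$(printf '%s\n' "$1" | negotiated_cipher)"
}

# Probe a live host:port (this part needs network access). Prints
# "host:port cipher VERDICT" and succeeds only if the verdict is PFS.
# Usage: probe mymailserver 993; probe mymailserver 995; probe mymailserver 465
probe() {
    host=$1; port=$2
    out=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null)
    cipher=$(printf '%s\n' "$out" | negotiated_cipher)
    verdict=$(classify_cipher "$cipher")
    echo "$host:$port ${cipher:-(none)} $verdict"
    [ "$verdict" = PFS ]
}

# Constructed sample transcripts mirroring the before/after output above.
SAMPLE_IMAP_BEFORE='CONNECTED(00000003)
...
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit'
SAMPLE_IMAP_AFTER='CONNECTED(00000003)
...
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit'

classify_transcript "$SAMPLE_IMAP_BEFORE"   # NO-PFS
classify_transcript "$SAMPLE_IMAP_AFTER"    # PFS
```

Run probe against 993, 995 and 465 before and after the change; the exit status makes it usable from a cron job or a deployment script, so a later configuration change that silently drops the DHE suites is noticed.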

Solution

Reading around the net I found that courier needs generated DH parameters before it will offer the DHE cipher suites; without them OpenSSL cannot perform the ephemeral Diffie-Hellman exchange, so it falls back to static RSA. (openssl calls the output of dhparam a "DH key" in places, but it is a set of public group parameters, not a secret.)
The DH parameters could already be in your certificate file, but in my case they were not.

First generate DH parameters (2048 bits takes a few minutes on a small server):


openssl dhparam -out dhkey.pem 2048

Second, append the DH parameters to your certificate file. This is the file referenced by TLS_CERTFILE, which already holds both the certificate and the private key, so it must stay readable by root only (mode 0600):


cat dhkey.pem >> mycertificate.pem

Finally, point TLS_DHCERTFILE in imapd-ssl at the certificate file that now ends with a DH PARAMETERS block:


# /etc/courier-imap/imapd-ssl
TLS_DHCERTFILE="/etc/courier-imap/mycertificate.pem"

Restart courier-imap and run the check again. A DHE cipher means the parameters were picked up; if the cipher is still AES256-SHA, verify the path in TLS_DHCERTFILE and that the file is readable by the courier process.


openssl s_client -connect mymailserver:993
...
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
...

Now courier-imap should support PFS.
Of course you should enable PFS for the POP3 protocol (port 995) too.
Just make the same adjustment in the pop3d-ssl file and restart courier-pop.
