[CentOS] Self signed certs, openssl dovecot

Fri Jul 24 22:28:20 UTC 2009
Paul Heinlein <heinlein at madboa.com>

On Fri, 24 Jul 2009, Bob Hoffman wrote:

>>> Comes down I believe to the need to get a CA for dovecot's pem 
>>> files or I will always get an error.
>>
>> You've got to tell your mail client to trust either the dovecot 
>> certificate or the CA cert that signed it.
>>
>> The procedure for doing so varies with your mail client. The 
>> message you sent to the list came from Outlook. Is that the client 
>> you typically use?
>
> Trying not to buy a ssl for my private mail, doesn't seem like 
> something you would need just to get access to your own mail, so no 
> trusted CA there (ssh does not require trusted dang it).
>
> The idea floated as a thought in some channels is to make a sort of 
> self-trusted CA on your server for dovecot. But no examples of this 
> can be found, so if anyone has knowledge, all ears here.

The easy-rsa scripts that ship with OpenVPN might be helpful to you. 
Grab the latest openvpn distribution:

   http://openvpn.net/index.php/open-source/downloads.html

Then have a look at the easy-rsa instructions:

   http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html

You'll end up with a roll-your-own certificate authority (CA) and 
scripts to build a certificate for your dovecot server.

Then use the Windows key-management system to import the CA's public 
certificate. At that point Outlook ought to trust your dovecot 
certificate.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
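
The private-CA approach suggested above, done with plain openssl instead of the easy-rsa scripts. This is an added example, not part of the original message; the CA name, file names and host name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Host name and file names are assumptions.

# make_mail_ca OUTDIR HOSTNAME: writes ca.key/ca.crt and mail.key/mail.crt to OUTDIR.
make_mail_ca() (
    out=$1 host=$2
    umask 077                       # keys must not be group/world readable
    mkdir -p "$out" && cd "$out" || exit 1

    # Own config, so the result does not depend on the system openssl.cnf.
    cat > ca.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Private Mail CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_srv]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

    # 1. CA key plus self-signed CA certificate (ca.crt is what clients import).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null || exit 1

    # 2. Server key and signing request; clients match the name in the SAN.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -config ca.cnf -keyout mail.key -out mail.csr 2>/dev/null || exit 1

    # 3. Sign the request with the CA, restricting the cert to TLS server use.
    openssl x509 -req -in mail.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 825 -extfile ca.cnf -extensions v3_srv \
        -out mail.crt 2>/dev/null || exit 1
)

# check_mail_cert OUTDIR HOSTNAME: succeeds only if mail.crt chains to ca.crt
# and is valid for HOSTNAME, which is the check a mail client performs.
check_mail_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$2" "$1/mail.crt" 2>&1 | grep -q ': OK$'
}
```

Only ca.crt goes to the mail client's trusted-root store; ca.key signs future certificates and should stay off client machines. mail.key is left unencrypted so the mail daemon can start unattended, which is why the umask restricts it to its owner.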