Enabling Secure IMAP with UW IMAP
- Obtain a certificate, using the server name for the Common Name (CN). This name must match what the clients (Outlook, Mozilla, etc.) use as their POP3 or IMAP server setting, otherwise they will report a hostname mismatch.
Upon completion you will have a private-key file (host.key) and a certificate (public-key) file (host.cert). Rename the files as needed, or adjust the values in the next step.
- Create a PEM file containing the certificate followed by the private key. Because this file holds the private key, keep it readable only by root (inetd starts imapd as root). (Note: the expected location may vary; check /var/log/messages after attempting a connection.)
cat host.cert host.key > /usr/local/ssl/certs/imapd.pem
- Now ensure that you have the proper entries in inetd.conf (this example is from FreeBSD).
imaps stream tcp nowait root /usr/local/libexec/imapd imapd
If you are using xinetd, check /etc/xinetd.d/imaps instead. The imaps service defaults to off, so you will probably need to change the disable = line to disable = no.
# description: The IMAPS service allows remote users to access their mail \
# using an IMAP client with SSL support such as Netscape \
# Communicator or fetchmail.
service imaps
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/imapd
    log_on_success  += HOST DURATION
    log_on_failure  += HOST
    disable         = no
}
- Restart inetd...
killall -HUP inetd
or xinetd...
/etc/init.d/xinetd restart
- For certificate trust to work correctly, you may need to install the signing certificate (the CA certificate) on each client. You may download the Credentia CA certificate from here. Other CA certificates (VeriSign, Thawte, GeoTrust, etc.) are typically already in the client's certificate store.
- Now start the email client and set it to use SSL for IMAP (port 993).
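The PEM-assembly step above is easy to get wrong (key and certificate swapped, or the private key left world-readable). The script below is an added example, not part of the page or of UW IMAP: it builds imapd.pem from host.cert and host.key with owner-only permissions, checks the file's structure, and, if the openssl CLI is present, confirms the key belongs to the certificate and prints the subject so the CN can be compared with the clients' server setting.

```shell
#!/bin/sh
# Build /usr/local/ssl/certs/imapd.pem from host.cert + host.key and check it.
# Added example; file names and paths follow the page, the helpers are hypothetical.

make_imapd_pem() {
    cert="$1"; key="$2"; out="$3"
    # Refuse to build the file if either input is not the PEM type expected;
    # this also catches the two inputs being given in the wrong order.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "error: $cert holds no certificate" >&2; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "error: $key holds no private key" >&2; return 1; }
    # umask 077 in a subshell: the private key is never on disk world-readable,
    # not even between the redirect and the chmod.
    ( umask 077 && cat "$cert" "$key" > "$out" ) || return 1
    chmod 600 "$out"
}

check_imapd_pem() {
    pem="$1"
    # Exactly one certificate and one key, certificate first, mode 0600.
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem")" -eq 1 ] || return 1
    [ "$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$pem")" -eq 1 ] || return 1
    cert_line=$(grep -n -e '-----BEGIN CERTIFICATE-----' "$pem" | cut -d: -f1)
    key_line=$(grep -n -e '-----BEGIN .*PRIVATE KEY-----' "$pem" | cut -d: -f1)
    [ "$cert_line" -lt "$key_line" ] || return 1
    [ -n "$(find "$pem" -perm 600)" ] || return 1
}

# Needs the openssl CLI: the public key taken from the certificate must equal
# the one derived from the private key; the subject line shows the CN.
key_matches_cert() {
    pem="$1"
    cert_pub=$(openssl x509 -noout -pubkey -in "$pem") || return 1
    key_pub=$(openssl pkey -pubout -in "$pem") || return 1
    openssl x509 -noout -subject -in "$pem"
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh imapd-pem.sh host.cert host.key /usr/local/ssl/certs/imapd.pem
if [ "$#" -eq 3 ]; then
    make_imapd_pem "$1" "$2" "$3" && check_imapd_pem "$3" || exit 1
    command -v openssl >/dev/null 2>&1 && key_matches_cert "$3"
fi
```

After restarting inetd or xinetd, `openssl s_client -connect yourserver:993 -CAfile ca.pem` shows whether the certificate chain validates against the CA certificate your clients will trust.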
See Also
Diary of build for SSL-enabled imap server
UW IMAP Server Documentation
Generating and Installing Your Certificates And Keys In The UW-IMAP Server
UW-IMAP FAQ (enabling SSL)