We will implement OpenSSL with IMAP. For this you need to have dovecot installed on your server and mutt on client side.

[root@security1 ~]# yum -y install dovecot

After this set up dovecot just to use imaps. And open ports for imaps in firewall. With your favorite editor open /etc/dovecot.conf for editing and make your protocol line looks mine:

protocols = imaps

Let's see on which port imaps listen.

[root@security1 ~]# cat /etc/services | grep imaps
imaps 993/tcp # IMAP over SSL
imaps 993/udp # IMAP over SSL
[root@security1 ~]# iptables -A SECURITY -p tcp -s --dport 993 -j ACCEPT
[root@security1 ~]# iptables -A SECURITY -p udp -s --dport 993 -j ACCEPT
[root@security1 ~]# service iptables save

After this we will modify a script for making certs for dovecot.

[root@security1 ~]# cp /usr/share/doc/dovecot-1.0.7/examples/mkcert.sh /root/

Also, modify script according to our system (/root/mkcert.sh)


When you install dovecot he will make /etc/pki/dovecot, with his subfolder. If you look in mkcert.sh you will see that in subfolders already has dovecot.pem. To avoid misunderstand you should remove it from system

[root@security1 dovecot]# rm -fr /etc/pki/dovecot/{certs,private}/dovecot.pem

Add execute role to mkcert.sh and start script.

[root@security1 ~]# chmod +x mkcert.sh
[root@security1 ~]# sh mkcert.sh

After this restart dovecot and set up to start when system boots.Now we need to setup a client side. On server and client side I have a user anna, and we will configure mutt to use IMAPS for this account. Log in as anna, and make directory .mutt, and inside him muttrc file with next content

set folder = imaps://security1.setenforce.com/
set spoolfile = imaps://security1.setenforce.com/
set imap_force_ssl = yes

If you start mutt now like user anna you should see that dovecot use self-signed certificate, and detail for that certificate. Reject that certificate, because we will make certificate which will be signed by your CA. As in example with make own CA, we will need, first, to make dovecot.key.

[root@security1 student]# umask 077
[root@security1 student]# openssl genrsa -out dovecot.key 2048

OK, now we need to create a new signing request

[root@security1 student]# openssl req -new -key dovecot.key -out dovecot.csr

Now, as CA you need to sign request.

[root@security1 student]# openssl ca -in dovecot.csr -out dovecot.crt
[root@security1 student]# cp dovecot.key /etc/pki/dovecot/
[root@security1 student]# cp dovecot.crt /etc/pki/dovecot/
[root@security1 student]# cd /etc/pki/dovecot/
[root@security1 dovecot]# cp dovecot.key private/dovecot.pem
[root@security1 dovecot]# cat dovecot.csr >> private/dovecot.pem
[root@security1 dovecot]# cp private/dovecot.pem certs/dovecot.pem
[root@security1 dovecot]# /etc/init.d/dovecot restart

After this you just add certificate to anna's .mutt directory. Open for editing anna's muttrc file and add next:

set certificate_file = ~/certificate.crt Path to cert

It's time to try sending mail to anna. Do next:

[root@security1 dovecot]# echo "proba maila" | mail -s probica anna

Look for mail on security2. It should work :)