Security as it relates to IMAP implementations falls mainly into two categories - authentication, and encryption.
There are several ways to handle the authentication requirements. Basic IMAP authentication is no more secure than POP3 - it simply involves passing the user ID and password across the network as clear text.
As mentioned, the SASL library provides several methods by which this can be solved, allowing cryptographic challenge/response authentication methods to be tied in with a number of different authentication backends. However, this still provides no actual data security - message content is not encrypted if using these schemes.
To encrypt all communication between the client and server, it is necessary to use an SSL connection. Cyrus provides hooks for this, and can be compiled with support for IMAP/SSL via the use of the OpenSSL libraries.
The simplest method of setting this up is to use a self-signed certificate. This can be prepared as follows:-
$ openssl req -new -x509 -nodes -out /var/imap/server.pem \
    -keyout /var/imap/server.pem -days 365
This generates a self-signed X509 certificate and private key pair in PEM format, which can be used to add SSL support to Cyrus with the following procedure.
Uncomment the imaps service definition in /etc/cyrus.conf, and add the following lines to /etc/imapd.conf:-
tls_cert_file: /var/imap/server.pem
tls_key_file: /var/imap/server.pem
For a more comprehensive setup of this support, which can be useful if you intend to use SSL certs with several applications, you can use the OpenSSL toolkit to create your own certificate authority. You can then use this to sign all the SSL certs you generate. Doing this allows you to import the CA's public key (its certificate) into your browser/client, after which all the certificates signed with the corresponding private key will be accepted without bringing up confirmation dialog boxes.
Create an RSA key using openssl. This will be the key for our local certifying authority.
./openssl genrsa -des3 -out ../private/ca.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
............++++++
..............................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Next, create the self-signed certificate of the CA from that key:
./openssl req -new -x509 -days 365 -key ../private/ca.key -out ../private/ca.crt
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Trusted Certs. Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Joe User
Email Address []:joe@company.com
Now generate a certificate signing request for the IMAP server's own key; the Common Name must be the host name clients will connect to:
# ./openssl req -new -key ../private/server.key -out ../private/server.csr
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:bifrost.altair.nexus
Email Address []:mike@coruscant.demon.co.uk
Finally, sign the request with the CA key (here using the sign.sh helper shipped in the mod_ssl contrib directory):
# /usr/src/mod_ssl-2.8.1-1.3.19/pkg.contrib/sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'UK'
stateOrProvinceName   :PRINTABLE:'England'
localityName          :PRINTABLE:'London'
organizationName      :PRINTABLE:'Internet Widgits Pty Ltd'
commonName            :PRINTABLE:'bifrost.altair.nexus'
emailAddress          :IA5STRING:'mike@coruscant.demon.co.uk'
Certificate is to be certified until Mar 18 02:15:39 2002 GMT (365 days)
Sign the certificate? [y/n]:y
To use this certificate, proceed as with the self-signed cert, also adding to the imapd.conf file a directive specifying the location of the X509 certificate of the CA.
tls_ca_file: /var/imap/ssl/ca.crt
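The same CA workflow as a non-interactive script, using plain openssl(1) in place of the mod_ssl sign.sh helper and adding the checks worth running before pointing Cyrus at the files. This is an added example, not part of the original page: the directory, host name and the CA_PASS environment variable are placeholders chosen here, and it uses 2048-bit keys and a subjectAltName because current clients reject the 1024-bit, CN-only certificates shown above.

```shell
#!/bin/sh
# Added example: build a private CA, sign an IMAP server certificate with it,
# and verify the result. Assumes CA_PASS holds the CA key passphrase; DIR and
# HOST are hypothetical values supplied by the caller.
set -eu

# make_ca DIR -> DIR/ca.key (passphrase-protected, like the -des3 key above) and DIR/ca.crt
make_ca() {
    dir=$1
    mkdir -p "$dir"
    # 2048 bits: the 1024-bit modulus used in the transcript above is no longer adequate
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin env:CA_PASS \
        -subj "/C=UK/ST=England/L=London/O=Example CA/CN=Example CA" \
        -out "$dir/ca.crt"
}

# sign_server DIR HOST -> DIR/server.key, DIR/server.crt and the combined DIR/server.pem
# CN and subjectAltName are both set to HOST so that name checks in clients succeed.
sign_server() {
    dir=$1; host=$2
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/server.key" \
        -subj "/C=UK/ST=England/L=London/CN=$host" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin env:CA_PASS -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
    # Cyrus accepts key and certificate from one file, as the imapd.conf lines above do
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
    chmod 600 "$dir/server.key" "$dir/server.pem"
}

# verify_chain DIR HOST -> succeeds only if server.crt chains to ca.crt and carries HOST as CN
verify_chain() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
    openssl x509 -noout -subject -in "$dir/server.crt" | grep -q "CN *= *$host"
}
```

Once imapd is restarted, the same trust check can be run against the live service with openssl s_client -connect host:993 -CAfile ca.crt, which reports the verify result of the certificate Cyrus actually presents.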
You will need to import the certificate into your client's registry of known CAs. With Netscape, this is done by serving the certificate up via HTTP with the appropriate MIME type. The following Perl CGI will do this for you.
#!/usr/bin/perl
# Serve the CA certificate with the MIME type that makes Netscape offer to import it.
print "Content-type: application/x-x509-ca-cert\n\n";
open(CERTIFICATE, "/usr/local/ssl/private/ca.crt") || die "Unable to open cert\n";
foreach (<CERTIFICATE>) { print; }
close(CERTIFICATE);