Hey All,
Thought we could do some good for this community by posting some of the things we have done to get Interworx up and running with our POP3-SSL and IMAP-SSL users.
The default SSL certificates for Interworx’s POP3 and IMAP servers refuse to work in some e-mail clients due to the fact that the CA (Certifying Authority) and the Certificate owner have the same information. This is most notable in Mozilla Thunderbird (version 0.9). Thunderbird will connect successfully over SSL, however it will return an error and refuse to proceed due to the CA and the Certificate owner being the same.
In order to get around this problem you will need to generate new .pem files for the POP3 and IMAP servers. Here we go:
Delete The Current Certificates
In order to generate the new certificates we need to delete the current SSL certificates.
cd /usr/share/courier/
rm imapd.pem
rm pop3d.pem
Edit The SSL Config Files
In order for the generation script to use the correct information while creating the SSL files we need to specify the contact/server name information in the SSL config file.
cd /etc/courier
# back up the existing .cnf files
cp pop3d.cnf pop3d-old.cnf
cp imapd.cnf imapd-old.cnf
vi pop3d.cnf
# this is our edited pop3 config file
# replace yourserver and domain.com with your own values
[ req_dn ]
C=US
ST=IL
L=Chicago
O=Your Mail Server
OU=Automatically-generated IMAP SSL key
CN=yourserver.domain.com
emailAddress=postmaster@domain.net
vi imapd.cnf
# this is our edited imap config file
# replace yourserver and domain.com with your own values
[ req_dn ]
C=US
ST=IL
L=Chicago
O=Your Mail Server
OU=Automatically-generated IMAP SSL key
CN=yourserver.domain.com
emailAddress=postmaster@domain.net
Almost There…Generating The New Certificates
All we have to do now is generate the new .pem files!
cd /usr/share/courier/
./mkimapdcert
./mkpop3dcert
Restart The IMAP and POP3 Servers
In order for the certs to become live we need to restart the services.
service pop3-ssl restart
service imap4-ssl restart
That should be it. Your Thunderbird clients should now be able to connect over SSL to your mail server.
It is important to note that if you have your own “real” SSL certificate that you paid for, replacing the .pem files located in /usr/share/courier/ and restarting pop3-ssl and imap4-ssl should work just fine.
Hope this helps someone,
Peter
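
A check to run on the regenerated files before restarting the services, added here as an example and not part of the original post: it confirms that each .pem carries the CN set in the .cnf file, that the private key in the file matches the certificate, that the certificate has not expired, and that the file is not world-readable. It assumes the openssl command-line tool is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names are
# hypothetical; the .pem paths are the ones used in the post.

# Print the subject CN of the certificate stored in a PEM file.
pem_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# check_courier_pem FILE EXPECTED_CN
# Returns 0 only if every check passes; prints one line per failed check.
check_courier_pem() {
    pem=$1; want_cn=$2; rc=0
    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 2; }

    # 1. CN must be the hostname clients connect to (the CN= line in the .cnf).
    cn=$(pem_cn "$pem")
    [ "$cn" = "$want_cn" ] || { echo "FAIL: CN is '$cn', expected '$want_cn'"; rc=1; }

    # 2. The file must hold a private key that matches the certificate.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || key_pub=
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key missing or does not match certificate"; rc=1
    fi

    # 3. The certificate must not already be expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate expired or unreadable"; rc=1; }

    # 4. The file contains the private key, so it must not be world-readable.
    if [ -n "$(find "$pem" -prune -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $pem is world-readable"; rc=1
    fi

    return $rc
}

# Typical use after ./mkimapdcert and ./mkpop3dcert, before the restarts:
#   check_courier_pem /usr/share/courier/imapd.pem yourserver.domain.com
#   check_courier_pem /usr/share/courier/pop3d.pem yourserver.domain.com
```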