```
$ sudo --preserve-env openssl req -x509 -config ca.cnf -new -days 3650 -sha256 \
-newkey rsa:4096 -keyout private/ca.key -out ca.pem
+$ sudo --preserve-env openssl ca -gencrl -config ca.cnf -out crlfile
+$ sudo --preserve-env sh -c "cat ca.pem >> ca.crl"
+$ sudo --preserve-env sh -c "cat crlfile >> ca.crl"
```
Certificate
add an extensions [5].
```
-$ openssl req -config ca.cnf -new -key certs/private/<name>.key \
- -out certs/<name>.csr -extensions email_cert
-$ openssl x509 -req -days 365 -sha256 -CA ca.pem -CAkey private/ca.key \
- -next_serial -in certs/<name>.csr -out certs/<name>.crt \
- -extensions email_cert
+$ sudo --preserve-env openssl req -config ca.cnf -new \
+ -key certs/private/<name>.key -out certs/<name>.csr -extensions email_cert
+$ sudo --preserve-env openssl x509 -req -days 365 -sha256 -CA ca.pem \
+ -CAkey private/ca.key -next_serial -in certs/<name>.csr \
+ -out certs/<name>.crt -extensions email_cert
```
Import
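Review bot: The two appends on L5–L6 (`cat ca.pem >> ca.crl`, `cat crlfile >> ca.crl`) grow ca.crl every time the procedure is repeated, so a regenerated CRL ends up after the stale one instead of replacing it; write the bundle in one step, `sudo --preserve-env sh -c "cat ca.pem crlfile > ca.crl"`, and say that `crlfile` is only an intermediate. Because this bundle is what `ssl_ca` and `ssl_require_crl = yes` in the later Dovecot hunk consume, the text should also state that the CRL carries a nextUpdate date taken from the CA config (`default_crl_days` in ca.cnf, not shown here) and must be regenerated and re-bundled before it lapses, otherwise every client-certificate login is refused once it expires. Separately, the `openssl x509 -req` command keeps `-extensions email_cert` (already so in the removed lines) without an `-extfile ca.cnf`; on the OpenSSL versions I know, x509 only reads extension sections from -extfile and does not copy CSR extensions by default, so the issued certificate likely lacks the email_cert extensions. Worth checking the output with `openssl x509 -in certs/<name>.crt -noout -text` and adding `-extfile ca.cnf` if they are missing.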
#auth_failure_delay = 2 secs
# Require a valid SSL client certificate or the authentication fails.
-#auth_ssl_require_client_cert = no
+auth_ssl_require_client_cert = no
# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
-#auth_ssl_username_from_cert = no
+auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
-auth_mechanisms = plain
+auth_mechanisms = plain login
##
## Password and user databases
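Review bot: `auth_ssl_require_client_cert = no` and `auth_ssl_username_from_cert = no` (L26, L31) are uncommented at what appear to be their default values, so on their own they change nothing; if the intent is that only IMAP enforces a client certificate (a later hunk in this diff sets them to yes inside a protocol block), a comment here saying so would help, e.g. `# Client certificates are enforced per protocol below; other services still accept password-only auth.` Adding `login` to `auth_mechanisms` (L37) adds a second plaintext mechanism, which is only acceptable while `disable_plaintext_auth` keeps its default of yes; since the comment on L35 already points at that setting, stating the dependency explicitly would stop someone relaxing it later without noticing.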
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
-#ssl_ca =
+ssl_ca = <${ca_dir}/ca.crl
# Require that CRL check succeeds for client certificates.
-#ssl_require_crl = yes
+ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
mail_max_userip_connections = 5
+
+ auth_ssl_require_client_cert = yes
+ ssl_verify_client_cert = yes
}
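Review bot: With `auth_ssl_username_from_cert = no` kept globally in this same diff, the two lines added here (L54–L55) make IMAP demand a certificate issued by the configured CA but do not tie that certificate to the user being authenticated: as far as I can tell from Dovecot's documented behaviour, any unrevoked certificate from the CA satisfies the check for any username/password pair. If a per-user binding is intended, set `auth_ssl_username_from_cert = yes` (together with `ssl_cert_username_field` naming the subject field that carries the login name) here or globally; otherwise document that the certificate is a CA-membership check rather than an identity check. The opening of the block these lines are added to (presumably `protocol imap {`) is outside the hunk, so I cannot confirm they land in the intended section.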
$ chown vmail:vmail /var/log/{dovecot.log,dovecot-info.log}
```
+Create mailboxes.
+
+```
+$ doveadm mailbox create -u <user> Trash
+```
+
Administration
--------------
smtpd_reject_unlisted_sender = yes
# HELO command
-smtpd_helo_restrictions = reject_invalid_helo_hostname,
- reject_non_fqdn_helo_hostname
+smtpd_helo_restrictions = permit_sasl_authenticated,
+ reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_helo_required = yes
# Message rewrite