As always, Sentora leaves security and SSL/TLS up to its users. By default, the Dovecot shipped with Sentora listens on port 110 (POP3) and port 143 (IMAP), and everything sent over those ports, passwords included, goes across the wire unencrypted. We have already learned how to enable HTTPS and how to use SFTP with Sentora. Today we will learn how to secure Dovecot with SSL/TLS for Sentora.
The SSL configuration for Dovecot itself is straightforward. I followed this guide to set up TLS for Dovecot; it comes down to the following lines:
# don't allow non-TLS connections for IMAP or SASL
ssl = required
disable_plaintext_auth = yes
# path to the certificate file, should be root:root and 0444
ssl_cert = </path/to/fullchain.pem
# path to the private key file, should be root:root and 0400
ssl_key = </path/to/privkey.pem
There is a typo in the original post: the "<" that must precede the certificate file path and the key file path appears there as "&lt;" (the HTML-escaped form of "<"). If you simply copy that configuration and paste it at the end of /etc/dovecot/dovecot.conf (on Sentora this is a symbolic link to /etc/sentora/configs/dovecot2/dovecot.conf), you will have a problem, and it is not an obvious one. Dovecot still starts: if you run "netstat -antp | grep dovecot", you will see it listening on port 995 (POP3S) and port 993 (IMAPS) in addition to ports 110 and 143. But when you set up an email client to retrieve mail, it simply does not work. The Outlook Express POP3 client reports error 0x800ccc0f, and the Outlook IMAP client reports nothing at all but cannot retrieve any email from the server.
To debug the problem you need to know where the Dovecot log is. On Sentora it is /var/log/dovecot.log, and in it you will find the following error:
imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
This is caused by the mangled "<" in the ssl_key line of /etc/dovecot/dovecot.conf. The leading "<" tells Dovecot to read the file at that path; without it, Dovecot takes the whole value ("&lt;/path/to/privkey.pem") as the literal PEM text of the key, which is why OpenSSL complains about a missing "-----BEGIN" line rather than about a missing file. With the corrected configuration above (a plain "<" before each path) the error disappears and both POP3 and IMAP clients work normally. Keep in mind that with ssl = required and disable_plaintext_auth = yes, clients have to use either the implicit-TLS ports (993 and 995) or STARTTLS on 143 and 110; a client still configured for plain-text login on 110 or 143 will be refused, which is the intended behaviour.
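Because Dovecot starts cleanly and only fails once a client logs in, it is worth checking the ssl_cert and ssl_key lines before restarting the service. The script below is an added example (not code from the original post, nor from Sentora or Dovecot): it pulls both settings out of a config file, flags the "&lt;" copy-paste typo and a missing "<" file-reference prefix, and confirms that the referenced file actually begins with a PEM header, which is the condition the "no start line" error is complaining about. The config snippets, the placeholder PEM files and the SAMPLE_DIR path are constructed inline so it runs offline; on a real Sentora host you would call check_conf /etc/dovecot/dovecot.conf instead.

```shell
#!/bin/sh
# Added example, not from the original post or from Sentora/Dovecot.
# Pre-flight check for the ssl_cert / ssl_key lines in a Dovecot config:
# catches the "&lt;" typo before Dovecot logs "no start line".

# ssl_setting_status CONF KEY
#   Prints one word for the KEY line in CONF and returns 0 only for "ok":
#   ok | unset | html-escaped | no-file-ref | unreadable | not-pem
ssl_setting_status() {
    conf=$1; key=$2
    # Dovecot lets a later assignment override an earlier one, so take the last.
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
          | sed 's/[[:space:]]*$//' | tail -n 1)
    case "$val" in
        "")       echo unset; return 1 ;;
        "&lt;"*)  echo html-escaped; return 1 ;;  # '<' mangled by an HTML page
        "<"*)     path=${val#<} ;;                # file reference, as Dovecot expects
        *)        echo no-file-ref; return 1 ;;   # taken as literal PEM text by Dovecot
    esac
    [ -r "$path" ] || { echo unreadable; return 1; }
    # Dovecot reads the file and hands it to OpenSSL, which wants "-----BEGIN ..."
    head -n 1 "$path" | grep -q '^-----BEGIN ' || { echo not-pem; return 1; }
    echo ok
}

# key_world_readable PATH -> 0 if "other" has read permission (ls is portable)
key_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# check_conf CONF -> one line per finding, returns 1 if anything is wrong
check_conf() {
    conf=$1; rc=0
    for key in ssl_cert ssl_key; do
        status=$(ssl_setting_status "$conf" "$key") || rc=1
        echo "$key: $status"
    done
    # The two hardening lines from the post; warn if either is missing
    grep -q '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*required' "$conf" \
        || { echo "ssl = required is not set"; rc=1; }
    grep -q '^[[:space:]]*disable_plaintext_auth[[:space:]]*=[[:space:]]*yes' "$conf" \
        || { echo "disable_plaintext_auth = yes is not set"; rc=1; }
    keypath=$(sed -n 's/^[[:space:]]*ssl_key[[:space:]]*=[[:space:]]*<//p' "$conf" | tail -n 1)
    if [ -n "$keypath" ] && key_world_readable "$keypath"; then
        echo "warning: $keypath is world-readable; make it root:root 0400"
    fi
    return $rc
}

# ---- constructed sample input (placeholder PEM bodies, not real keys) ----
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' '-----END CERTIFICATE-----' \
    > "$SAMPLE_DIR/fullchain.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...placeholder...' '-----END PRIVATE KEY-----' \
    > "$SAMPLE_DIR/privkey.pem"
chmod 0444 "$SAMPLE_DIR/fullchain.pem"
chmod 0400 "$SAMPLE_DIR/privkey.pem"

# What you get by pasting from a web page that HTML-escaped the '<'
cat > "$SAMPLE_DIR/broken.conf" <<EOF
ssl = required
disable_plaintext_auth = yes
ssl_cert = &lt;$SAMPLE_DIR/fullchain.pem
ssl_key = &lt;$SAMPLE_DIR/privkey.pem
EOF

# The same lines with the '<' file-reference prefix restored
cat > "$SAMPLE_DIR/fixed.conf" <<EOF
ssl = required
disable_plaintext_auth = yes
ssl_cert = <$SAMPLE_DIR/fullchain.pem
ssl_key = <$SAMPLE_DIR/privkey.pem
EOF

echo "== broken.conf =="; check_conf "$SAMPLE_DIR/broken.conf" || true
echo "== fixed.conf ==";  check_conf "$SAMPLE_DIR/fixed.conf"  || true
```

The script only checks PEM framing, not that the key and certificate are valid or belong together; once the lines are right, "doveconf -n | grep ssl" shows what Dovecot actually loaded, "openssl pkey -noout -in /path/to/privkey.pem" confirms the key parses, and "openssl s_client -connect mail.example.com:993" (or "-starttls imap -connect mail.example.com:143") exercises the handshake the way a mail client will.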