One of the great new additions to Tiger Server is the ability to easily create self-signed SSL certificates to secure services such as LDAP, Jabber IM, and mail. This article covers my own implementation of SSL for mail services; it should, however, be helpful to anyone wishing to secure mail services on their Tiger Server.
(Ed. Note: Our list of articles we should be working on includes one on Certificate Assistant, which will allow for better control of your SSL certificates than Server Admin allows. But in the meantime this is a great overview of how to get SSL started on Tiger.)
The first step in securing mail services is to create a certificate for your mail server. You can obtain a certificate from a recognized root authority for a price, or you can create your own self-signed certificate. Because of the low volume of traffic and few users I host, I chose a self-signed certificate.
Here’s how to create one:
- Start Server Admin.
- Select the server where you wish to create the certificate.
- Select the Settings tab on the bottom.
- Select the Certificates tab on the top.
- Click + to add a certificate.
- In the Common Name text box, enter the fully-qualified domain name of your mail server.
- Fill in the rest of the information as appropriate.
- In my opinion, Private Key Size should be set to at least 1024, which is the default.
- The Private Key Passphrase is used to secure the private key, should you choose to export it in the future. Filling in a value here is optional.
- Click Save.
A certificate named after your mail server should now be present under the Certificates tab, and the authority should be Self Signed.
Next, the certificate has to be assigned to the mail server process.
- Click Mail under the Computers & Services column in Server Admin.
- Click the Advanced tab on the top.
- Click the Security sub-tab.
- There are four drop-down menus under the Secure Sockets Layer (SSL) subhead. These drop-downs select whether SSL can be used, and if so, what certificates are relevant. When selecting whether to use SSL, Use means that SSL can be used, but it’s not required. Required means that SSL is, um, required to connect to the server. I’ll let you guess what the default of Don’t Use means.
- After selecting whether to use or require SSL, select the relevant certificate via the drop-down immediately to the right.
- Click Save.
(Ed. Note: It’s common to require SSL for POP and IMAP but just use SSL for SMTP. Otherwise you’ll most likely miss a lot of incoming mail as many other servers don’t have SSL capabilities. Also note that requiring SSL for IMAP will break Squirrelmail web access unless you reconfigure Squirrelmail.)
All ready to go! Well, usually. I ran into a snag. See, I upgraded my server from 10.3.9 to 10.4, and as outlined in this Apple KB article, a NetInfo group called certusers wasn’t created. The fact that this group is missing causes errors in the system log:
Jul 7 12:19:14 kitty imaps: TLS server engine: cannot load cert/key data
Jul 7 12:19:14 kitty imaps: error initializing TLS
Jul 7 12:19:14 kitty imaps: Fatal error: tls_init() failed
This problem is easy to correct. The following command needs to be issued in the Terminal to create the group:
echo 'certusers:*:29:root,jabber,postfix,cyrusimap' | sudo niload group .
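Before issuing that command, a practitioner would want to confirm that the log really shows the tls_init failure and that the group name and GID 29 are not already taken (loading a duplicate GID into NetInfo is easy to do and awkward to undo). The following Python script is an added example, not code from the article or from Apple: it scans a syslog excerpt for the three messages shown above and builds the certusers line for niload only after checking an /etc/group-format listing of the existing groups. The log lines and the group listing in the script are constructed sample data; on a real Tiger Server the listing would come from NetInfo rather than a string literal.

```python
"""Added example (not from the original article): scan a syslog excerpt for the
tls_init failure described in the article, then build the certusers line for
`niload group .` after checking that the group name and GID are free.
The sample log lines and group table below are constructed for this demo."""
import re

# Messages the article attributes to the missing certusers group
TLS_FAILURE_PATTERNS = (
    re.compile(r"TLS server engine: cannot load cert/key data"),
    re.compile(r"error initializing TLS"),
    re.compile(r"Fatal error: tls_init\(\) failed"),
)

# BSD syslog line: "Mon DD HH:MM:SS host process[pid]: message"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def find_tls_failures(log_text):
    """Return (timestamp, process, message) for every line that matches a TLS init failure."""
    hits = []
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if m and any(p.search(m["msg"]) for p in TLS_FAILURE_PATTERNS):
            hits.append((m["ts"], m["proc"], m["msg"]))
    return hits


def parse_group_table(text):
    """Parse /etc/group-style lines (name:password:gid:member,member) into dicts."""
    groups = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":", 3)
        groups.append({
            "name": name,
            "gid": int(gid),
            "members": [m for m in members.split(",") if m],
        })
    return groups


def build_certusers_line(existing_groups, gid=29,
                         members=("root", "jabber", "postfix", "cyrusimap")):
    """Return the line to pipe into `niload group .` (GID and members as in the
    article), or raise ValueError if certusers exists or the GID is taken."""
    for g in existing_groups:
        if g["name"] == "certusers":
            raise ValueError("certusers already exists with gid %d" % g["gid"])
        if g["gid"] == gid:
            raise ValueError("gid %d already used by group %s" % (gid, g["name"]))
    return "certusers:*:%d:%s" % (gid, ",".join(members))


# Constructed sample data: one unrelated line plus the three failure lines
SAMPLE_LOG = """\
Jul  7 12:19:10 kitty postfix/smtpd[412]: connect from unknown[10.0.0.5]
Jul  7 12:19:14 kitty imaps: TLS server engine: cannot load cert/key data
Jul  7 12:19:14 kitty imaps: error initializing TLS
Jul  7 12:19:14 kitty imaps: Fatal error: tls_init() failed
"""

# Constructed group listing with no certusers group and GID 29 free
SAMPLE_GROUPS = """\
wheel:*:0:root
daemon:*:1:root
mail:*:6:
"""

if __name__ == "__main__":
    failures = find_tls_failures(SAMPLE_LOG)
    for ts, proc, msg in failures:
        print("%s %s: %s" % (ts, proc, msg))
    if failures:
        print("line for niload:", build_certusers_line(parse_group_table(SAMPLE_GROUPS)))
```

If `build_certusers_line` raises because GID 29 is already in use, pick a free GID for the new group rather than forcing the value from the article; the members list is what the mail and Jabber daemons need, the number itself is not special.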
Restart the server. SSL-enabled mail should be working. Be sure to set up your mail client to use SSL SMTP and POP or IMAP, and open TCP port 993 in your firewall if necessary.
The first time you check your SSL-enabled mail, an alert will likely appear notifying you that the certificate from the mail server is not from a root certificate authority. That’s no problem. The certificate needs to be added to the X509Anchors keychain so that you will not be prompted each time the client encounters it. Here are the instructions to do that with Mail 2.0.
- When the certificate notification pops up, click the Show Certificate button.
- Drag the certificate icon to the desktop.
- Double-click the nondescript certificate icon (ending in .cer) that you just placed on the desktop. Keychain Access should appear.
- A dialog will appear asking if you want to add the new certificate to a keychain. Select the X509Anchors keychain from the drop-down and press OK.
You should no longer be prompted to accept the certificate. Mail will now accept it automatically because it’s contained in the X509Anchors keychain.