aerogramme.deuxfleurs.fr/content/documentation/cookbook/tls-encryption.md

+++
title = "TLS"
weight = 30
+++

In the [Configuration File](@/documentation/cookbook/config.md) page of the cookbook, we configure a cleartext IMAP service
that is unsecure, as anyone spying on the network can intercept the user's password.

## Activate IMAP TLS

You must replace the `[imap_unsecure]` block of your configuration file with a new `[imap]` block:

```toml
[imap]
bind_addr = "[::]:993"
certs = "cert.pem"
key = "key.pem"
```

## Generate self-signed certificates

If you want to quickly try the TLS endpoint, you can generate a self-signed certificate with openssl:

```bash
openssl ecparam -out key.pem -name secp256r1 -genkey
openssl req -new -key key.pem -x509 -nodes -days 365 -out cert.pem
```

This configuration is not secure as it is vulnerable to man-in-the-middle attacks.
It will also triggers a big red warning in many email clients, and sometimes it will even be impossible to configure an account.


## Generate valid certificates through Let's Encrypt

Automated certificate renewal has been popularized by Let's Encrypt through the [ACME protocol](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment).
Today, many certificate providers implement it, like ZeroSSL, Buypass Go SSL, or even Google Cloud.
Many clients that implement the ACME protocol exist (certbot, lego, etc.), [a very long list exist on LE website](https://letsencrypt.org/docs/client-options/).
Finally, certificates can be obtained in exchange of a validation, that can occur over HTTP (HTTP01 challenge) or DNS (DNS01 challenge).
This example will be given for Let's Encrypt with Lego for a DNS01 challenge with Gandi as the DNS provider.

```bash
GANDIV5_API_KEY=xxx \
GANDIV5_PERSONAL_ACCESS_TOKEN=xxx \
lego \
  --email you@example.tld \
  --dns gandiv5 \
  --domain example.tld \
  --domains imap.example.tld \
  --domains smtp.example.tld \
  run
```

*Note 1: theoretically only `GANDIV5_PERSONAL_ACCESS_TOKEN` should be required, but it did not work for me.*

*Note 2: we generate a certificate for the root domain and SMTP because it will simplify your testing while following the cookbook.
But if you already have a working email stack, it's not required.*


If the command ran successfully, you now have 2 files:
 - `.lego/certificates/example.tld.crt`
 - `.lego/certificates/example.tld.key`

You can directly use them in Aerogramme (the first one must be put on `certs` and the second one on `key`).
You must configure some way to automatically renew your certificates, the [lego documentation](https://go-acme.github.io/lego/usage/cli/renew-a-certificate/) explains how you can do it.
cookbook skeleton 2024-01-22 10:01:47 +00:00			`+++`
			`title = "TLS"`
			`weight = 30`
			`+++`

add tls encryption 2024-01-23 16:14:40 +00:00			`In the [Configuration File](@/documentation/cookbook/config.md) page of the cookbook, we configure a cleartext IMAP service`
			`that is unsecure, as anyone spying on the network can intercept the user's password.`

			`## Activate IMAP TLS`

			You must replace the `[imap_unsecure]` block of your configuration file with a new `[imap]` block:

			```toml
			`[imap]`
			`bind_addr = "[::]:993"`
			`certs = "cert.pem"`
			`key = "key.pem"`
			```

			`## Generate self-signed certificates`

			`If you want to quickly try the TLS endpoint, you can generate a self-signed certificate with openssl:`

			```bash
			`openssl ecparam -out key.pem -name secp256r1 -genkey`
			`openssl req -new -key key.pem -x509 -nodes -days 365 -out cert.pem`
			```

			`This configuration is not secure as it is vulnerable to man-in-the-middle attacks.`
			`It will also triggers a big red warning in many email clients, and sometimes it will even be impossible to configure an account.`


			`## Generate valid certificates through Let's Encrypt`

			`Automated certificate renewal has been popularized by Let's Encrypt through the [ACME protocol](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment).`
			`Today, many certificate providers implement it, like ZeroSSL, Buypass Go SSL, or even Google Cloud.`
			`Many clients that implement the ACME protocol exist (certbot, lego, etc.), [a very long list exist on LE website](https://letsencrypt.org/docs/client-options/).`
			`Finally, certificates can be obtained in exchange of a validation, that can occur over HTTP (HTTP01 challenge) or DNS (DNS01 challenge).`
			`This example will be given for Let's Encrypt with Lego for a DNS01 challenge with Gandi as the DNS provider.`

			```bash
			`GANDIV5_API_KEY=xxx \`
			`GANDIV5_PERSONAL_ACCESS_TOKEN=xxx \`
WIP doc 2024-01-23 19:21:03 +00:00			`lego \`
			`--email you@example.tld \`
			`--dns gandiv5 \`
			`--domain example.tld \`
			`--domains imap.example.tld \`
			`--domains smtp.example.tld \`
			`run`
add tls encryption 2024-01-23 16:14:40 +00:00			```

WIP doc 2024-01-23 19:21:03 +00:00			Note 1: theoretically only `GANDIV5_PERSONAL_ACCESS_TOKEN` should be required, but it did not work for me.

			`*Note 2: we generate a certificate for the root domain and SMTP because it will simplify your testing while following the cookbook.`
			`But if you already have a working email stack, it's not required.*`

add tls encryption 2024-01-23 16:14:40 +00:00
			`If the command ran successfully, you now have 2 files:`
WIP doc 2024-01-23 19:21:03 +00:00			- `.lego/certificates/example.tld.crt`
			- `.lego/certificates/example.tld.key`
add tls encryption 2024-01-23 16:14:40 +00:00
			You can directly use them in Aerogramme (the first one must be put on `certs` and the second one on `key`).
WIP doc 2024-01-23 19:21:03 +00:00			`You must configure some way to automatically renew your certificates, the [lego documentation](https://go-acme.github.io/lego/usage/cli/renew-a-certificate/) explains how you can do it.`