aerogramme.deuxfleurs.fr/content/documentation/cookbook/tls-encryption.md

65 lines
2.6 KiB
Markdown
Raw Normal View History

2024-01-22 10:01:47 +00:00
+++
title = "TLS"
weight = 30
+++
2024-01-23 16:14:40 +00:00
In the [Configuration File](@/documentation/cookbook/config.md) page of the cookbook, we configure a cleartext IMAP service
that is unsecure, as anyone spying on the network can intercept the user's password.
## Activate IMAP TLS
You must replace the `[imap_unsecure]` block of your configuration file with a new `[imap]` block:
```toml
[imap]
bind_addr = "[::]:993"
certs = "cert.pem"
key = "key.pem"
```
## Generate self-signed certificates
If you want to quickly try the TLS endpoint, you can generate a self-signed certificate with openssl:
```bash
openssl ecparam -out key.pem -name secp256r1 -genkey
openssl req -new -key key.pem -x509 -nodes -days 365 -out cert.pem
```
This configuration is not secure as it is vulnerable to man-in-the-middle attacks.
It will also triggers a big red warning in many email clients, and sometimes it will even be impossible to configure an account.
## Generate valid certificates through Let's Encrypt
Automated certificate renewal has been popularized by Let's Encrypt through the [ACME protocol](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment).
Today, many certificate providers implement it, like ZeroSSL, Buypass Go SSL, or even Google Cloud.
Many clients that implement the ACME protocol exist (certbot, lego, etc.), [a very long list exist on LE website](https://letsencrypt.org/docs/client-options/).
Finally, certificates can be obtained in exchange of a validation, that can occur over HTTP (HTTP01 challenge) or DNS (DNS01 challenge).
This example will be given for Let's Encrypt with Lego for a DNS01 challenge with Gandi as the DNS provider.
```bash
GANDIV5_API_KEY=xxx \
GANDIV5_PERSONAL_ACCESS_TOKEN=xxx \
2024-01-23 19:21:03 +00:00
lego \
--email you@example.tld \
--dns gandiv5 \
--domain example.tld \
--domains imap.example.tld \
--domains smtp.example.tld \
run
2024-01-23 16:14:40 +00:00
```
2024-01-23 19:21:03 +00:00
*Note 1: theoretically only `GANDIV5_PERSONAL_ACCESS_TOKEN` should be required, but it did not work for me.*
*Note 2: we generate a certificate for the root domain and SMTP because it will simplify your testing while following the cookbook.
But if you already have a working email stack, it's not required.*
2024-01-23 16:14:40 +00:00
If the command ran successfully, you now have 2 files:
2024-01-23 19:21:03 +00:00
- `.lego/certificates/example.tld.crt`
- `.lego/certificates/example.tld.key`
2024-01-23 16:14:40 +00:00
You can directly use them in Aerogramme (the first one must be put on `certs` and the second one on `key`).
2024-01-23 19:21:03 +00:00
You must configure some way to automatically renew your certificates, the [lego documentation](https://go-acme.github.io/lego/usage/cli/renew-a-certificate/) explains how you can do it.