add tls encryption

This commit is contained in:
Quentin 2024-01-23 17:14:40 +01:00
parent 78cf72dde2
commit 2a84690647
Signed by: quentin
GPG key ID: E9602264D639FF68

View file

@ -3,4 +3,51 @@ title = "TLS"
weight = 30 weight = 30
+++ +++
Todo In the [Configuration File](@/documentation/cookbook/config.md) page of the cookbook, we configure a cleartext IMAP service
that is unsecure, as anyone spying on the network can intercept the user's password.
## Activate IMAP TLS
You must replace the `[imap_unsecure]` block of your configuration file with a new `[imap]` block:
```toml
[imap]
bind_addr = "[::]:993"
certs = "cert.pem"
key = "key.pem"
```
## Generate self-signed certificates
If you want to quickly try the TLS endpoint, you can generate a self-signed certificate with openssl:
```bash
openssl ecparam -out key.pem -name secp256r1 -genkey
openssl req -new -key key.pem -x509 -nodes -days 365 -out cert.pem
```
This configuration is not secure as it is vulnerable to man-in-the-middle attacks.
It will also triggers a big red warning in many email clients, and sometimes it will even be impossible to configure an account.
## Generate valid certificates through Let's Encrypt
Automated certificate renewal has been popularized by Let's Encrypt through the [ACME protocol](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment).
Today, many certificate providers implement it, like ZeroSSL, Buypass Go SSL, or even Google Cloud.
Many clients that implement the ACME protocol exist (certbot, lego, etc.), [a very long list exist on LE website](https://letsencrypt.org/docs/client-options/).
Finally, certificates can be obtained in exchange of a validation, that can occur over HTTP (HTTP01 challenge) or DNS (DNS01 challenge).
This example will be given for Let's Encrypt with Lego for a DNS01 challenge with Gandi as the DNS provider.
```bash
GANDIV5_API_KEY=xxx \
GANDIV5_PERSONAL_ACCESS_TOKEN=xxx \
lego --email you@example.tld --dns gandiv5 --domains imap.example.tld --domains smtp.example.tld run
```
*Note: theoretically only `GANDIV5_PERSONAL_ACCESS_TOKEN` should be required, but it did not work for me.*
If the command ran successfully, you now have 2 files:
- `.lego/certificates/imap.example.tld.crt`
- `.lego/certificates/imap.example.tld.key`
You can directly use them in Aerogramme (the first one must be put on `certs` and the second one on `key`).