How do I set up an SSL mail server?
For a beginner, can anyone recommend a good method of setting up an encrypted IMAP server (on port 993) or at least TLS POP3 email? There are plenty of examples of opportunistic client-side email encryption with PGP or FireGPG or Enigmail, but that is not the answer I am looking for because swapping keys is complicated for some users (and it needs to be usable by everyone, not just some).
I would basically like to know how to set up a company of 50 people with encrypted email, using a self-signed company cert, so that they can connect with Thunderbird without any additional configuration necessary.
Or, something a little like the experience you get when connecting to Gmail TLS email using Thunderbird.
A simple pointing in the right direction may get rewarded as an answer.
I'd do this with Dovecot, although you didn't mention your preferred OS. The configuration is relatively straightforward.
(hint: /etc/dovecot/dovecot.conf, configure protocols, ssl_cert_file, and ssl_key_file).
A couple of caveats that you may already be aware of:
Don't use a self-signed cert. Make your own CA and distribute that around, or find a cheapo SSL cert from Comodo or GoDaddy or someone.
This isn't a full-fledged solution like GPG is. POP3S and IMAPS only secure the email in transit from your email server to the client. The email will remain in clear text pretty much everywhere else -- while at rest on the server or client, on other people's networks, and printed out. That's not to say this isn't worthwhile, but don't pretend it's all you need to do.
It's usually as simple as creating a certificate (either a self-signed one, or buying an SSL certificate from a vendor), pointing your mail server's configuration file at the files containing the certificate and private key, enabling TLS, and optionally setting the mail server to deny logins which aren't using TLS/SSL.
I use Dovecot for IMAP and POP, and the instructions on their wiki are fairly comprehensive.
All I had to add to Debian's default Dovecot configuration to enable TLS was:
ssl_cert_file = /path/to/mail_cert.pem
ssl_key_file = /path/to/mail_privatekey.pem
It's going to be very specific to your mail server of choice. But a couple of additional pointers:
IMAPS on port 993 is SSL, rather than TLS. The difference is that SSL negotiates encryption from the off, whereas TLS negotiates encryption on top of a plaintext channel. One isn't necessarily worse than the other, but it's important to differentiate their behaviour. IMAP is better suited to the former.
In addition to securing IMAP you also want to secure mail that your users send to the server. This means placing a restriction that relayed (not to local accounts) messages come in over TLS and additionally they should be authenticated with SMTP AUTH.
Lastly, you can opt to relay messages to other public servers using TLS, where they support it. Not all do. But by making the option available you can secure a portion of your outbound mail while it's in transit on the first hop.
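Pulling the answers above together, here is an added example Dovecot configuration (not from any of the posters) that serves IMAPS on 993 and POP3S on 995 with a cert issued by an internal company CA, and refuses any login that is not protected by TLS. It assumes Dovecot 2.3 syntax (`ssl_cert`/`ssl_key` with the `<` file prefix, rather than the older `ssl_cert_file`/`ssl_key_file` mentioned above); the file paths are placeholders.

```conf
# /etc/dovecot/conf.d/10-ssl.conf (example, paths are placeholders)

protocols = imap pop3

# "required": every client must use TLS before it may authenticate.
ssl = required

# Server certificate signed by the company CA, with the CA cert
# appended so clients that have imported the CA can build the chain.
ssl_cert = </etc/dovecot/certs/mail.example.com.chain.pem
ssl_key  = </etc/dovecot/private/mail.example.com.key.pem

# Refuse legacy protocol versions and let the server pick ciphers.
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes

# Belt and braces: never accept plaintext passwords on an
# unencrypted connection, even if "ssl" were relaxed later.
disable_plaintext_auth = yes

service imap-login {
  # Port 143 stays open for STARTTLS clients; "ssl = required"
  # above still forces them to upgrade before LOGIN.
  inet_listener imap {
    port = 143
  }
  # Implicit TLS from the first byte (what the question asks for).
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service pop3-login {
  # port = 0 disables the plaintext POP3 listener entirely.
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
```

After reloading, `doveconf -n` shows the effective settings, and a client that tries `LOGIN` on port 143 before `STARTTLS` is told plaintext authentication is disallowed.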