DavMail POP/IMAP/SMTP/Caldav/Carddav/LDAP Exchange Gateway - SSL setup Mickael Guessant

SSL is not necessary when DavMail is used in workstation mode, as communication between clients and DavMail remain local. However, in server (shared) mode e.g. with a smartphone connecting to DavMail over the internet, you should make sure encryption is enabled.

The simplest way to secure communication between mail/calendar clients and DavMail is to create a self signed certificate:

keytool -genkey -keyalg rsa -keysize 2048 -storepass password -keystore davmail.p12 -storetype pkcs12 -validity 3650 -dname cn=davmailhostname.company.com,ou=davmail,o=sf,o=net

Note to iPhone users: iOS does not support the default DSA algorithm, make sure you use an RSA key pair

Another note : do not use blank passwords, both keystore and key passwords must be set

If you have an official certificate in PEM form, convert it to PKCS12 with the following command:

openssl pkcs12 -export -in cert-davmail.pem -inkey privatekey-davmail.key -certfile chain-davmail.pem -out davmail.p12

Then add this keystore to DavMail settings:

If your already have your keystore in JKS format, just set keystoreType to JKS in DavMail settings. keystorePass is the password used to open the KeyStore, keyPass protects the private key inside the KeyStore. With PKCS12, keyPass and keystorePass are often identical.

Restart DavMail, all DavMail listeners will switch to secure mode: POP3S/IMAPS/SMTPS/HTTPS/LDAPS. You will also need to enable SSL in client applications and manually accept the certificate as it's not signed by a trusted Certification Authority.

Custom certificate authority

Most users rely on the interactive accept certificate dialog to handle non public certificate authorities. However, this will not work with an Exchange server cluster with a different certificate on each server. In this case, you need to update global Java truststore with the custom certificate authority:

keytool -import -alias root -keystore /path/to/jre/lib/security/cacerts -trustcacerts -file rootca.crt -storepass changeit -noprompt

Client certificate

In most cases, using https in OWA url is enough to secure communication between DavMail and Exchange. However, with Exchange servers setup to require mutual authentication, you will have to register your client certificate in DavMail settings, either through PKCS11 (smartcard) or file certificate.

To use a client certificate provided as a PKCS12 file, set the following keys in DavMail:

For a smartcard, first make sure you PKCS11 module is correctly installed by testing mutual authentication through a browser. Then set the following properties in DavMail:

PKCS11 library is the full path to the PKCS11 module (.so on Unix, .dll on windows) or simple library name if PATH (Windows) or LD_LIBRARY_PATH (Unix) already contains the full path. Add any additional PKCS11 parameter in PKCS11 Config parameter, e.g. slot = 2.

To adjust your settings, you can try to access the smartcard with java keytool. First create a file named pkcs11.config with the following lines:

and list certificates with keytool:

keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11.config -list -v

Sample pkcs11.config for NSS Soft token (Thunderbird/Firefox):

Another one for Coolkey (see Coolkey for Debian and United States Department of Defense Common Access Cards):

Note that spaces in library path may break Sun PKCS11, use C:\Progra~2\ActivIdentity\ActivClient\acpkcs211.dll instead of C:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll

More details on java PKCS11 setup in Sun PKCS11 guide