Server keystore (Client to DavMail)

SSL is not necessary when DavMail is used in workstation mode, as communication between clients and DavMail remain local. However, in server (shared) mode e.g. with a smartphone connecting to DavMail over the internet, you should make sure encryption is enabled.

The simplest way to secure communication between mail/calendar clients and DavMail is to create a self signed certificate:

keytool -genkey -keyalg rsa -keysize 2048 -storepass password -keystore davmail.p12 -storetype
                    pkcs12 -validity 3650 -dname cn=davmailhostname.company.com,ou=davmail,o=sf,o=net
                

Note to iPhone users: iOS does not support the default DSA algorithm, make sure you use an RSA key pair

Another note : do not use blank passwords, both keystore and key passwords must be set

If you have an official certificate in PEM form, convert it to PKCS12 with the following command:

openssl pkcs12 -export -in cert-davmail.pem -inkey privatekey-davmail.key -certfile
                    chain-davmail.pem -out davmail.p12
                

Then add this keystore to DavMail settings:

davmail.ssl.keystoreType=PKCS12
davmail.ssl.keyPass=password
davmail.ssl.keystoreFile=davmail.p12
davmail.ssl.keystorePass=password

If your already have your keystore in JKS format, just set keystoreType to JKS in DavMail settings. keystorePass is the password used to open the KeyStore, keyPass protects the private key inside the KeyStore. With PKCS12, keyPass and keystorePass are often identical.

Restart DavMail, all DavMail listeners will switch to secure mode: POP3S/IMAPS/SMTPS/HTTPS/LDAPS. You will also need to enable SSL in client applications and manually accept the certificate as it's not signed by a trusted Certification Authority.

Improving DavMail TLS listener security level

In order to improve TLS security, DavMail internally forces the following parameters:

jdk.tls.rejectClientInitiatedRenegotiation=true
jdk.tls.ephemeralDHKeySize=2048

As DavMail is a java application, you can further improve security level means by java security properties. Edit jre/lib/security/java.security and adjust the following line to your requirements:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224

Alternative: create a custom java.security file with the above line and tell DavMail to use it:

-Djava.security.properties=/path/to/java.security

DavMail to Exchange

Custom certificate authority

Most users rely on the interactive accept certificate dialog to handle non public certificate authorities. However, this will not work with an Exchange server cluster with a different certificate on each server. In this case, you need to update global Java truststore with the custom certificate authority:

keytool -import -alias root -keystore /path/to/jre/lib/security/cacerts -trustcacerts -file rootca.crt -storepass changeit -noprompt

Client certificate

In most cases, using https in OWA url is enough to secure communication between DavMail and Exchange. However, with Exchange servers setup to require mutual authentication, you will have to register your client certificate in DavMail settings, either through PKCS11 (smartcard) or file certificate.

To use a client certificate provided as a PKCS12 file, set the following keys in DavMail:

davmail.ssl.clientKeystoreType=PKCS12
davmail.ssl.clientKeystoreFile=client.p12
davmail.ssl.clientKeystorePass=password

For a smartcard, first make sure you PKCS11 module is correctly installed by testing mutual authentication through a browser. Then set the following properties in DavMail:

davmail.ssl.clientKeystoreType=PKCS11
davmail.ssl.pkcs11Library=/full/path/to/pkcs11Module
davmail.ssl.pkcs11Config=

PKCS11 library is the full path to the PKCS11 module (.so on Unix, .dll on windows) or simple library name if PATH (Windows) or LD_LIBRARY_PATH (Unix) already contains the full path. Add any additional PKCS11 parameter in PKCS11 Config parameter, e.g. slot = 2.

To adjust your settings, you can try to access the smartcard with java keytool. First create a file named pkcs11.config with the following lines:

name = moduleName
library = /path/to/pkcs11module

and list certificates with keytool:

keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11.config -list -v

Sample pkcs11.config for NSS Soft token (Thunderbird/Firefox):

name=NSS
library=softokn3
nssArgs="configdir='/path/to/firefox/profile' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly"
slot = 2

Another one for Coolkey (see Coolkey for Debian and United States Department of Defense Common Access Cards):

name=CoolKey
library=/usr/cac/lib/pkcs11/libcoolkeypk11.so

Note that spaces in library path may break Sun PKCS11, use C:\Progra~2\ActivIdentity\ActivClient\acpkcs211.dll instead of C:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll

More details on java PKCS11 setup in Sun PKCS11 guide