SSL is not necessary when DavMail is used in workstation mode, as communication between clients and DavMail remain local. However, in server (shared) mode e.g. with a smartphone connecting to DavMail over the internet, you should make sure encryption is enabled.
The simplest way to secure communication between mail/calendar clients and DavMail is to create a self signed certificate:
keytool -genkey -keyalg rsa -keysize 2048 -storepass password -keystore davmail.p12 -storetype pkcs12 -validity 3650 -dname cn=davmailhostname.company.com,ou=davmail,o=sf,o=net
Note to iPhone users: iOS does not support the default DSA algorithm, make sure you use an RSA key pair
Another note : do not use blank passwords, both keystore and key passwords must be set
If you have an official certificate in PEM form, convert it to PKCS12 with the following command:
openssl pkcs12 -export -in cert-davmail.pem -inkey privatekey-davmail.key -certfile chain-davmail.pem -out davmail.p12
Then add this keystore to DavMail settings:
davmail.ssl.keystoreType=PKCS12 davmail.ssl.keyPass=password davmail.ssl.keystoreFile=davmail.p12 davmail.ssl.keystorePass=password
If your already have your keystore in JKS format, just set keystoreType to JKS in DavMail settings. keystorePass is the password used to open the KeyStore, keyPass protects the private key inside the KeyStore. With PKCS12, keyPass and keystorePass are often identical.
Restart DavMail, all DavMail listeners will switch to secure mode: POP3S/IMAPS/SMTPS/HTTPS/LDAPS. You will also need to enable SSL in client applications and manually accept the certificate as it's not signed by a trusted Certification Authority.
Improving DavMail TLS listener security level
In order to improve TLS security, DavMail internally forces the following parameters:
jdk.tls.rejectClientInitiatedRenegotiation=true jdk.tls.ephemeralDHKeySize=2048
As DavMail is a java application, you can further improve security level means by java security properties. Edit jre/lib/security/java.security and adjust the following line to your requirements:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC keySize < 224
Alternative: create a custom java.security file with the above line and tell DavMail to use it:
-Djava.security.properties=/path/to/java.security
Custom certificate authority
Most users rely on the interactive accept certificate dialog to handle non public certificate authorities. However, this will not work with an Exchange server cluster with a different certificate on each server. In this case, you need to update global Java truststore with the custom certificate authority:
keytool -import -alias root -keystore /path/to/jre/lib/security/cacerts -trustcacerts -file rootca.crt -storepass changeit -noprompt
Client certificate
In most cases, using https in OWA url is enough to secure communication between DavMail and Exchange. However, with Exchange servers setup to require mutual authentication, you will have to register your client certificate in DavMail settings, either through PKCS11 (smartcard) or file certificate.
To use a client certificate provided as a PKCS12 file, set the following keys in DavMail:
davmail.ssl.clientKeystoreType=PKCS12 davmail.ssl.clientKeystoreFile=client.p12 davmail.ssl.clientKeystorePass=password
For a smartcard, first make sure you PKCS11 module is correctly installed by testing mutual authentication through a browser. Then set the following properties in DavMail:
davmail.ssl.clientKeystoreType=PKCS11 davmail.ssl.pkcs11Library=/full/path/to/pkcs11Module davmail.ssl.pkcs11Config=
PKCS11 library is the full path to the PKCS11 module (.so on Unix, .dll on windows) or simple library name if PATH (Windows) or LD_LIBRARY_PATH (Unix) already contains the full path. Add any additional PKCS11 parameter in PKCS11 Config parameter, e.g. slot = 2.
To adjust your settings, you can try to access the smartcard with java keytool. First create a file named pkcs11.config with the following lines:
name = moduleName library = /path/to/pkcs11module
and list certificates with keytool:
keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11.config -list -v
Sample pkcs11.config for NSS Soft token (Thunderbird/Firefox):
name=NSS library=softokn3 nssArgs="configdir='/path/to/firefox/profile' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly" slot = 2
Another one for Coolkey (see Coolkey for Debian and United States Department of Defense Common Access Cards):
name=CoolKey library=/usr/cac/lib/pkcs11/libcoolkeypk11.so
Note that spaces in library path may break Sun PKCS11, use C:\Progra~2\ActivIdentity\ActivClient\acpkcs211.dll instead of C:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll
More details on java PKCS11 setup in Sun PKCS11 guide