How to set up an SSL Dovecot mail server
Question: How do I set up Dovecot to use IMAPS and POP3S with Postfix certificates?
Answer: Dovecot is a free and open source IMAP and POP3 mail server. It is used for receiving incoming mail and works in conjunction with Postfix, which handles sending and delivery. Dovecot runs on all Linux and Unix-like operating systems and is available in most distribution repositories. Some may even have it installed by default. Follow these simple steps to set up SSL:
Enable POP3S and IMAPS by editing the configuration file /etc/dovecot.conf. With both enabled, the protocols setting looks like this:
protocols = imaps pop3s
Next, set the PEM-encoded X.509 SSL/TLS certificate and private key. Dovecot opens them before dropping root privileges, so keep the key file unreadable by anyone but root (see how to create a certificate CSR and configure certificates for Postfix):
ssl_cert_file = /etc/postfix/ssl/smtp.theos.in.crt
ssl_key_file = /etc/postfix/ssl/smtp.theos.in.key
If the key file is password protected, give the password using the ssl_key_password directive:
ssl_key_password = myPassword
Save and close the file. Restart the Dovecot server:
# /etc/init.d/dovecot restart
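Added check, not part of the nixCraft post: a small Python script that reads a dovecot.conf, confirms that protocols lists imaps and pop3s, that ssl_cert_file and ssl_key_file are set and point at existing files, and that the key file carries no group or other permission bits, which is the "unreadable by anyone but root" requirement from the steps above. It writes a constructed config and placeholder (non-PEM) cert and key files into a temporary directory so it runs offline; the expect_uid parameter is a hypothetical addition so the demo can run as an unprivileged user, and a real audit keeps its default of 0 (root).

```python
import os
import stat
import tempfile


def parse_dovecot_conf(text):
    """Parse flat 'key = value' lines of a dovecot.conf into a dict.

    Comments and blank lines are skipped. Nested sections (protocol imap { ... })
    are not handled; the steps above only touch top-level settings.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_dovecot_ssl(conf_path, expect_uid=0):
    """Return a list of problems with the SSL settings; an empty list means all checks passed.

    expect_uid is a hypothetical parameter added for this example: on a real server
    the key should be owned by root (uid 0), which is the default.
    """
    problems = []
    with open(conf_path) as fh:
        settings = parse_dovecot_conf(fh.read())

    enabled = settings.get("protocols", "").split()
    for proto in ("imaps", "pop3s"):
        if proto not in enabled:
            problems.append(f"protocols does not include {proto}")

    for directive in ("ssl_cert_file", "ssl_key_file"):
        path = settings.get(directive)
        if not path:
            problems.append(f"{directive} is not set")
        elif not os.path.isfile(path):
            problems.append(f"{directive} points to a missing file: {path}")

    key = settings.get("ssl_key_file")
    if key and os.path.isfile(key):
        st = os.stat(key)
        mode = stat.S_IMODE(st.st_mode)
        # Dovecot reads the key as root before dropping privileges, so nobody
        # else needs access: group/other bits must all be clear (0600 or 0400).
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{key} is readable by group/others (mode {mode:04o}); use 0600")
        if st.st_uid != expect_uid:
            problems.append(f"{key} is owned by uid {st.st_uid}, expected {expect_uid}")
    return problems


def write_demo_config(tmpdir, key_mode):
    """Write a constructed dovecot.conf plus placeholder cert/key files into tmpdir.

    The PEM bodies are dummies for the permission check only, not real keys.
    """
    cert = os.path.join(tmpdir, "smtp.example.crt")
    key = os.path.join(tmpdir, "smtp.example.key")
    with open(cert, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
    os.chmod(key, key_mode)
    conf = os.path.join(tmpdir, "dovecot.conf")
    with open(conf, "w") as fh:
        fh.write(f"protocols = imaps pop3s\nssl_cert_file = {cert}\nssl_key_file = {key}\n")
    return conf


def demo():
    """Run the check against a world-readable key and then a properly locked-down one."""
    with tempfile.TemporaryDirectory() as tmp:
        uid = os.getuid()  # the demo runs unprivileged; a real audit keeps expect_uid=0
        loose = check_dovecot_ssl(write_demo_config(tmp, 0o644), expect_uid=uid)
        tight = check_dovecot_ssl(write_demo_config(tmp, 0o600), expect_uid=uid)
    return loose, tight


if __name__ == "__main__":
    loose, tight = demo()
    print("mode 0644:", loose)  # one problem: key readable by group/others
    print("mode 0600:", tight)  # []
```

Point check_dovecot_ssl at the real /etc/dovecot.conf (as root, so the key file can be stat'ed) after editing it and before the restart; anything it reports is worth fixing before clients start connecting.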
Source: nixCraft
Tag: certificate, dovecot, mail server, postfix, root, ssl
Running an entire website under SSL

Question: I was thinking of making my entire website HTTPS instead of just the shopping cart. Is this a good idea?
Answer: There are both pros and cons to securing an entire site with SSL, but most seem to agree that the cons outweigh the pros. The advantage is that your users know from the beginning that they are working with a secure site. If your website happens to be for a financial institution, this may add to users’ comfort when they are entering login data.
The disadvantages are that a site will most likely run slower when every page has to be encrypted. The larger your site, the more data it has to encrypt. Also, if a browser ever has issues with the certificate, a user will be locked out from your site completely or will have to click through unnecessary confirmations. This may prevent them from even getting to a contact form to tell you something is wrong.
Generally speaking, there is simply no need to encrypt general pages of information. Login forms should point to encrypted script URLs, and all shopping cart data, personal information, and financial information should be under HTTPS. If that is all you have (i.e. you only have those private forms on your site and nothing else), then complete HTTPS might be a good idea.
Source: webhostingtalk.com
Tag: certificate, encrypt, http, https, secure, ssl, website
How to Redirect HTTP to HTTPS

Question: How do I force users to use the SSL version of a folder on my website?
Answer: With e-commerce websites it is very important to make sure your customers have a secure connection to your website. Nothing can be more damaging to a business than to have sensitive user information leaked to would-be attackers and cyber-criminals. While you can always make sure your links point to the SSL version of a particular page, users might still reach the page without the "https" protocol. Using a simple Apache rewrite rule, you can ensure that even if users go to http://www.yoursite.com/billing, they will be redirected to https://www.yoursite.com/billing.
In the directory you want to redirect, create a .htaccess file and add the following rules. The RewriteCond on %{HTTPS} is what stops the rule from firing again once the visitor is already on HTTPS (without it the HTTPS request for the folder matches too and is redirected to itself, which the browser reports as a redirect loop), and the captured $1 keeps whatever page within the folder was requested instead of sending everyone to the folder root:
RewriteEngine on
# Only redirect requests that did not arrive over HTTPS
RewriteCond %{HTTPS} !=on
# Per-directory context: the pattern sees the path relative to this folder
RewriteRule ^(.*)$ https://www.yoursite.com/billing/$1 [R=301,L]
That is all it takes. Now you will guarantee your users a secure experience whenever they access your site.
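Added illustration, not from the original post: a Python model of how a browser experiences the two variants of the redirect rule, the unconditional one (RewriteRule (.*) https://host/billing/ with no scheme condition) and the conditional one (RewriteCond %{HTTPS} !=on plus a $1 back-reference). The model is deliberately simple: it only knows the /billing/ folder on the placeholder host www.yoursite.com from the post, treats the path the way a per-directory .htaccess sees it (relative to the folder), and follows 301s up to a hop limit so a loop shows up as a flag rather than a hang.

```python
from urllib.parse import urlsplit, urlunsplit

# Placeholder host and folder from the post; the .htaccess lives in /billing/.
HOST = "www.yoursite.com"
FOLDER = "/billing/"


def _folder_subpath(url):
    """Return the part of the path after /billing/ (what a per-directory
    .htaccess pattern matches against), or None when the request is outside
    that folder and the rules do not apply at all."""
    path = urlsplit(url).path
    if path.rstrip("/") == FOLDER.rstrip("/"):
        return ""
    if path.startswith(FOLDER):
        return path[len(FOLDER):]
    return None


def unconditional_rule(url):
    """The rule as originally posted: RewriteRule (.*) https://host/billing/ [R=301,L].
    No scheme condition, so it fires for HTTPS requests too, and the missing $1
    drops the sub-path. Returns the 301 Location, or None when nothing is redirected."""
    if _folder_subpath(url) is None:
        return None
    return f"https://{HOST}{FOLDER}"


def conditional_rule(url):
    """The corrected rule: RewriteCond %{HTTPS} !=on followed by
    RewriteRule ^(.*)$ https://host/billing/$1 [R=301,L]."""
    sub = _folder_subpath(url)
    if sub is None:
        return None
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None  # condition fails: the page is served, no redirect
    # Apache carries the original query string over to the redirect target.
    return urlunsplit(("https", HOST, FOLDER + sub, parts.query, ""))


def follow_redirects(rule, url, max_hops=10):
    """Follow 301s the way a browser does. Returns (final_url, hops, looped);
    looped is True when the hop limit was hit without reaching a served page."""
    hops = 0
    while hops < max_hops:
        location = rule(url)
        if location is None:
            return url, hops, False
        url = location
        hops += 1
    return url, hops, True


if __name__ == "__main__":
    start = f"http://{HOST}/billing/invoice.php?id=7"
    print("original rule:", follow_redirects(unconditional_rule, start))
    # -> ('https://www.yoursite.com/billing/', 10, True): path lost and never settles
    print("fixed rule:   ", follow_redirects(conditional_rule, start))
    # -> ('https://www.yoursite.com/billing/invoice.php?id=7', 1, False)
```

The hop limit mirrors what browsers do in practice (they give up after a fixed number of redirects and show an error), which is why the missing condition turns a working checkout folder into one that nobody can reach at all.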
Tag: apache, htaccess, https, redirect, ssl
Most web users ignore security certificate warnings

How many times have you searched for the perfect site about the new summer action movie and clicked on a link only to be presented with a warning about a certificate. Do you stop and read the warning? Do you investigate the certificate? Would you even know if the certificate could not be trusted? According to a new study, most web users ignore their browser security certificate warnings.
SSL certificates are supposed to provide users with a level of encryption they can trust for secure (HTTPS) sites. But when a window pops up telling a user the certificate is invalid or has a problem, what should the user do? Carnegie Mellon researchers conducted a study of 409 participants to determine just that. Of the 50 percent of Firefox 2 users who even knew they were being given a security warning, 71 percent said they would ignore it.
Mozilla Firefox 3 makes the warning more difficult to ignore because users have to add an exception in order to allow access to the site, but the looming questions still remain. How do users know which sites to trust? Unless they are security experts, what safety protocols could they reasonably put in place? Website owners certainly bear the brunt of the responsibility to make sure their certificates are properly signed, and this is especially important for financial institutions. The complete findings of the study will be released August 14.
Source: ZDnet Asia
When you need SSL and when you don't

Most web hosts offer some form of SSL in at least some of their hosting packages. Many users are confused about when it is necessary to have SSL, when it is optional, and when they do not need it at all. SSL stands for Secure Sockets Layer. It is essentially a form of security encryption that protects data being transferred from one point to another. In terms of web sites, SSL is used to display encrypted website pages via the HTTPS protocol.
Many users who run businesses automatically believe that SSL is necessary. The truth is that it is only absolutely necessary if you are collecting sensitive data from your visitors, whether it is credit card numbers, addresses or any other information that visitors would consider private. If you forward your customers to a payment processor without collecting any sensitive information on-site, SSL is probably optional for you. It might make your operation look more professional to have a verified security certificate, but it is not necessary.
Good web hosts offer more than one SSL option. For a full SSL implementation, your website will require its own IP address, and you will have to purchase an SSL certificate from an established SSL authority. If your needs are not that great or you cannot afford that option, some hosts offer Shared SSL, which provides SSL to shared hosting customers (i.e. multiple customers sharing a single IP address). This method will usually suffice for small operations. If none of the above apply to your website, then you most likely do not need SSL at all.
Tag: certificate, encryption, https, security, shared ssl, ssl, web hosting, web server
Do I Need a Dedicated IP?

Every site uses an IP address, such as 68.812.23.1. If you use shared hosting, your site runs on the same server as hundreds of other websites, meaning that several sites share one IP address. This helps web hosts conserve the limited number of IPs they have. For a small fee per month, many providers will give you your own IP address, or dedicated IP. This provides no direct performance benefits, but can be useful to have.
SSL requires a dedicated IP, for example. If you run an ecommerce website, a unique IP is an investment to look into.
Some also choose to purchase dedicated IPs for SEO purposes. Google associates each website with an IP address and with several hundred sites hosted on one IP, some are concerned that inappropriate content on one of the sites might negatively impact their website. Google will penalize sites for activities like spamming and phishing, and if someone else on your server is doing these things, there is a risk the penalty might apply to the IP and hurt you, too. Some also speculate that the Google algorithm favors sites on dedicated IPs in search results out-and-out.
Tag: craig silverstein, dedicated ip, google, ip, ip address, seo, ssl, virtual private server, vps