Dovecot and Letsencrypt certs
Bill Shirley
bill at KnoxvilleChristian.org
Sat Sep 9 22:31:50 EEST 2017
Oh, also I removed the '2>1> /dev/null' from the acme.sh crontab entry so that
it will always send an email; and entered this in sieve:
# ------- let's encrypt -------
# require must be the first command in the script (add "copy" if the
# redirect :copy lines below are enabled)
require ["body", "regex", "imap4flags", "fileinto"];
if header :contains "subject" "acme.sh" {
    if body :regex "Error[[:space:]]+renew" {
        # redirect :copy "bill at example.com";
        addflag "$label1"; # Thunderbird red
        stop;
    }
    if body :regex "-----BEGIN CERTIFICATE-----" {
        # redirect :copy "bill at example.com";
        addflag "$label4"; # Thunderbird blue
        stop;
    }
    fileinto "AASystemAdministration.Cron.certificate";
    stop;
}
The redirect :copy I enable for my other servers to forward a copy
to me.
HTH,
Bill
On 9/9/2017 3:16 PM, Bill Shirley wrote:
> If you're using acme.sh:
> acme.sh --installcert -d imap.example.com \
> --keypath /etc/pki/dovecot/private/imap.example.com.pem \
> --certpath /etc/pki/dovecot/certs/imap.example.com.crt \
> --fullchainpath /etc/pki/dovecot/certs/imap.example.com.full.chain.crt \
> --reloadcmd "systemctl reload dovecot.service"
>
> HTH,
> Bill
>
> On 9/8/2017 9:56 AM, Darac Marjal wrote:
>> On Fri, Sep 08, 2017 at 06:47:25AM -0600, @lbutlr wrote:
>>> So this morning at 4am I was awoken to my mail clients getting certificate errors for an expired certificate.
>>>
>>> I hopped on to the server and checked and… no, the LE certs renewed last month and are valid until November.
>>>
>>> After some moments of confusion I noticed that dovecot had been running since before the renewal, so I did a quick service
>>> dovecot restart which fixed everything.
>>>
>>> Should dovecot check for certs being refreshed? Or is this an artifact of my using symbolic links everywhere to point to the
>>> newest LE certs (which are themselves links the dehydrate script creates to point to the newest cert-1502534746.csr etc files)?
>>
>> As you're using dehydrated, I can share what I do. My hook script basically calls "run-parts /etc/dehydrated/hooks.d/" so I
>> can just drop hook scripts into that directory. Then in the hooks.d directory, I have the following:
>>
>> #!/bin/bash
>>
>> set -e
>> set -u
>> set -o pipefail
>>
>> if [[ ${1} == "deploy_cert" && ${2} == "mail.darac.org.uk" ]]; then
>>     echo " + Hook: Restarting Dovecot..."
>>     /usr/sbin/service dovecot restart
>> fi
>>
>> That means that dovecot will be restarted only if the certificate for the mail server is being deployed. If dehydrated runs,
>> but fails to renew the certificate, then dovecot won't be restarted. Similarly, if it renews a different certificate, dovecot
>> won't be restarted.
>>
>> Hope that helps.
>>
>>
>>>
>>> Should I just create a monthly cron to restart dovecot or is there something else?
>>>
>>> --
>>> Apple broke AppleScripting signatures in Mail.app, so no random signatures.
>>
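A dehydrated hook in the spirit of Darac's, as an added example rather than anything posted in the thread: it acts only on a deploy_cert for the mail server's name, checks that the newly deployed key and certificate belong together before touching Dovecot, and reloads instead of restarting so open IMAP sessions survive. The domain list, file paths and the dovecot.service unit name are assumptions.

```shell
#!/bin/sh
# dehydrated calls this hook as: HOOK DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# (deploy_cert stage). Everything else is ignored.
set -eu

# Hostnames whose certificate Dovecot serves (assumed values)
MAIL_DOMAINS="mail.example.com imap.example.com"

# Return 0 only for a deploy_cert of one of the mail hostnames.
# $1 = hook name, $2 = domain
should_reload() {
    hook="${1:-}"; domain="${2:-}"
    [ "$hook" = "deploy_cert" ] || return 1
    for d in $MAIL_DOMAINS; do
        [ "$domain" = "$d" ] && return 0
    done
    return 1
}

# Return 0 if the private key and certificate carry the same public key,
# comparing the PEM SubjectPublicKeyInfo derived from each file.
# $1 = key file, $2 = cert file
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

main() {
    hook="${1:-}"; domain="${2:-}"; keyfile="${3:-}"; certfile="${4:-}"
    if ! should_reload "$hook" "$domain"; then
        exit 0   # other stage, or a certificate Dovecot does not use
    fi
    if ! key_matches_cert "$keyfile" "$certfile"; then
        echo " + Hook: key/cert mismatch for ${domain}, not reloading Dovecot" >&2
        exit 1   # non-zero status makes dehydrated report the failure
    fi
    echo " + Hook: reloading Dovecot for ${domain}..."
    systemctl reload dovecot.service   # reload, not restart: sessions stay up
}

# Only run when invoked by dehydrated with hook arguments
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```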