Recommended Protocols?

Nikolai Lusan nikolai at lusan.id.au
Tue Nov 10 09:58:48 EET 2020



On Tue, 2020-11-10 at 00:26 -0600, Raymond Herrera wrote:
> Good. I am going to focus on the IMAP configuration and worry about
> SMTP later.

Yeah, also the postfix list is probably more useful for the SMTP stuff,
although having said that the two products integrate seamlessly.

> The following is the relevant documentation.
> This is very straightforward:
> https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/
> 
> My file 10-ssl.conf is untouched.
> 
> However, this is the part that I would like to better understand:
> 
> https://doc.dovecot.org/admin_manual/ssl/certificate_creation/
> 
> Before creating my own certificate (which I have done in the past for
> my old server), I am curious. Is there anything wrong with the one that
> comes with the distribution?

The certificate which comes with either dovecot, or your distribution
(in Debian it's "/etc/ssl/certs/ssl-cert-snakeoil.pem") is a self-signed
certificate, which most clients will force you to accept (permanently,
or temporarily). Personally I am using Let's Encrypt
(https://letsencrypt.org/) wildcard certificates (since I am not just
using them for email purposes), and I have scripts that restart the
relevant services when the certificates get updated (LE certs are only
valid for 90 days, and can be renewed at 60 days). Look into LE and the
tools available for Linux and pick the one that works for you; I use
acme.sh which I find easier to script around.

> ssl_cert = < /etc/pki/dovecot/certs/dovecot.pem
> ssl_key = < /etc/pki/dovecot/private/dovecot.pem

So this is a public/private key pair. Just like for ssh, gpg, or many
other cryptography related tools. The ssl_cert line is the public
certificate, and the ssl_key line is the key used to create and sign
the initial certificate request (the CRL is later signed by an issuer;
in the case of the snakeoil certs this is a separate private key).

There are a bunch more things worth tweaking in the ssl.conf file
though :)

-- 
Nikolai Lusan <nikolai at lusan.id.au>
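As an added example (not code from the thread or from the Dovecot project), here is the kind of renewal hook Nikolai describes: it reads the ssl_cert/ssl_key paths out of 10-ssl.conf, checks that the two files actually belong together, checks remaining validity, and reloads Dovecot only when the certificate changed since the last reload. The config path, state file and reload command are assumptions.

```shell
#!/bin/sh
# Renewal hook for Dovecot TLS certs (added example, not from the thread).
# Hypothetical paths: /etc/dovecot/conf.d/10-ssl.conf and a state file
# holding the fingerprint of the last cert Dovecot was reloaded with.

# Path after "ssl_cert = <" or "ssl_key = <" in a Dovecot conf file
# (uncommented lines only; a space after "<" is tolerated).
dovecot_ssl_path() {  # $1 conf file, $2 setting name (ssl_cert|ssl_key)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*<[[:space:]]*//p" "$1" | head -n 1
}

# 0 if the certificate's public key equals the private key's public half,
# 1 if they differ, 2 if either file cannot be parsed.
cert_key_match() {  # $1 cert PEM, $2 key PEM
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# 0 if the certificate is still valid $2 days from now (LE: 90-day lifetime).
cert_valid_for_days() {  # $1 cert PEM, $2 days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

cert_fingerprint() {  # $1 cert PEM
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# Reload Dovecot only when the cert changed and cert/key still pair up.
# Prints "reloaded", "unchanged" or "mismatch"; $3 is the reload command
# (left unquoted on purpose so "systemctl reload dovecot" word-splits).
renew_hook() {  # $1 conf, $2 state file, $3 reload command
    cert=$(dovecot_ssl_path "$1" ssl_cert)
    key=$(dovecot_ssl_path "$1" ssl_key)
    cert_key_match "$cert" "$key" || { echo mismatch; return 1; }
    fp=$(cert_fingerprint "$cert")
    if [ -f "$2" ] && [ "$(cat "$2")" = "$fp" ]; then
        echo unchanged; return 0
    fi
    $3 && printf '%s\n' "$fp" > "$2" && echo reloaded
}

if [ "${1:-}" = "--run" ]; then
    renew_hook /etc/dovecot/conf.d/10-ssl.conf /var/lib/dovecot/cert.fp \
               "systemctl reload dovecot"
fi
```

Run it with `--run` from the ACME client's post-renewal hook; the mismatch check catches the common failure of a renewed cert landing next to a stale key.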