On 22/4/22 7:50 am, Jeremy Ardley wrote:
On 22/4/22 7:44 am, alice@coakmail.com wrote:
On 22/4/22 7:25 am,alice@coakmail.com wrote:
Thanks. I will give a try. after enabling SSL, can I disable port 143 entirely?
Probably a bad idea. Many clients use STARTTTLS on port 143 rather than TLS on port 993
I forgot to mention that in /etc/dovecot/dovecot.conf you don't need to specify imaps. Dovecot automatically listens on port 993 and 143 when ssl is specified and applies the ssl directive as indicated.
#global
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required ssl_min_protocol = TLSv1.2 ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM ssl_prefer_server_ciphers = yes ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pe
protocols = imap lmtp sieve
#specific domain override
local mail.example.com { protocol imap {
ssl_cert = </etc/letsencrypt/live/special.example.com/fullchain.pem ssl_key = </etc/letsencrypt/live/special.example.com/privkey.pem } }
It is possible to generate a wildcard letsencrypt certificate *.example.com but the process is tricky and has unexpected side-effects such as typo.example.com resolves to example.com in DNS
-- Jeremy