-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Tue, 2020-11-10 at 00:26 -0600, Raymond Herrera wrote:
> Good. I am going to focus on the IMAP configuration and worry about SMTP later.
Yeah, also the postfix list is probably more useful for the SMTP stuff, although having said that the two products integrate seamlessly.
> The following is the relevant documentation. This is very straightforward: https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/
> My file 10-ssl.conf is untouched.
> However, this is the part that I would like to better understand:
> https://doc.dovecot.org/admin_manual/ssl/certificate_creation/
> Before creating my own certificate (which I have done in the past for my old server), I am curious. Is there anything wrong with the one that comes with the distribution?
The certificate which comes with either dovecot, or your distribution (in Debian it's "/etc/ssl/certs/ssl-cert-snakeoil.pem") is a self-signed certificate, which most clients will force you to accept (permanently, or temporarily). Personally I am using Let's Encrypt (https://letsencrypt.org/) wildcard certificates (since I am not just using them for email purposes), and I have scripts that restart the relevant services when the certificates get updated (LE certs are only valid for 90 days, and can be renewed at 60 days). Look into LE and the tools available for Linux, pick the one that works for you; I use acme.sh, which I find easier to script around.
> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
> ssl_key = </etc/pki/dovecot/private/dovecot.pem
So this is a public/private key pair, just like for ssh, gpg, or many other cryptography-related tools. The ssl_cert line is the public certificate, and the ssl_key line is the key used to create and sign the initial certificate request (the CRL is later signed by an issuer; in the case of the snakeoil certs this is a separate private key).
There are a bunch more things worth tweaking in the ssl.conf file though :)
Nikolai Lusan <nikolai@lusan.id.au>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEVfd4GW6z4nsBxdLo4ZaDRV2VL6QFAl+qSDgACgkQ4ZaDRV2V
L6T50g/8C04Q4w6jwdId3+97Q+a/hRo1nqDA1Eq206c1z+Fp+Q1gE9YLMOCLkDql
DxqXRFjDWgb1+TTtkr3SW1ZC2kcDAa+kKyQvBscCTPI6+FnLSiypTCP8OMZl047C
fmUjGBDJyVtIuI99r3Bq4mZ4AEsEkhnktptEHicoEBQuTLFx9nDezws5ZsVjjmAX
+OqjU+hdnrNMrcob9zwhdV9xY5dklYXg/g3RPivkg9ddKLE31QW4RVO1RuN0G/Qd
xZlz3NEd/TO6PnouL010/HBIFUdrg/6fm9SZoVLgZqlqtoe2Af1G1RO2rtK2lWZY
RPY3wgeBY9iluxXtPkSK9e4C746rRwhD/ccNmJyIhnhEEbZYCTziBSvb2Etq+4ky
TMNPi0rsDu2FAQGfc6aXFDJMv3tsMSTZMUlOe05eHHc7y7J4AaeYq0n0nRwJnL40
aeyiQDgkeW6G9EYX3zBDRY98AnE11Ydpc/mNbf5VJBscysVEGHOKONl1Pomclu/f
k8w9QL6SKPIhTpsGtQ3SvJvmyhnnwueUwCJWY0vpS4Gq71CAMks1RRJWNukQvPiX
D1dEkkHTiXZNhmWjLvLXX0oQ/fL9sayxkG4MrwXbJCS1sAKqhVwaGdsf3Fxn2fV5
7olrMyPYhjT2Qn1dU8V7FN4cRMHknWqxwLaEo/03M6Cs4l6wvFo=
=D7tQ
-----END PGP SIGNATURE-----
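The thread makes two practical points about the files behind Dovecot's ssl_cert and ssl_key lines: a distribution "snakeoil" certificate is self-signed (so clients prompt to trust it), and a Let's Encrypt certificate is short-lived (90 days, renewed at 60), so the service needs a reload hook when the files change. The script below is an added example, not code from the thread or from the Dovecot project. It is a set of POSIX sh checks an operator could run on the two files before reloading Dovecot (for instance from an acme.sh reload hook). It assumes the openssl CLI is installed; the certificate and key paths are passed in as parameters, and the DOVECOT_CERT/DOVECOT_KEY environment variables used at the bottom are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity checks on the files
# a Dovecot ssl_cert / ssl_key pair points at. Requires the openssl CLI.

# is_self_signed CERT
#   Returns 0 when the certificate's subject equals its issuer, which is what a
#   distribution "snakeoil" certificate looks like and why mail clients prompt.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# cert_matches_key CERT KEY
#   Returns 0 when the public key embedded in CERT is the one derived from KEY,
#   i.e. ssl_cert and ssl_key really are one public/private pair. Compares a
#   SHA-256 digest of the DER-encoded public key from both sides.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# expires_within CERT SECONDS
#   Returns 0 when the certificate expires within SECONDS from now.
#   "openssl x509 -checkend N" exits 0 only if the cert is still valid in N seconds,
#   so the result is negated here.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# check_dovecot_ssl CERT KEY
#   Prints a short report. Returns non-zero only for a cert/key mismatch, which
#   would make Dovecot fail to serve TLS at all; self-signed and near-expiry are
#   warnings. 30 days matches the "90-day cert renewed at 60 days" schedule.
check_dovecot_ssl() {
    cert=$1
    key=$2
    rc=0
    if is_self_signed "$cert"; then
        echo "WARN: $cert is self-signed; clients will ask users to accept it"
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $key does not match the public key in $cert"
        rc=1
    fi
    if expires_within "$cert" $((30 * 86400)); then
        echo "WARN: $cert expires within 30 days; make sure the renewal hook runs"
    fi
    return $rc
}

# Usage (paths are hypothetical, taken from the thread's config example):
#   DOVECOT_CERT=/etc/pki/dovecot/certs/dovecot.pem \
#   DOVECOT_KEY=/etc/pki/dovecot/private/dovecot.pem sh dovecot-ssl-check.sh
if [ -n "${DOVECOT_CERT:-}" ] && [ -n "${DOVECOT_KEY:-}" ]; then
    check_dovecot_ssl "$DOVECOT_CERT" "$DOVECOT_KEY"
fi
```

A natural place for check_dovecot_ssl is the command acme.sh runs after installing a renewed certificate, ahead of the Dovecot reload: if the freshly written key and certificate do not match, the script returns non-zero and the reload is skipped, so the previously loaded, still-valid pair keeps serving IMAP.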