Thanks Nikolai,
So far, I have concluded that the Dovecot distribution seems to be ready to be deployed with essentially no modification of configuration files.
I am using CentOS 7 and sendmail.
Raymond
On 11/10/2020 1:58 AM, Nikolai Lusan wrote:
On Tue, 2020-11-10 at 00:26 -0600, Raymond Herrera wrote:
Good. I am going to focus on the IMAP configuration and worry about SMTP later.
Yeah, also the postfix list is probably more useful for the SMTP stuff, although having said that the two products integrate seamlessly.
The following is the relevant documentation. This is very straightforward: https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/
My file 10-ssl.conf is untouched.
However, this is the part that I would like to better understand:
https://doc.dovecot.org/admin_manual/ssl/certificate_creation/
Before creating my own certificate (which I have done in the past for my old server), I am curious. Is there anything wrong with the one that comes with the distribution?
The certificate which comes with either dovecot, or your distribution (in Debian it's "/etc/ssl/certs/ssl-cert-snakeoil.pem") is a self-signed certificate, which most clients will force you to accept (permanently, or temporarily). Personally I am using Let's Encrypt (https://letsencrypt.org/) wildcard certificates (since I am not just using them for email purposes), and I have scripts that restart the relevant services when the certificates get updated (LE certs are only valid for 90 days, and can be renewed at 60 days). Look into LE and the tools available for Linux, pick the one that works for you, I use acme.sh which I find easier to script around.
ssl_cert = < /etc/pki/dovecot/certs/dovecot.pem
ssl_key = < /etc/pki/dovecot/private/dovecot.pem
So this is a public/private key pair. Just like for ssh, gpg, or many other cryptography-related tools. The ssl_cert line is the public certificate, and the ssl_key line is the key used to create and sign the initial certificate request (the CRL is later signed by an issuer, in the case of the snakeoil certs this is a separate private key).
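
Added example, not part of the original thread: a shell sketch that reads the ssl_cert and ssl_key paths from a Dovecot config, then checks whether the certificate is self-signed, whether the key belongs to it, and whether it is inside the renewal window. The function names, the demo hostname and the temporary files are constructed for illustration; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: inspect the certificate/key pair a Dovecot config points at.

# Print the file path from a "setting = < /path" line in a Dovecot config.
dovecot_ssl_path() {  # usage: dovecot_ssl_path CONF SETTING
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*<[[:space:]]*//p" "$1" | tail -n 1
}

# Succeeds when issuer and subject are the same name (a self-signed cert).
cert_is_self_signed() {  # usage: cert_is_self_signed CERT
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds when the private key corresponds to the certificate's public key.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds when the certificate expires within DAYS days.
cert_expires_within() {  # usage: cert_expires_within CERT DAYS
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Constructed demo data: a throwaway self-signed pair, an unrelated key,
# and a config fragment in the same form as the two lines quoted above.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=imap.example.test" \
    -keyout "$demo/key.pem" -out "$demo/cert.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo/other.pem" 2>/dev/null
printf 'ssl_cert = < %s\nssl_key = < %s\n' \
    "$demo/cert.pem" "$demo/key.pem" > "$demo/10-ssl.conf"

cert=$(dovecot_ssl_path "$demo/10-ssl.conf" ssl_cert)
key=$(dovecot_ssl_path "$demo/10-ssl.conf" ssl_key)
cert_is_self_signed "$cert" && echo "self-signed: clients will ask to accept it"
cert_matches_key "$cert" "$key" && echo "ssl_key matches ssl_cert"
cert_expires_within "$cert" 60 && echo "expires within 60 days: renew"
```

Pointing the two dovecot_ssl_path calls at the real 10-ssl.conf instead of the demo file runs the same checks against the installed pair.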