Thanks Nikolai,

So far, I have concluded that the Dovecot distribution seems to be ready to be deployed with essentially no modification of configuration files.

I am using CentOS 7 and sendmail.

Raymond

On 11/10/2020 1:58 AM, Nikolai Lusan wrote:

On Tue, 2020-11-10 at 00:26 -0600, Raymond Herrera wrote:
> Good. I am going to focus on the IMAP configuration and worry about
> SMTP
> later.

Yeah, also the postfix list is probably more useful for the SMTP stuff,
although having said that the two products integrate seemlessly.

> The following is the relevant documentation.
> This is very straightforward:
> https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/

> My file 10-ssl.conf is untouched.

> However, this is the part that I would like to better understand:

> https://doc.dovecot.org/admin_manual/ssl/certificate_creation/

> Before creating my own certificate (which I have done in the past for
> my
> old server), I am curious. Is there anything wrong with the one that
> comes with the distribution?

The certificate which comes with either dovecot, or your distribution
(in Debian it's "/etc/ssl/certs/ssl-cert-snakeoil.pem") is a self
signed certificate, which most clients will force you to accept
(permanently, or temporarily). Personally I am using Lets Encrypt (
https://letsencrypt.org/) wildcard certificates (since I am not just
using them for email purposes), and I have scripts that restart the
relevant services when the certificates get updated (LE cert are only
valid for 90 days, and can be renewed at 60 days). Look into LE and the
tools available for Linux, pick the one that works for you, I use
acme.sh which I find easier to script around.

> ssl_cert = < /etc/pki/dovecot/certs/dovecot.pem
> ssl_key = < /etc/pki/dovecot/private/dovecot.pem

So this is a public/private key pair. Just like for ssh, gpg, or many
other cryptography related tools. The ssl_cert line is the public
certificate, and the ssl_key line is the key used to create the sign
the initial certificate request (the CRL is later signed by an issuer,
in the case of the snakeoil certs this is seperate private key).