how to set up IMAPS with letsencrypt
hello
I have set up a website using letsencrypt for certificates. How can I set up IMAP to use these certs as well?
Thank you.
On 22/4/22 7:25 am, alice@coakmail.com wrote:
> hello
> I have set up a website using letsencrypt for certificates. How can I set up IMAP to use these certs as well?
> Thank you.
Make entries in /etc/dovecot/conf.d/10-ssl.conf
ssl = required
# fullchain.pem also carries the intermediate; cert.pem alone leaves many clients unable to build the chain
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
in /etc/dovecot/dovecot.conf or in /etc/dovecot/conf.d/10-ssl.conf
put
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
You can override the global ssl certificates for specific domains in /etc/dovecot/dovecot.conf
local special.example.com {
  protocol imap {
    ssl_cert = </etc/letsencrypt/live/special.example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/special.example.com/privkey.pem
  }
}
-- Jeremy
> On 22/4/22 7:25 am, alice@coakmail.com wrote:
>> hello
>> I have set up a website using letsencrypt for certificates. How can I set up IMAP to use these certs as well?
>> Thank you.
> Make entries in /etc/dovecot/conf.d/10-ssl.conf
> ssl = required
> ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
> ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
> in /etc/dovecot/dovecot.conf or in /etc/dovecot/conf.d/10-ssl.conf
> put
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
> ssl_prefer_server_ciphers = yes
> You can override the global ssl certificates for specific domains in /etc/dovecot/dovecot.conf
Thanks. I will give it a try. After enabling SSL, can I disable port 143 entirely?
On 2022-04-22 01:50, Jeremy Ardley wrote:
> On 22/4/22 7:44 am, alice@coakmail.com wrote:
>> On 22/4/22 7:25 am, alice@coakmail.com wrote:
>> Thanks. I will give it a try. After enabling SSL, can I disable port 143 entirely?
> Probably a bad idea. Many clients use STARTTLS on port 143 rather than TLS on port 993
Keeping the footprint of servers minimal, risk-wise, is not a bad idea.
On 22/4/22 7:50 am, Jeremy Ardley wrote:
> On 22/4/22 7:44 am, alice@coakmail.com wrote:
>> On 22/4/22 7:25 am, alice@coakmail.com wrote:
>> Thanks. I will give it a try. After enabling SSL, can I disable port 143 entirely?
> Probably a bad idea. Many clients use STARTTLS on port 143 rather than TLS on port 993
I forgot to mention that in /etc/dovecot/dovecot.conf you don't need to specify imaps. Dovecot automatically listens on port 993 and 143 when ssl is specified and applies the ssl directive as indicated.
#global
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
protocols = imap lmtp sieve
#specific domain override
local mail.example.com {
  protocol imap {
    ssl_cert = </etc/letsencrypt/live/special.example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/special.example.com/privkey.pem
  }
}
It is possible to generate a wildcard letsencrypt certificate for *.example.com, but the process is tricky and has unexpected side-effects, such as typo.example.com resolving to example.com in DNS.
-- Jeremy
On 22/4/22 8:24 am, Jeremy Ardley wrote:
> local mail.example.com {
>   protocol imap {
>     ssl_cert = </etc/letsencrypt/live/special.example.com/fullchain.pem
>     ssl_key = </etc/letsencrypt/live/special.example.com/privkey.pem
>   }
> }
My error. The correct example domain override stanza is
#specific domain override
local special.example.com {
  protocol imap {
    ssl_cert = </etc/letsencrypt/live/special.example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/special.example.com/privkey.pem
  }
}
-- Jeremy
On 22 Apr 2022 at 01:50, Jeremy Ardley <jeremy@ardley.org> wrote:
> On 22/4/22 7:44 am, alice@coakmail.com wrote:
>> On 22/4/22 7:25 am, alice@coakmail.com wrote:
>> Thanks. I will give it a try. After enabling SSL, can I disable port 143 entirely?
> Probably a bad idea. Many clients use STARTTLS on port 143 rather than TLS on port 993
While that's true for SMTP, my experience is that IMAP clients prefer imaps on 993 instead of STARTTLS.
I have a server with only port 993 open, and have almost never had any issue with client configuration.
On 4/22/22 02:20, Jean-Daniel Dupas wrote:
> While that's true for SMTP, my experience is that IMAP clients prefer imaps on 993 instead of STARTTLS.
> I have a server with only port 993 open, and have almost never had any issue with client configuration.
I have noticed the opposite. Every time I have configured a new mail client (which is most often but not always Thunderbird), it defaults to 143 with STARTTLS. Port 993 is available too, but my mail clients have never used it unless I explicitly configure it.
My dovecot is configured with "disable_plaintext_auth = yes", so only source IPs that are local to the machine (so the traffic never goes out on any network) are allowed to log in without TLS. My webmail uses localhost, so it is configured to use port 143 without encryption.
I know a lot of people are going to clamor that such traffic should be encrypted because it could be sniffed ... but if somebody has enough access such that they could sniff my backend services, the security battle is already lost, and they would be able to get any in-flight passwords even if the connection is encrypted.
Thanks, Shawn
> I have set up a website using letsencrypt for certificates. How can I set up IMAP to use these certs as well?
> Make entries in /etc/dovecot/conf.d/10-ssl.conf
> ssl = required
> ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
> ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
Keep in mind the subject name (CN or SAN AltNames) of your certificate must match your IMAP server name e.g. if your certificate is made for "www.mydomain.com", you'll have to configure your IMAP clients to also use "www.mydomain.com" as the IMAP server name.
This typically means the web and IMAP server must reside on the same server; otherwise you'll have to use the DNS challenge method to support multiple hostnames on the same certificate.
Joseph Tam <jtam.home@gmail.com>
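As an added example (not code from the thread or from Dovecot), here is a Python client-side check for the configuration Jeremy posted above: it connects the way a mail client would on 993 (implicit TLS) and on 143 (STARTTLS), refuses anything below TLS 1.2, reports whether plaintext LOGIN is disabled before STARTTLS, and applies the name-matching rule Joseph describes, so a certificate issued for "www.mydomain.com" or for "sample.com" alone is shown not to cover a differently named IMAP host. It uses only the standard library; mail.example.com is an assumed hostname, and the live check needs network access to the server, while the matching helpers run offline.

```python
"""Check what Dovecot actually serves once the Let's Encrypt certificate is
configured: chain, TLS version, SAN/hostname match, STARTTLS behaviour.
Added example; not part of the original thread."""
import imaplib
import ssl
import sys


def san_dns_names(cert):
    """DNS names from the dict that SSLSocket.getpeercert() returns."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, dns_names):
    """RFC 6125-style match of a hostname against SAN DNS names.
    A leading '*.' wildcard covers exactly one label: '*.example.com' matches
    'mail.example.com' but neither 'example.com' nor 'a.b.example.com', and a
    certificate issued only for 'sample.com' does not cover 'any.sample.com'."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            if host.endswith(suffix):
                first_label = host[: -len(suffix)]
                if first_label and "." not in first_label:
                    return True
    return False


def check_imap_tls(host, port, starttls=False, timeout=10):
    """Connect like a mail client and report what the server offered.
    create_default_context() verifies the chain against the system CA store
    and checks the hostname, so a cert.pem served without its intermediate,
    or a name mismatch, surfaces here as a verification error."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    report = {"host": host, "port": port, "starttls": starttls}
    try:
        if starttls:
            conn = imaplib.IMAP4(host, port, timeout=timeout)
            # With disable_plaintext_auth = yes Dovecot advertises LOGINDISABLED
            # on a non-local connection until STARTTLS has completed.
            report["plaintext_login_disabled"] = "LOGINDISABLED" in conn.capabilities
            conn.starttls(ssl_context=ctx)
        else:
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    except ssl.SSLError as exc:
        report["ok"] = False
        report["error"] = getattr(exc, "verify_message", None) or str(exc)
        return report
    cert = conn.sock.getpeercert()
    names = san_dns_names(cert)
    report.update(
        ok=True,
        tls_version=conn.sock.version(),
        san=names,
        name_matches=hostname_matches(host, names),
        not_after=cert.get("notAfter"),
    )
    conn.logout()
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # assumed host
    for port, use_starttls in ((993, False), (143, True)):
        print(check_imap_tls(target, port, starttls=use_starttls))
```

Run it against the real host once Dovecot has been reloaded; a failing 993 check with a "unable to get local issuer certificate" message is the symptom of pointing ssl_cert at cert.pem instead of fullchain.pem, and a "hostname mismatch" message is the symptom Joseph describes.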
On 22/04/22 11:57, Joseph Tam wrote:
> Keep in mind the subject name (CN or SAN AltNames) of your certificate must match your IMAP server name e.g. if your certificate is made for "www.mydomain.com", you'll have to configure your IMAP clients to also use "www.mydomain.com" as the IMAP server name.
> This typically means the web and IMAP server must reside on the same server; otherwise you'll have to use the DNS challenge method to support multiple hostnames on the same certificate.
_A_ web server has to be there. It doesn't have to serve anything else useful. My mail server has a web server that only serves the LE challenge. Well, actually it's a proxy server that serves several other domains too, but there's nothing else served on that domain (at the moment).
Cheers, Richard
Richard Hector wrote:
> otherwise you'll have to use the DNS challenge method to support multiple hostnames on the same certificate.
Do you know how to implement this?
The original certificates were issued for the domain sample.com. But can these certs be used for any.sample.com too?
Thanks
On 24/4/22 9:14 am, ミユナ (alice) wrote:
> Richard Hector wrote:
>> otherwise you'll have to use the DNS challenge method to support multiple hostnames on the same certificate.
> Do you know how to implement this?
> The original certificates were issued for the domain sample.com. But can these certs be used for any.sample.com too?
There is a procedure for wildcards but it's a little complex. It helps to have your own bind server.
For a start:
https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt...
-- Jeremy
On 24/4/22 9:22 am, Jeremy Ardley wrote:
> For a start:
> https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt...
This may be more helpful https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets...
-- Jeremy
Thank you Jeremy. I will check them out.
Jeremy Ardley wrote:
> https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt...
> This may be more helpful https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets...
On Sun, 24 Apr 2022, ミユナ (alice) wrote:
[Actually, I wrote]
>> otherwise you'll have to use the DNS challenge method to support multiple hostnames on the same certificate.
> Do you know how to implement this?
Others have pointed out resources, but at a very basic level, you'll need a scriptable way to add TXT records for your domain. Plenty of ACMEbots supply plugins for various cloud provider APIs, but if you're running your own DNS server like I am, you may have to roll your own plugin.
If you don't have this level of control over your DNS zone, you'll have to bodge it with the HTTP challenge and a stub web server.
> The original certificates were issued for the domain sample.com. But can these certs be used for any.sample.com too?
For wildcarded certs (valid for *.sample.com), your only recourse is to use DNS challenges.
Joseph Tam <jtam.home@gmail.com>
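An added example of the "roll your own plugin" route Joseph describes, written for this thread rather than taken from it or from certbot: a certbot manual auth/cleanup hook in Python that publishes the _acme-challenge TXT record on a BIND primary (the "own bind server" Jeremy mentions) through a TSIG-signed dynamic update with nsupdate. certbot really does export CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES to manual hooks; the server name ns1.example.com, the key file path and the 30-second propagation wait are assumptions for the example, and the hook expects the zone to accept updates signed with that key.

```python
#!/usr/bin/env python3
"""certbot --manual-auth-hook / --manual-cleanup-hook for DNS-01 that adds or
removes the _acme-challenge TXT record via nsupdate (TSIG-signed dynamic
update against a BIND primary).  Added example; not part of the original thread."""
import os
import subprocess
import sys
import time

DNS_SERVER = "ns1.example.com"                    # assumed: primary that accepts dynamic updates
TSIG_KEY_FILE = "/etc/letsencrypt/acme-tsig.key"  # assumed: key file as written by tsig-keygen
TTL = 60
PROPAGATION_DELAY = 30                            # assumed: seconds for secondaries to catch up


def challenge_name(domain):
    """DNS-01 is validated at _acme-challenge.<domain>.  The wildcard
    '*.example.com' and the bare 'example.com' are both validated at
    _acme-challenge.example.com (two TXT records at one name)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".") + "."


def build_nsupdate_script(action, domain, validation, server=DNS_SERVER, ttl=TTL):
    """Text to feed nsupdate on stdin.  No 'zone' line: nsupdate locates the
    zone from the SOA.  Deleting by value removes only this token and leaves a
    sibling record (wildcard plus base domain) in place."""
    if action not in ("add", "delete"):
        raise ValueError("action must be 'add' or 'delete'")
    # ACME tokens are base64url; anything else would break the quoted RDATA.
    if not validation or any(c in validation for c in '"\\\n'):
        raise ValueError("unexpected characters in validation token")
    name = challenge_name(domain)
    lines = ["server %s" % server]
    if action == "add":
        lines.append('update add %s %d IN TXT "%s"' % (name, ttl, validation))
    else:
        lines.append('update delete %s IN TXT "%s"' % (name, validation))
    lines.append("send")
    return "\n".join(lines) + "\n"


def run_nsupdate(script, key_file=TSIG_KEY_FILE):
    """Hand the update to nsupdate; a non-zero exit aborts the certbot run."""
    subprocess.run(["nsupdate", "-k", key_file], input=script, text=True, check=True)


def main(argv):
    action = argv[1]
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    run_nsupdate(build_nsupdate_script(action, domain, validation))
    # certbot runs the hook once per name; wait for propagation only after the last one.
    if action == "add" and os.environ.get("CERTBOT_REMAINING_CHALLENGES", "0") == "0":
        time.sleep(PROPAGATION_DELAY)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in with certbot certonly --manual --preferred-challenges dns-01 --manual-auth-hook '/usr/local/bin/acme-dns-hook.py add' --manual-cleanup-hook '/usr/local/bin/acme-dns-hook.py delete' -d example.com -d '*.example.com', adding --deploy-hook 'systemctl reload dovecot' so Dovecot re-reads the renewed files under /etc/letsencrypt/live/ after each renewal. The TSIG key should be allowed only to update _acme-challenge names (an update-policy rule in BIND), so a compromise of the hook host cannot rewrite the rest of the zone.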
On 4/23/2022 6:45 PM, Richard Hector wrote:
> _A_ web server has to be there. It doesn't have to serve anything else useful. My mail server has a web server that only serves the LE challenge. Well, actually it's a proxy server that serves several other domains too, but there's nothing else served on that domain (at the moment).
I didn't want to mess with creating a web infrastructure for the usual web-based validation that is common with LE. Getting that working for my services would be very messy. So I use DNS validation with LetsEncrypt, and I have wildcards in my cert. You can see the cert at this location:
https://http3test.elyograg.org/
Reload the page to see if your browser can do http/3 -- the initial connection will usually be http/2.
Certbot has plugins for many common DNS providers that let it automatically add the validation records to your DNS. I use a DNS provider which is not covered by the official plugins, but I found a third party hook script on github, so I have built scripts that accomplish completely automated certificate renewals with DNS validation. I run the renew script with cron every other day, and have it waiting until 5 days before expiration before it actually does the renewal. So I get a new cert about every 85 days, and it even installs the cert and restarts services on everything that needs it.
Thanks, Shawn
On 24.04.22 02:45, Richard Hector wrote:
> On 22/04/22 11:57, Joseph Tam wrote:
>> Keep in mind the subject name (CN or SAN AltNames) of your certificate must match your IMAP server name e.g. if your certificate is made for "www.mydomain.com", you'll have to configure your IMAP clients to also use "www.mydomain.com" as the IMAP server name.
>> This typically means the web and IMAP server must reside on the same server; otherwise you'll have to use the DNS challenge method to support multiple hostnames on the same certificate.
> _A_ web server has to be there. It doesn't have to serve anything else useful. My mail server has a web server that only serves the LE challenge. Well, actually it's a proxy server that serves several other domains too, but there's nothing else served on that domain (at the moment).
if it wasn't already mentioned in this thread:
acme.sh (https://github.com/acmesh-official/acme.sh) has a builtin standalone webserver which can be used in such cases, there's no need for an additional web server. And Certbot has this functionality too.
acme.sh is a very simple and stable solution - it's just a shell script, no dependencies. I'm using it on a number of servers (together with Apache/Nginx or with the builtin standalone mode on mail gateways) without any problem.
Regards, Markus
I'm using this dedicated address because personal addresses aren't masked well enough in this public mail archive. The public archive administrator should fix this against automated address collectors.
On 22/4/22 at 1:40, Jeremy Ardley wrote:
> On 22/4/22 7:25 am, alice@coakmail.com wrote:
>> hello
>> I have set up a website using letsencrypt for certificates. How can I set up IMAP to use these certs as well?
>> Thank you.
> Make entries in /etc/dovecot/conf.d/10-ssl.conf
> ssl = required
> ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
> ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
> in /etc/dovecot/dovecot.conf or in /etc/dovecot/conf.d/10-ssl.conf
> put
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
> ssl_prefer_server_ciphers = yes
> You can override the global ssl certificates for specific domains in /etc/dovecot/dovecot.conf
> local special.example.com {
>   protocol imap {
>     ssl_cert = </etc/letsencrypt/live/special.example.com/fullchain.pem
>     ssl_key = </etc/letsencrypt/live/special.example.com/privkey.pem
>   }
> }
- You should make sure the "dovecot" service account has read access to /etc/letsencrypt/live/special.example.com/privkey.pem, e.g. by adding the account to a common group with the LE files.
participants (10)
- alice@coakmail.com
- Benny Pedersen
- Jean-Daniel Dupas
- Jeremy Ardley
- Joseph Tam
- Markus Winkler
- Narcis Garcia
- Richard Hector
- Shawn Heisey
- ミユナ (alice)