how to setup IMAPs with letsencrypt

Jeremy Ardley jeremy at ardley.org
Fri Apr 22 00:24:03 UTC 2022


On 22/4/22 7:50 am, Jeremy Ardley wrote:
> On 22/4/22 7:44 am, alice at coakmail.com wrote:
>>> On 22/4/22 7:25 am, alice at coakmail.com wrote:
>>>
>> Thanks. I will give a try.
>> after enabling SSL, can I disable port 143 entirely?
>>
> Probably a bad idea. Many clients use STARTTLS on port 143 rather 
> than TLS on port 993
>
>

I forgot to mention that in /etc/dovecot/dovecot.conf you don't need to 
specify imaps.
Dovecot automatically listens on ports 993 and 143 when ssl is specified 
and applies the ssl directive as indicated.

#global

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>

ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

protocols = imap lmtp sieve

#specific domain override

local mail.example.com {
   protocol imap {

      ssl_cert = </etc/letsencrypt/live/special.example.com/fullchain.pem
      ssl_key = </etc/letsencrypt/live/special.example.com/privkey.pem
   }
}

It is possible to generate a wildcard letsencrypt certificate 
*.example.com but the process is tricky and has unexpected side-effects 
such as typo.example.com resolving to example.com in DNS.

-- 
Jeremy
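
An added example, not part of the original message: a small Python lint for the TLS settings shown in the config above, catching a mistyped key filename, a cert/key pair taken from two different certificates, and a weakened ssl or ssl_min_protocol value. It assumes Let's Encrypt's usual /etc/letsencrypt/live/NAME/ layout and parses only the subset of dovecot.conf syntax used here; parse, audit and SAMPLE are names made up for illustration.

```python
import re
# Constructed sample in the style of the config above; the global key path is cut short on purpose.
SAMPLE = """\
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pe
local mail.example.com {
   protocol imap {
      ssl_cert = </etc/letsencrypt/live/special.example.com/fullchain.pem
      ssl_key = </etc/letsencrypt/live/special.example.com/privkey.pem
   }
}
"""
LIVE = re.compile(r"^</etc/letsencrypt/live/([^/]+)/([^/]+)$")
EXPECTED = {"ssl_cert": "fullchain.pem", "ssl_key": "privkey.pem"}

def parse(text):
    """Map each scope ('global' or the nested block names) to its settings."""
    scopes, stack = {"global": {}}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            scopes.setdefault(" / ".join(stack) or "global", {})[key] = value
    return scopes

def audit(text):
    """Return a list of findings for the TLS settings in a dovecot.conf fragment."""
    scopes, findings = parse(text), []
    if scopes["global"].get("ssl") != "required":
        findings.append("global: ssl is not 'required'")
    if scopes["global"].get("ssl_min_protocol") in {"SSLv3", "TLSv1", "TLSv1.1"}:
        findings.append("global: ssl_min_protocol is below TLSv1.2")
    for scope, settings in scopes.items():
        lineages = set()  # certificate names (live/NAME) used by this scope
        for key in (k for k in EXPECTED if k in settings):
            match = LIVE.match(settings[key])
            if not match or match.group(2) != EXPECTED[key]:
                findings.append(f"{scope}: {key} does not point at </etc/letsencrypt/live/NAME/{EXPECTED[key]}")
                continue
            lineages.add(match.group(1))
        if len(lineages) > 1:
            findings.append(f"{scope}: ssl_cert and ssl_key come from different certificates")
    return findings
```

Calling audit() on the text of a real dovecot.conf returns an empty list when none of these checks fire.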
