Installing a Let's Encrypt certificate for your qmail and dovecot servers

March 21, 2018, Roberto Puzzanghera, 4 comments

Here is how to install and configure a valid certificate from Let's Encrypt for your qmail and dovecot servers. The installation will be done by certbot.

Certbot is part of EFF’s effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.

Installing certbot

It needs tons of prerequisites and a python >= 2.7, but there must be a package for your distribution that will do everything for you. Slackware users should refer to the slackbuild from SBO here (if you don't want to bother to manually install all the dependencies, sbotools is your friend).

Installing the certificate

The certificate is issued once you prove that you control the domain(s) it covers. To do that, certbot places an ACME challenge file in a directory of your choice and Let's Encrypt retrieves it via http. If the challenge is successful the certificate will be installed in /etc/letsencrypt.

Create the "webroot" dir where the ACME challenge will be stored:

mkdir -p /path/to/webroot

Now set up an apache virtual domain:

<VirtualHost *:80>
 ServerName yourdomain.tld

 DocumentRoot /path/to/webroot
 <Directory /path/to/webroot>
   Require all granted
 </Directory>
</VirtualHost>

Prepare a script to install your certs via certbot as /usr/local/bin/my-cert.sh:

#!/bin/sh
#
# Obtain (or force-renew) the certificate, then install it for qmail and dovecot.

CERTBOT=/usr/bin/certbot
DOMAIN=yourdomain.tld

$CERTBOT certonly \
 --webroot \
 --webroot-path /path/to/webroot \
 --preferred-challenges http-01 \
 -d ${DOMAIN} \
 --email youremail@${DOMAIN} \
 --renew-by-default \
 --agree-tos \
 --text || exit 1   # leave the running servers alone if certbot failed

# qmail cert: private key and full chain merged into a single file
if [ ! -d "/var/qmail/control/certs_backup" ]; then
 mkdir -p /var/qmail/control/certs_backup
fi
cp -p /var/qmail/control/*.pem /var/qmail/control/certs_backup/
cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > /var/qmail/control/servercert.pem
/usr/local/bin/qmailctl restart

# dovecot cert: dovecot reads the files from /etc/letsencrypt/live directly
# (you have to set the paths inside 10-ssl.conf accordingly), so a restart is enough
/usr/local/bin/dovecotctl restart

The first domain in the list will be used as the certificate's name. To better understand what certbot can do:

certbot --help all

Remember to set the x flag:

chmod +x /usr/local/bin/my-cert.sh

Then try to run it and hopefully you'll get the certificate with no errors.

Finally set up a cronjob that renews the cert once a month (the certificate remains valid for three months):

15 2 20 * * /usr/local/bin/my-cert.sh >> /var/log/cron

Configuring qmail and dovecot

As far as qmail is concerned the private key and the fullchain must be merged into a single file /var/qmail/control/servercert.pem.

Concerning dovecot, you just have to adjust your /usr/local/dovecot/etc/dovecot/conf.d/10-ssl.conf file as follows:

#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_key = </etc/ssl/private/dovecot.pem
ssl_cert = </etc/letsencrypt/live/yourdomain.tld/fullchain.pem
ssl_key = </etc/letsencrypt/live/yourdomain.tld/privkey.pem
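The script above and the merging step described in the previous section can be combined into a certbot deploy hook. The following is an added example, not code from the original post: it does the same job as my-cert.sh (key plus full chain merged for qmail, both daemons restarted), but it refuses to act on files that are not PEM, replaces servercert.pem atomically so qmail never reads a half-written file, and keeps the merged file (which contains the private key) readable by root only. The script name le-deploy.sh, the environment variable names and the control paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: a certbot deploy hook that
# merges key + chain for qmail and restarts the daemons, with sanity checks.
# Paths, script name and env var names are assumptions.
set -eu

DOMAIN="${DOMAIN:-yourdomain.tld}"
# certbot exports RENEWED_LINEAGE to --deploy-hook scripts; fall back to the
# usual live directory when the script is run by hand.
LIVE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/${DOMAIN}}"
QMAIL_CERT="${QMAIL_CERT:-/var/qmail/control/servercert.pem}"

# pem_has TYPE FILE: succeed if FILE contains a "-----BEGIN ... TYPE-----" line.
# The ".*" lets "PRIVATE KEY" also match "RSA PRIVATE KEY" / "EC PRIVATE KEY".
pem_has() {
    grep -q -- "-----BEGIN .*$1-----" "$2"
}

# install_qmail_cert KEY CHAIN OUT
# Write KEY followed by CHAIN to OUT (the single-file layout qmail expects).
# Fails without touching OUT if either input does not look like PEM.
install_qmail_cert() {
    key="$1"; chain="$2"; out="$3"
    pem_has "PRIVATE KEY" "$key"   || { echo "no private key block in $key" >&2; return 1; }
    pem_has "CERTIFICATE" "$chain" || { echo "no certificate block in $chain" >&2; return 1; }
    tmp="$out.tmp.$$"
    # umask in a subshell: the temp file is created 0600 and keeps that mode
    # after the rename, so the private key is never world-readable, even briefly.
    ( umask 077; cat "$key" "$chain" > "$tmp" )
    if [ -f "$out" ]; then
        cp -p "$out" "$out.$(date +%Y%m%d%H%M%S).bak"   # keep the previous cert
    fi
    mv -f "$tmp" "$out"   # rename is atomic: qmail sees the old file or the new one
    # If qmail-smtpd runs as an unprivileged user on your system, chown the file
    # to that user here (site-specific, so left as a comment).
}

# expires_within DAYS CERT: exit 0 if CERT's notAfter is less than DAYS away.
# Useful in a monitoring cron job; needs the openssl CLI.
expires_within() {
    ! openssl x509 -checkend "$(( $1 * 86400 ))" -noout -in "$2" >/dev/null
}

deploy() {
    install_qmail_cert "$LIVE/privkey.pem" "$LIVE/fullchain.pem" "$QMAIL_CERT"
    /usr/local/bin/qmailctl restart
    # dovecot reads fullchain.pem/privkey.pem straight from $LIVE (10-ssl.conf),
    # so it only needs a restart to pick up the renewed files.
    /usr/local/bin/dovecotctl restart
}

# Only act when explicitly asked, so the functions can be sourced or tested:
#   certbot renew --deploy-hook "/usr/local/bin/le-deploy.sh --deploy"
# certbot runs the hook only after a certificate was actually renewed, so a
# frequent "certbot renew" cron job does not restart the daemons every time.
case "${1:-}" in
    --deploy) deploy ;;
esac
```

With this hook in place the cron line can simply call certbot renew; the daemons are restarted only when a new certificate really landed. After a deploy it is worth checking what the servers actually present, for example with openssl s_client against port 993 and, with -starttls smtp, against port 25: the chain shown should end at the Let's Encrypt intermediate and the notAfter date should be the new one.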

Comments

Let's Encrypt

Roberto,

Isn't 'DOMAIN=smtp.yourdomain.tld' in the above script (/usr/local/bin/my-cert.sh) supposed to be 'DOMAIN=yourdomain.tld'?

Eric

Let's Encrypt

Hi Eric,

It is the domain name that you use to connect to your server. In my example I'm imagining that there are different servers for smtp, imap and so on.

Reason 3 aliases needed

Hi! Useful post about using the LE certificate for qmail.

I was wondering: is there a specific reason you stated the aliases: smtp, pop3, imap?

IMHO, if it is 1 host, could you not (better) use 1 alias, for example mail.mydomain.mynet ?

regards, Bart

Reason 3 aliases needed

Hi! Because I'm not excluding that the three could live in three separated (virtual) servers.
