Installing a Let's Encrypt certificate for your qmail and dovecot servers

March 21, 2018, Roberto Puzzanghera, 14 comments


Here is how to install and configure a valid certificate from Let's Encrypt for your qmail and dovecot servers. The installation will be done with certbot.

Certbot is part of EFF’s effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.

Installing certbot

It has a lot of prerequisites and needs python >= 2.7, but there should be a package for your distribution that takes care of everything for you. Slackware users should refer to the slackbuild on SlackBuilds.org (SBO); if you don't want to bother installing all the dependencies by hand, sbotools is your friend.

Installing the certificate

The certificate will be issued once you prove control over the matching domain(s). For that, certbot places an ACME challenge file in a directory of your choice (the "webroot") and the CA retrieves it over http. If the challenge is successful the certificate and its private key will be stored under /etc/letsencrypt.

Create the "webroot" dir where the ACME challenge will be stored:

mkdir -p /path/to/webroot

Now set up an apache virtual host on port 80 (the http-01 challenge is always fetched over plain http) that serves that directory:

<VirtualHost *:80>
 ServerName yourdomain.tld

 DocumentRoot /path/to/webroot
 <Directory /path/to/webroot>
   Require all granted
 </Directory>
</VirtualHost>

Prepare a script that fetches your certs via certbot and deploys them, as /usr/local/bin/my-cert.sh:

#!/bin/sh
#
# Fetch/renew the certificate with certbot, then deploy it to qmail and dovecot.

CERTBOT=/usr/bin/certbot
DOMAIN=yourdomain.tld
WEBROOT=/path/to/webroot
QMAILCONTROL=/var/qmail/control

$CERTBOT certonly \
 --webroot \
 --webroot-path ${WEBROOT} \
 --preferred-challenges http-01 \
 -d ${DOMAIN} \
 --email youremail@${DOMAIN} \
 --renew-by-default \
 --agree-tos \
 --text || { echo "certbot failed, keeping the current certificates" >&2; exit 1; }

# qmail cert: the TLS patch wants the private key and the full chain in one file
if [ ! -d "${QMAILCONTROL}/certs_backup" ]; then
 mkdir -p ${QMAILCONTROL}/certs_backup
fi
cp -p ${QMAILCONTROL}/*.pem ${QMAILCONTROL}/certs_backup/
cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > ${QMAILCONTROL}/servercert.pem
# the file contains the private key: don't leave it world-readable. It must be
# readable by the user qmail-smtpd runs as (qmaild:qmail in a standard qmail-tls install)
chown qmaild:qmail ${QMAILCONTROL}/servercert.pem
chmod 640 ${QMAILCONTROL}/servercert.pem
/usr/local/bin/qmailctl restart

# dovecot cert: dovecot reads key and chain directly from /etc/letsencrypt
# (you have to set the paths inside 10-ssl.conf accordingly), so a restart is enough
/usr/local/bin/dovecotctl restart

If you pass several -d options, the first domain in the list will be used as the certificate's name, i.e. the directory under /etc/letsencrypt/live/. To better understand what certbot can do:

certbot --help all

Remember to set the x flag:

chmod +x /usr/local/bin/my-cert.sh

Then run it once by hand and check that you get the certificate with no errors before relying on it from cron.

Finally set up a cronjob that renews the cert once a month (a Let's Encrypt certificate remains valid for 90 days, so a monthly forced renewal keeps it well within its lifetime):

15 2 20 * * /usr/local/bin/my-cert.sh >> /var/log/cron 2>&1

Configuring qmail and dovecot

As far as qmail is concerned, the private key and the full chain must be merged into a single file, /var/qmail/control/servercert.pem. This is done by the above script itself.

Concerning dovecot, nothing has to be copied: it reads the key and the chain straight from /etc/letsencrypt, so you just have to adjust your /usr/local/dovecot/etc/dovecot/conf.d/10-ssl.conf file as follows (the leading < tells dovecot to read the value from the file):

#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_key = </etc/ssl/private/dovecot.pem
ssl_cert = </etc/letsencrypt/live/yourdomain.tld/fullchain.pem
ssl_key = </etc/letsencrypt/live/yourdomain.tld/privkey.pem
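Two checks worth wrapping around a deployment like the one my-cert.sh does, as an added example that is not part of the original post nor of certbot, qmail or dovecot: refuse to build servercert.pem from a key and chain that don't belong together or from a certificate that is about to expire, write the merged file with a restrictive mode and replace the old one atomically, and afterwards ask the running daemons which certificate they actually present over STARTTLS. It assumes only the openssl command-line tool; every path and hostname is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is
# installed; all file names and hosts below are placeholders.

# Build the merged qmail file from a private key and a fullchain.pem.
# Usage: build_qmail_cert privkey.pem fullchain.pem servercert.pem
# Returns non-zero (and leaves the destination untouched) on any problem.
build_qmail_cert() {
    key="$1"; chain="$2"; out="$3"

    # The leaf is the first certificate in fullchain.pem ("openssl x509" reads
    # only the first block). Its public key must match the private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$chain" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ] || { echo "key does not match certificate" >&2; return 1; }

    # Refuse a leaf that expires within 7 days: renewal evidently did not happen.
    openssl x509 -in "$chain" -noout -checkend 604800 >/dev/null || {
        echo "certificate expires within 7 days" >&2; return 1; }

    # Create the file with mode 600 from the first byte, then chmod 640 and
    # rename over the old one so qmail-smtpd never reads a half-written file.
    # (chown to the user qmail-smtpd runs as is left to the caller, it needs root.)
    tmp="${out}.tmp.$$"
    ( umask 077 && cat "$key" "$chain" > "$tmp" ) || return 1
    chmod 640 "$tmp" && mv -f "$tmp" "$out"
}

# Count PEM blocks of a given type ("PRIVATE KEY" or "CERTIFICATE") in a file.
# A healthy servercert.pem has exactly one key and at least two certificates.
count_blocks() {
    grep -c "^-----BEGIN .*$2-----" "$1"
}

# Octal mode of a file, GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Ask a running server which certificate it really presents via STARTTLS.
# Usage: show_live_cert mail.example.tld 25 smtp   (or 143 imap, 110 pop3)
# Needs network access; not exercised by the offline checks.
show_live_cert() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -starttls "$3" \
        -servername "$1" 2>/dev/null | openssl x509 -noout -subject -issuer -enddate
}
```

Run build_qmail_cert in place of the bare cat in the deployment script and only restart qmail when it succeeds; show_live_cert against ports 25, 143 and 110 after the restart confirms that both daemons picked up the new chain (the issuer should be the Let's Encrypt intermediate, and the enddate about 90 days ahead).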

Comments

Certbot Error....

I'm trying to use certbot. I installed all dependencies. But an error occurs with zope.interface.

Traceback (most recent call last):
  File "/usr/bin/certbot", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 2927, in <module>
    @_call_aside
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 2913, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 2940, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 635, in _build_master
    ws.require(__requires__)
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 943, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 829, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'zope.interface' distribution was not found and is required by certbot

Can you help me?

Reply | Permalink

Certbot Error....

It seems like zope.interface is not installed... try "pip install zope.interface".

Reply | Permalink

Hi, I've got an Apache & qmail (netqmail-1.06) server on 1 IP, 7 domain names managed by SNI, and I have been using letsencrypt for https for a while.

I would like to set up qmail with certificate from Let's Encrypt

I hope you could help me to configure it, as you seem to be the qmail master.

About qmail, using netqmail-1.06 do I have to patch anything as netqmail-1.06-tls+auth-20151215_20160609.patch or large-dns-response.patch?

As I already have 1 cert per domain for Apache, could I reuse it for qmail?

In this case, should I copy the .pem files into /control/ as:

/var/qmail/control/domain1.com.pem
/var/qmail/control/domain2.com.pem
/var/qmail/control/domain3.com.pem

Otherwise, how could I specify each .pem file for each Domain?

Best

Reply | Permalink

Hi, no patch is needed for qmail. You can use one single cert for all your domains, provided you create your cert with

-d domain1.tld -d domain2.tld -d domain3.tld etc.

Be aware that the new letsencrypt provides wildcards to allow subdomains, but a TXT record in your DNS is required.

And no, you can't use your apache's cert, as far as I know.

Reply | Permalink

Thanks a lot Roberto for you answer.

Well noted about the TXT record.

I guess it must be something as:

acme-challenge.mydomain1.com. IN TXT "yB_EQ-w[…]E"
acme-challenge.www.mydomain1.com. IN TXT "yB_EQ-w[…]E"

About the cert, if I understood what you said correctly:

I have to create a new certificate only for qmail, with the -d parameter listing all domains.

Reply | Permalink

Yes to both questions

Reply | Permalink

Thanks

Sorry to insist, but if qmail doesn't need any patch to run TLS,

what is netqmail-1.06-tls+auth-20151215_20160609.patch used for?

Reply | Permalink

Sorry, I thought at first reading that you were asking if modifications were needed to that patch. Of course you need qmail to be patched for TLS, so the only patch that makes sense if you want to test Let's Encrypt certificates is qmail-tls.

Reply | Permalink

Hi Roberto.

No problem, that's my fault.

As I'm french and english isn't my mother tongue I guess my question wasn't clear.

So to get tls on my qmail, I need to patch netqmail with:

Qmail-tls

http://inoa.net/qmail-tls/netqmail-1.06-tls-20160918.patch

or

your patch including smtp-auth + qmail-tls + forcetls

https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06_auth_tls_force-tls.patch-latest

or your combined patch

https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06.patch-latest.gz

Is that right?

Reply | Permalink

Yes, of course one reason to use TLS is securing the auth; that's the reason why I made a package with the auth and TLS patches together. My big patch includes both.

Reply | Permalink

Let's Encrypt

Roberto,

Isn't 'DOMAIN=smtp.yourdomain.tld' in the above script (/usr/local/bin/my-cert.sh) supposed to be 'DOMAIN=yourdomain.tld'?

Eric

Reply | Permalink

Let's Encrypt

Hi Eric,

It is the domain name that you use to connect to your server. In my example I'm imagining that there are different servers for smtp, imap and so on.

Reply | Permalink

Reason 3 aliases needed

Hi! Useful post about using the LE certificate for qmail.

I was wondering: is there a specific reason you stated the aliases smtp, pop3, imap?

IMHO, if it is 1 host, could you not (better) use 1 alias, for example mail.mydomain.mynet ?

regards, Bart

Reply | Permalink

Reason 3 aliases needed

Hi! Because I'm not excluding that the three could live on three separate (virtual) servers.

Reply | Permalink