May 18, 2023 Roberto Puzzanghera 20 comments
Here is how to install and configure a valid certificate from Let's Encrypt for your qmail and dovecot servers. The installation will be done by certbot.
Certbot is part of EFF’s effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.
Add --key-type rsa to the certbot command, so that certbot does not silently default to ECDSA for the private key, which my openssl-1.1 setup could not load. This way the private key will be in RSA format. More info here.

certbot
certbot needs tons of prerequisites and python v. 3, but there should be a package for your distribution that does everything for you. Slackware users should refer to the slackbuild from SBo here (if you don't want to bother installing all the dependencies manually, sbotools is your friend).
The certificate is issued once you prove to be the owner of the requested domain(s). To do that, certbot installs an ACME challenge file in a directory of your choice, and the Let's Encrypt validation servers retrieve it via http. If the challenge is successful, the certificate will be installed under /etc/letsencrypt.
Create the "webroot" dir where the ACME challenge will be stored:
mkdir -p /path/to/webroot
Now set up an apache virtual host. In this example yourdomain.tld is the domain where you are going to do both the smtp and the imap/pop3 connections. Port 80 of yourdomain.tld must be reachable from the Internet, because the http-01 challenge is fetched by the Let's Encrypt validation servers:

<VirtualHost *:80>
    ServerName yourdomain.tld
    DocumentRoot /path/to/webroot
    <Directory /path/to/webroot>
        Require all granted
    </Directory>
</VirtualHost>
Prepare a script to install your certs via certbot as /usr/local/bin/my_certbot.sh:

#!/bin/sh
#
CERTBOT=/usr/bin/certbot
DOMAIN=yourdomain.tld

# --renew-by-default forces a renewal at every run, which is fine for a
# monthly cronjob
$CERTBOT certonly \
  --webroot \
  --webroot-path /path/to/webroot \
  --preferred-challenges http-01 \
  --key-type rsa \
  -d ${DOMAIN} \
  --email youremail@${DOMAIN} \
  --renew-by-default \
  --agree-tos \
  --text

# qmail cert: keep a copy of the previous control/*.pem, then merge the
# private key and the full chain (in this order) into servercert.pem.
# From here on new files are created without group/other permissions, so
# the private key is never world-readable, not even before the chmod below.
umask 077
if [ ! -d "/var/qmail/control/certs_backup" ]; then
  mkdir -p /var/qmail/control/certs_backup
fi
cp -p /var/qmail/control/*.pem /var/qmail/control/certs_backup/
cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > /var/qmail/control/servercert.pem
chown vpopmail:vchkpw /var/qmail/control/*.pem
chmod o-r /var/qmail/control/*.pem
/usr/local/bin/qmailctl restart

# dovecot cert (you have to set the path inside 10-ssl.conf accordingly)
/usr/local/bin/dovecotctl restart
yourdomain.tld will be used as the certificate's name (the directory under /etc/letsencrypt/live). To better understand what certbot can do:
certbot --help all
Remember to set the x flag:
chmod +x /usr/local/bin/my_certbot.sh
Now try to run it and hopefully you'll get the certificate with no errors.
Finally set up a cronjob that renews the cert once a month (a Let's Encrypt certificate remains valid for three months):
15 2 20 * * /usr/local/bin/my_certbot.sh >> /var/log/cron
Remember to disable the old update_tmprsadh crontab line.
qmail and dovecot

As far as qmail is concerned, the private key and the full chain must be merged, in this order, into a single file /var/qmail/control/servercert.pem, readable by the user running qmail-smtpd but not by "other". This is done by the above script itself.
Concerning dovecot, you just have to adjust your /usr/local/dovecot/etc/dovecot/conf.d/10-ssl.conf file as follows. dovecot reads these files as root while loading its configuration, so privkey.pem can stay readable by root only:

#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_key = </etc/ssl/private/dovecot.pem
ssl_cert = </etc/letsencrypt/live/yourdomain.tld/fullchain.pem
ssl_key = </etc/letsencrypt/live/yourdomain.tld/privkey.pem
Restart qmail and dovecot to enable the new certificate.
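The merge step above is the one that silently breaks qmail's TLS when it goes wrong (key after the chain, intermediate missing, ECDSA key, or a world-readable servercert.pem), so here is an added example, not code from the original post, that builds the merged file the way the script does and checks it before you restart qmail. It uses only coreutils; the optional key/cert match test runs only if openssl is installed. The paths and the PEM bodies in demo() are constructed for the example and are not real keys or certificates.

```shell
#!/bin/sh
# Added example (not part of the original post): build and sanity-check the
# merged key+chain file that qmail-tls expects in control/servercert.pem.
# All file names below are assumptions; demo() uses constructed PEM data.

# merge_qmail_cert KEY FULLCHAIN OUT
# Order matters: private key first, then leaf certificate, then the
# intermediates from fullchain.pem. umask 077 makes a *new* OUT 0600;
# an existing OUT keeps its old mode, which check_qmail_cert will catch.
merge_qmail_cert() {
    key=$1 chain=$2 out=$3
    if [ ! -s "$key" ] || [ ! -s "$chain" ]; then
        echo "merge_qmail_cert: missing or empty input file" >&2
        return 1
    fi
    ( umask 077 && cat "$key" "$chain" > "$out" ) || return 1
}

# check_qmail_cert FILE
# Returns 0 only if FILE starts with a private-key block, has at least one
# CERTIFICATE block after it and is not readable by "other".
# Note: a PKCS#8 ECDSA key also reads "BEGIN PRIVATE KEY", so the EC check
# below only catches the traditional "BEGIN EC PRIVATE KEY" header;
# use key_matches_cert with openssl when in doubt.
check_qmail_cert() {
    f=$1
    first=$(head -n 1 "$f" 2>/dev/null || :)
    case "$first" in
        *"BEGIN EC PRIVATE KEY"*)
            echo "$f: ECDSA key; this setup expects --key-type rsa" >&2
            return 1 ;;
        *"BEGIN "*"PRIVATE KEY"*) ;;
        *)
            echo "$f: first PEM block must be the private key, got: ${first:-(empty)}" >&2
            return 1 ;;
    esac
    ncert=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || :)
    if [ "${ncert:-0}" -lt 1 ]; then
        echo "$f: no certificate block after the key" >&2
        return 1
    fi
    if [ "$ncert" -lt 2 ]; then
        # server starts fine, but clients cannot build the chain
        echo "$f: warning: only one certificate, intermediate missing?" >&2
    fi
    # 8th column of "ls -l" is the read bit for "other" (-rw-r--r-- -> r)
    other_r=$(ls -l "$f" | cut -c8)
    if [ "$other_r" = "r" ]; then
        echo "$f: world-readable; run chmod o-r" >&2
        return 1
    fi
    return 0
}

# key_matches_cert KEY CERT
# Optional: confirm the key belongs to the leaf certificate by comparing the
# public keys. Returns 2 when openssl is not installed, so a caller can
# tell "skipped" from "mismatch".
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# demo: exercise the helpers on constructed, non-functional PEM data
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQgU0FNUExFIEtFWQ==' \
        '-----END RSA PRIVATE KEY-----' > "$d/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' \
        '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRF' \
        '-----END CERTIFICATE-----' > "$d/fullchain.pem"
    merge_qmail_cert "$d/privkey.pem" "$d/fullchain.pem" "$d/servercert.pem" &&
        check_qmail_cert "$d/servercert.pem" && echo "servercert.pem OK"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

On a real host, call merge_qmail_cert with the files under /etc/letsencrypt/live/yourdomain.tld/ and /var/qmail/control/servercert.pem, and only run qmailctl restart when check_qmail_cert (and, if openssl is there, key_matches_cert) return 0; a failed check leaves the backup in certs_backup untouched.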
Comments
multiple domain certificates
Ivelin Topalov July 21, 2021 23:13
I have a few domains on the same machine served by qmail.
The script for the letsencrypt 1-domain cert for qmail combines the private key and fullchain in servercert.
As I have a few, how do I make 1 servercert for all domains? Just cat them one after another, like key1 chain1 key2 chain2 ...?
Reply | Permalink
multiple domain certificates
Roberto Puzzanghera Ivelin Topalov July 22, 2021 07:31
I'm not sure that merging the domains' certificates will work.
I suggest creating a cumulative certificate (which is valid for all your domains) like this
this will work for sure
Reply | Permalink
update_tmprsadh - Temporary certificates
Marco Varanda June 1, 2021 22:05
Hello Roberto,
Your site is great !
When I was setting up my server, I used update_tmprsadh (crontab) and its PEM, but when I created the Let's Encrypt REAL certificate, I changed dovecot, site (apache, webmail)... everything is OK. (I prefer DNS Challenge - djbdns)
But.... crontab and update_tmprsadh continue running.
Maybe you can include in this page, after you succeed with Certbot (Let's Encrypt), to disable the crontab line and delete the files (correcting dovecot /etc/dovecot/conf.d/10-ssl.conf), restart, etc.
Thanks again
Varanda
Reply | Permalink
update_tmprsadh - Temporary certificates
Roberto Puzzanghera Marco Varanda June 2, 2021 10:08
Thanks for the hint.. I'll do it as soon as possible
Reply | Permalink
cosmetic error
Marco Varanda April 23, 2020 01:52
Crontab script refers to my_certbot.sh
but we created my_cert.sh script
Reply | Permalink
cosmetic error
Roberto Puzzanghera Marco Varanda April 23, 2020 08:43
Corrected. Thank you
Reply | Permalink
Certbot Error....
Elcio Bortolin October 19, 2018 14:44
I'm trying to use certbot. I installed all dependencies. But an error occurs with zope.interface.
Can you help me?
Reply | Permalink
Certbot Error....
Roberto Puzzanghera Elcio Bortolin October 19, 2018 19:03
it seems like zope.interface is not installed... try "pip install zope.interface"
Reply | Permalink
sacha August 30, 2018 18:59
Hi, I have an Apache & qmail (netqmail-1.06) server on 1 IP, with 7 domain names managed by SNI, and I have been using letsencrypt for https for a while.
I would like to set up qmail with a certificate from Let's Encrypt.
I hope you could help me configure it, as you seem to be the qmail master.
About qmail, using netqmail-1.06, do I have to patch anything, such as netqmail-1.06-tls+auth-20151215_20160609.patch or large-dns-response.patch?
As I already have 1 cert per domain for Apache, could I reuse it for qmail?
In this case, should I copy the .pem file in /control/ as:
Otherwise, how could I specify each .pem file for each domain?
Best
Reply | Permalink
Roberto Puzzanghera sacha August 30, 2018 19:19
Hi, no patch is needed for qmail. You can use one single cert for all your domains, provided you create your cert with
Be aware that the new letsencrypt provides wildcards to allow subdomains, but a TXT record in your DNS is required.
And no, you can't use your apache's cert, as far as I know.
Reply | Permalink
sacha Roberto Puzzanghera August 30, 2018 20:53
Thanks a lot Roberto for you answer.
Well noted about the TXT record.
I guess it must be something as:
acme-challenge.mydomain1.com. IN TXT "yB_EQ-w[…]E"
acme-challenge.www.mydomain1.com. IN TXT "yB_EQ-w[…]E"
About the cert, if I understood what you said,
I have to create a new certificate only for qmail, with the -d parameter for all domains.
Reply | Permalink
Roberto Puzzanghera sacha August 30, 2018 21:31
Yes to both questions
Reply | Permalink
sacha Roberto Puzzanghera August 31, 2018 07:35
Thanks
Sorry to insist, but if qmail doesn't need any patch to run tls,
what is netqmail-1.06-tls+auth-20151215_20160609.patch used for?
Reply | Permalink
Roberto Puzzanghera sacha August 31, 2018 15:35
Sorry, I thought at first reading that you were asking if modifications were needed to that patch. Of course you need qmail to be patched for tls, so the only patch that makes sense if you want to test letsencrypt certificates is qmail-tls.
Reply | Permalink
sacha Roberto Puzzanghera September 1, 2018 14:50
Hi roberto.
No problem, that's my fault.
As I'm french and english isn't my mother tongue I guess my question wasn't clear.
So to get tls on my qmail, I need to patch netqmail with:
Qmail-tls
http://inoa.net/qmail-tls/netqmail-1.06-tls-20160918.patch
or
your patch including smtp-auth + qmail-tls + forcetls
https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06_auth_tls_force-tls.patch-latest
or you combined patch
https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06.patch-latest.gz
Is that right?
Reply | Permalink
Roberto Puzzanghera sacha September 1, 2018 15:20
yes, of course one reason to use TLS is securing the auth, that's the reason why I made a package with auth and tls patches together. My big patch includes both.
Reply | Permalink
Let's Encrypt
Eric June 18, 2018 17:58
Roberto,
Isn't 'DOMAIN=smtp.yourdomain.tld' in the above script (/usr/local/bin/my-cert.sh) supposed to be 'DOMAIN=yourdomain.tld'
Eric
Reply | Permalink
Let's Encrypt
Roberto Puzzanghera Eric June 18, 2018 21:46
Hi Eric,
it is the domain name that you use to connect to your server... in my example I'm imagining that there are different servers for smtp, imap and so on
Reply | Permalink
Reason 3 aliases needed
Bart Koppers March 25, 2018 13:22
Hi! Useful post about using the LE certificate for qmail.
I was wondering: is there a specific reason you stated the aliases: smtp, pop3, imap?
IMHO, if it is 1 host, could you not (better) use 1 alias, for example mail.mydomain.mynet ?
regards, Bart
Reply | Permalink
Reason 3 aliases needed
Roberto Puzzanghera Bart Koppers March 25, 2018 13:33
Hi! Because I'm not excluding that the three could live in three separated (virtual) servers
Reply | Permalink