Installing a Let's Encrypt certificate for your qmail and dovecot servers

May 18, 2023 Roberto Puzzanghera 20 comments

Here is how to install and configure a valid certificate from Let's Encrypt for your qmail and dovecot servers. The installation will be done by certbot.

Certbot is part of EFF’s effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.

Changelog

  • May 18, 2023
    added the option --key-type rsa to the certbot command, so that certbot does not silently default to an ECDSA private key, a format that my openssl-1.1 cannot read. In this way the private key will be in RSA format. More info here.

Installing certbot

It needs tons of prerequisites and Python 3, but there should be a package for your distribution that will do everything for you. Slackware users should refer to the slackbuild from SBO here (if you don't want to bother to manually install all the dependencies, sbotools is your friend).

Installing the certificate

The certificate will be issued once you prove to own the domain(s) it covers. To do so, certbot installs an ACME challenge in a directory of your choice, which is then retrieved via http. If the challenge is successful the certificate will be installed in /etc/letsencrypt.

Create the "webroot" dir where the ACME challenge will be stored:

mkdir -p /path/to/webroot

Now set up an apache virtual domain. In this example yourdomain.tld is the domain where you are going to do both the smtp and the imap/pop3 connection:

<VirtualHost *:80>
 ServerName yourdomain.tld

 DocumentRoot /path/to/webroot
 <Directory /path/to/webroot>
   Require all granted
 </Directory>
</VirtualHost>

Prepare a script to install your certs via certbot as /usr/local/bin/my_certbot.sh

#!/bin/sh
#
# Request (or renew) the Let's Encrypt certificate with certbot's webroot
# challenge, then install it for qmail and dovecot.

CERTBOT=/usr/bin/certbot
DOMAIN=yourdomain.tld

$CERTBOT certonly \
 --webroot \
 --webroot-path /path/to/webroot \
 --preferred-challenges http-01 \
 --key-type rsa \
 -d ${DOMAIN} \
 --email youremail@${DOMAIN} \
 --renew-by-default \
 --agree-tos \
 --text || exit 1   # if certbot failed, stop here and keep the current certs

# qmail cert: back up the current pem files, then merge the private key and
# the full chain into the single file qmail expects
if [ ! -d "/var/qmail/control/certs_backup" ]; then
 mkdir -p /var/qmail/control/certs_backup
fi
cp -p /var/qmail/control/*.pem /var/qmail/control/certs_backup/
cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > /var/qmail/control/servercert.pem
chown vpopmail:vchkpw /var/qmail/control/*.pem
chmod o-r /var/qmail/control/*.pem
/usr/local/bin/qmailctl restart

# dovecot cert: 10-ssl.conf points directly at the files in /etc/letsencrypt/live
# (you have to set the path inside 10-ssl.conf accordingly), so a restart is enough
/usr/local/bin/dovecotctl restart

yourdomain.tld will be used as the certificate's name. To better understand what certbot can do:

certbot --help all

Remember to set the x flag:

chmod +x /usr/local/bin/my_certbot.sh

Now try to run it and hopefully you'll get the certificate with no errors.

Finally set up a cronjob that renews the cert once a month (the certificate remains valid for three months):

15 2 20 * * /usr/local/bin/my_certbot.sh >> /var/log/cron

Remember to disable the old update_tmprsadh crontab line.

Configuring qmail and dovecot

As far as qmail is concerned the private key and the fullchain must be merged into a single file /var/qmail/control/servercert.pem. This is done by the above script itself.

Concerning dovecot, you just have to adjust your /usr/local/dovecot/etc/dovecot/conf.d/10-ssl.conf file as follows:

#ssl_cert = </etc/ssl/certs/dovecot.pem
#ssl_key = </etc/ssl/private/dovecot.pem
ssl_cert = </etc/letsencrypt/live/yourdomain.tld/fullchain.pem
ssl_key = </etc/letsencrypt/live/yourdomain.tld/privkey.pem

Restart qmail and dovecot to enable the new certificate.
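A quick check of the merged qmail file after the script and the cron job have run, as an added example that is not part of the original page or of the qmail/certbot projects. It assumes the servercert.pem path from the script above (another path can be passed as the first argument), needs the openssl command line tool, and verifies the points the page relies on: the key is RSA, key and certificate belong together, the certificate is not close to expiry, the file is not world-readable, and it lists the names the certificate covers.

```shell
#!/bin/sh
# check_qmail_cert.sh: sanity-check the merged servercert.pem that my_certbot.sh
# writes for qmail. Added example, not code from the page or from the
# qmail/certbot projects; the default path is an assumption; needs openssl.

check_cert() {
    pem=${1:-/var/qmail/control/servercert.pem}   # merged privkey + fullchain
    days=${2:-30}                                 # warn when fewer days remain
    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }
    status=0
    # 1. Key type: the openssl-1.1 build on the page only reads RSA keys, so
    #    catch a certbot run that silently produced an ECDSA key.
    if openssl rsa -in "$pem" -noout >/dev/null 2>&1; then
        echo "ok: private key is RSA"
    else
        echo "FAIL: private key is not RSA (rerun certbot with --key-type rsa)"
        status=1
    fi
    # 2. Key and first certificate must be a matching pair (a wrong DOMAIN or
    #    a stale copy from certs_backup would break this).
    keypub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    certpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    if [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]; then
        echo "ok: private key matches certificate"
    else
        echo "FAIL: private key does not match certificate"
        status=1
    fi
    # 3. Expiry: the monthly cron job should keep this well above $days days.
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "ok: certificate valid for more than $days days"
    else
        echo "FAIL: certificate expires within $days days (check the cron job)"
        status=1
    fi
    # 4. The file holds the private key: verify the script's chmod o-r held.
    if [ "$(ls -ld "$pem" | cut -c8)" = "-" ]; then
        echo "ok: $pem is not world-readable"
    else
        echo "FAIL: $pem is world-readable"
        status=1
    fi
    # 5. Names covered: every -d domain given to certbot should be listed.
    openssl x509 -in "$pem" -noout -text | grep -A1 'Subject Alternative Name' \
        || echo "note: no subjectAltName extension"
    return $status
}
```

Run it as `check_cert` with no arguments on the mail server, or give it the path of a file to inspect; a non-zero exit means at least one check failed.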

Comments

multiple domain certificates

I have a few domains on the same machine served by qmail

the script for a letsencrypt 1-domain cert for qmail combines the priv key and fullchain in servercert

as I have a few, how do I make 1 servercert for all domains? just cat them all one after another, like key1 chain1 key2 chain2 ...?

cat /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/letsencrypt/live/${DOMAIN}/fullchain.pem > /var/qmail/control/servercert.pem

Reply | Permalink

multiple domain certificates

I'm not sure that merging the domains' certificates will work.

I suggest creating a cumulative certificate (which is valid for all your domains) like this:

certbot certonly \
--webroot \
--webroot-path /path/to/webroot \
--preferred-challenges http-01 \
-d domain1 -d domain2 -d domain3 ....... \
--email youremail@yourdomain \
--renew-by-default \
--agree-tos \
--text

this will work for sure

Reply | Permalink

update_tmprsadh - Temporary certificates

Hello Roberto,

Your site is great !

When I was setting up my server, I used update_tmprsadh (crontab) and its PEM, but when I created the Let's Encrypt REAL certificate, I changed dovecot, site (apache, webmail)... everything is OK. (I prefer DNS Challenge - djbdns)

But .... Crontab and update_tmprsadh continue running.

Maybe you can include in this page, after you succeed with Certbot (Let's Encrypt): disable the crontab line, delete the files (correcting dovecot /etc/dovecot/conf.d/10-ssl.conf), restart, etc.

Thanks again

Varanda

Reply | Permalink

update_tmprsadh - Temporary certificates

Thanks for the hint.. I'll do it as soon as possible

Reply | Permalink

cosmetic error

Crontab script refers to my_certbot.sh

15 2 20 * * /usr/local/bin/my_certbot.sh

but we created my_cert.sh script

Reply | Permalink

cosmetic error

Corrected. Thank you

Reply | Permalink

Certbot Error....

I'm trying to use certbot. I installed all dependencies. But an error occurs with zope.interface.

Traceback (most recent call last):
  File "/usr/bin/certbot", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 2927, in <module>
    @_call_aside
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 2913, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 2940, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 635, in _build_master
    ws.require(__requires__)
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 943, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib64/python2.7/site-packages/pkg_resources/__init__.py", line 829, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'zope.interface' distribution was not found and is required by certbot

Can you help me?

Reply | Permalink

Certbot Error....

it seems like zope.interface is not installed... try "pip install zope.interface"

Reply | Permalink

Hi, I have an Apache & qmail (netqmail-1.06) server on 1 IP, with 7 domain names managed by SNI, and I have been using letsencrypt for https for a while.

I would like to set up qmail with certificate from Let's Encrypt

I hope you could help me to configure it, as you seem to be the qmail master.

About qmail, using netqmail-1.06 do I have to patch anything as netqmail-1.06-tls+auth-20151215_20160609.patch or large-dns-response.patch?

As I already have 1 cert per domain for Apache, could I reuse it for qmail?

In this case, should I copy the .pem files into /control/ as:

/var/qmail/control/domain1.com.pem
/var/qmail/control/domain2.com.pem
/var/qmail/control/domain3.com.pem

Otherwise, how could I specify each .pem file for each Domain?

Best

Reply | Permalink

Hi, no patch is needed for qmail. You can use one single cert for all your domain, provided you create your cert with

-d domain1.tld -d domain2.tld -d domain3.tld etc.

Be aware that the new letsencrypt provides wildcards to allow subdomains, but a TXT record in your DNS is required.

And no, you can't use your apache's cert, as far as I know.

Reply | Permalink

Thanks a lot Roberto for your answer.

Well noted about the TXT record.

I guess it must be something as:

acme-challenge.mydomain1.com. IN TXT "yB_EQ-w[…]E"
acme-challenge.www.mydomain1.com. IN TXT "yB_EQ-w[…]E"

About cert, if I understood what you said.

I have to create a new certificate only for Qmail, with -d parameter with all domain.

Reply | Permalink

Yes to both questions

Reply | Permalink

Thanks

Sorry to insist, but if qmail doesn't need any patch to run TLS, what is netqmail-1.06-tls+auth-20151215_20160609.patch used for?

Reply | Permalink

Sorry, I thought at first reading that you were asking whether modifications were needed to that patch. Of course you need qmail to be patched for TLS, so the only patch that makes sense if you want to test letsencrypt certificates is qmail-tls.

Reply | Permalink

Hi Roberto.

No problem, that's my fault.

As I'm French and English isn't my mother tongue, I guess my question wasn't clear.

So to get tls on my qmail, I need to patch netqmail with:

Qmail-tls

http://inoa.net/qmail-tls/netqmail-1.06-tls-20160918.patch

or

your patch including smtp-auth + qmail-tls + forcetls

https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06_auth_tls_force-tls.patch-latest

or your combined patch

https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06.patch-latest.gz

Is that right?

Reply | Permalink

Yes, of course: one reason to use TLS is securing the auth, which is why I made a package with the auth and tls patches together. My big patch includes both.

Reply | Permalink

Let's Encrypt

Roberto,

Isn't 'DOMAIN=smtp.yourdomain.tld' in the above script (/usr/local/bin/my-cert.sh) supposed to be 'DOMAIN=yourdomain.tld'?

Eric

Reply | Permalink

Let's Encrypt

Hi Eric,

It is the domain name that you use to connect to your server. In my example I'm imagining that there are different servers for smtp, imap and so on.

Reply | Permalink

Reason 3 aliases needed

Hi! Useful post about using the LE certificate for qmail.

I was wondering: is there a specific reason you stated the aliases: smtp, pop3, imap?

IMHO, if it is 1 host, could you not (better) use 1 alias, for example mail.mydomain.mynet ?

regards, Bart

Reply | Permalink

Reason 3 aliases needed

Hi! Because I'm not excluding that the three could live in three separated (virtual) servers

Reply | Permalink