On 2/17/2017 2:38 PM, chaouche yacine wrote:
> Seems wrong to me too, Robert. If you put your private key inside your
> certificate, won't it be sent to the client along with it?
The private key should not be sent to the connecting client, even if it is contained in the same place as the certificate(s). If that data *is* sent to the client, that's a bug, probably in the SSL library (usually openssl).

I am not using letsencrypt for my personal install, but my certificate provider does use one intermediate, just like letsencrypt does. I have the server certificate, the intermediate certificate, and the private key all in the same file, and my dovecot config contains these lines, both referring to that file:

ssl_cert_file = /etc/ssl/certs/local/imap.REDACTED.com.pem
ssl_key_file = /etc/ssl/certs/local/imap.REDACTED.com.pem

This file is owned by root and has 600 permissions. Because root permissions are required in order to bind to port numbers below 1024, dovecot typically will initially start as root, then drop permissions as required.

hostname:/etc/ssl/certs/local# ls -al imap.REDACTED.com.pem
-rw------- 1 root root 6266 Jan 6 20:47 imap.REDACTED.com.pem

Thanks,
Shawn
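A small check for the setup Shawn describes, added here as an example (not code from the thread or from dovecot): it parses a combined PEM file into its blocks, reports how many certificates and private keys it holds, confirms that what the server actually sent in the handshake (e.g. the output of `openssl s_client -showcerts`) contains no private-key block, and checks the 0600/root ownership from the listing. The PEM bodies below are constructed placeholders, not real key material.

```python
"""Audit a combined PEM file (server cert + intermediate + private key).
Added example for the thread above; the sample PEM bodies are fake."""
import os
import re
import stat

# One PEM block; group 1 is the label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)

# Constructed sample in the same layout as the file in the thread.
SERVER_CERT = "-----BEGIN CERTIFICATE-----\nMIIBfakeServerCert\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIBfakeIntermediate\n-----END CERTIFICATE-----\n"
PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakeKeyBody\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_COMBINED = SERVER_CERT + INTERMEDIATE + PRIVATE_KEY
# What a correct server sends in the handshake: the chain only, never the key.
SAMPLE_SERVED = SERVER_CERT + INTERMEDIATE


def pem_block_labels(text):
    """Labels of all PEM blocks in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def is_private_key_label(label):
    return label.endswith("PRIVATE KEY")


def audit_combined_file(text):
    """Count certificate and private-key blocks in a combined PEM file."""
    labels = pem_block_labels(text)
    return {
        "certificates": sum(1 for l in labels if l == "CERTIFICATE"),
        "private_keys": sum(1 for l in labels if is_private_key_label(l)),
    }


def key_leaked_in_handshake(served_text):
    """True if the server's handshake output contains a private-key block.
    For a correctly behaving TLS stack this must always be False."""
    return any(is_private_key_label(l) for l in pem_block_labels(served_text))


def perms_ok(mode, uid, owner_uid=0):
    """Owner-only (0600) and owned by root, matching the listing in the thread."""
    return stat.S_IMODE(mode) == 0o600 and uid == owner_uid


def check_file(path):
    """Apply perms_ok to a real file on disk."""
    st = os.stat(path)
    return perms_ok(st.st_mode, st.st_uid)


if __name__ == "__main__":
    print(audit_combined_file(SAMPLE_COMBINED))   # {'certificates': 2, 'private_keys': 1}
    print(key_leaked_in_handshake(SAMPLE_SERVED))  # False
```

To run it against a live server, feed `key_leaked_in_handshake` the text captured from `openssl s_client -connect host:993 -showcerts </dev/null` and pass the combined file's path to `check_file`.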