Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Jeremy Ardley


On 22/4/22 7:25 am, al...@coakmail.com wrote:

hello

I have setup website using letsencrypt for certification.
how can I setup IMAP to use this certs as well?

Thank you.


Make entries in /etc/dovecot/conf.d/10-ssl.conf

ssl = required

ssl_cert = 

You can override the global ssl certificates for specific domains in 
/etc/dovecot/dovecot.conf


local special.example.com {
  protocol imap {
    ssl_cert = 



Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread alice
>
> On 22/4/22 7:25 am, al...@coakmail.com wrote:
>> hello
>>
>> I have setup website using letsencrypt for certification.
>> how can I setup IMAP to use this certs as well?
>>
>> Thank you.
>>
> Make entries in /etc/dovecot/conf.d/10-ssl.conf
>
> ssl = required
>
> ssl_cert = 
> ssl_key = 
>
> in /etc/dovecot/dovecot.conf or in /etc/dovecot/conf.d/10-ssl.conf
>
> put
>
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
> ssl_prefer_server_ciphers = yes
>
> You can override the global ssl certificates for specific domains in
> /etc/dovecot/dovecot.conf
>


Thanks. I will give it a try.
After enabling SSL, can I disable port 143 entirely?




Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Benny Pedersen

On 2022-04-22 01:44, al...@coakmail.com wrote:


Thanks. I will give it a try.
After enabling SSL, can I disable port 143 entirely?


yes


Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Jeremy Ardley


On 22/4/22 7:44 am, al...@coakmail.com wrote:

On 22/4/22 7:25 am, al...@coakmail.com wrote:


Thanks. I will give it a try.
After enabling SSL, can I disable port 143 entirely?

Probably a bad idea. Many clients use STARTTLS on port 143 rather than 
TLS on port 993


--

Jeremy




Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Joseph Tam




I have setup website using letsencrypt for certification.
how can I setup IMAP to use this certs as well?


Make entries in /etc/dovecot/conf.d/10-ssl.conf

ssl = required

ssl_cert = 

Keep in mind the subject name (CN or SAN AltNames) of your certificate
must match your IMAP server name e.g. if your certificate is
made for "www.mydomain.com", you'll have to configure your IMAP
clients to also use "www.mydomain.com" as the IMAP server name.

This typically means the web and IMAP server must reside on the
same server, otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.

Joseph Tam 


Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Benny Pedersen

On 2022-04-22 01:50, Jeremy Ardley wrote:

On 22/4/22 7:44 am, al...@coakmail.com wrote:


On 22/4/22 7:25 am, al...@coakmail.com wrote:


Thanks. I will give it a try.
After enabling SSL, can I disable port 143 entirely?


Probably a bad idea. Many clients use STARTTLS on port 143 rather
than TLS on port 993


Keeping the footprint of servers minimal is not a bad idea


Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Jeremy Ardley


On 22/4/22 7:50 am, Jeremy Ardley wrote:

On 22/4/22 7:44 am, al...@coakmail.com wrote:

On 22/4/22 7:25 am,al...@coakmail.com  wrote:


Thanks. I will give it a try.
After enabling SSL, can I disable port 143 entirely?

Probably a bad idea. Many clients use STARTTLS on port 143 rather 
than TLS on port 993





I forgot to mention that in /etc/dovecot/dovecot.conf you don't need to 
specify imaps.
Dovecot automatically listens on port 993 and 143 when ssl is specified 
and applies the ssl directive as indicated.


#global

# SSL/TLS support: yes, no, required. 

ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
ssl_cert = 

It is possible to generate a wildcard letsencrypt certificate 
*.example.com but the process is tricky and has unexpected side-effects 
such as typo.example.com resolves to example.com in DNS


--
Jeremy





Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Jeremy Ardley


On 22/4/22 8:24 am, Jeremy Ardley wrote:


local mail.example.com {
  protocol imap {

 ssl_cert = 
My error. The correct example domain override stanza is

#specific domain override

local special.example.com {
  protocol imap {

 ssl_cert = 



Re: how to setup IMAPs with letsencrypt

2022-04-21 Thread Narcis Garcia

__
I'm using this dedicated address because personal addresses aren't 
masked enough at this mail public archive. Public archive administrator 
should fix this against automated addresses collectors.

El 22/4/22 a les 1:40, Jeremy Ardley ha escrit:


On 22/4/22 7:25 am, al...@coakmail.com wrote:

hello

I have setup website using letsencrypt for certification.
how can I setup IMAP to use this certs as well?

Thank you.


Make entries in /etc/dovecot/conf.d/10-ssl.conf

ssl = required

ssl_cert = 

You can override the global ssl certificates for specific domains in 
/etc/dovecot/dovecot.conf


local special.example.com {
   protocol imap {
     ssl_cert = 

+ You should make sure the "dovecot" service account has read access to 
/etc/letsencrypt/live/special.example.com/privkey.pem,

e.g. by adding the account to a common group with the LE files.
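The two points above (Jeremy's ssl_cert/ssl_key lines pointing at the Let's Encrypt lineage, and Narcis's note about who can read privkey.pem) come together at renewal time. The following is an added example, not code from the thread or from Dovecot/certbot: a certbot deploy hook that, before Dovecot picks up a renewed certificate, checks that fullchain.pem and privkey.pem actually belong together, that the certificate's subjectAltName covers the host name clients use for IMAP (Joseph's point about CN/SAN), optionally hands the lineage to a group, and then reloads Dovecot. It assumes 10-ssl.conf uses Dovecot's file-reading form, i.e. `ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem` and `ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem` (the leading `<` tells Dovecot to read the file), that the IMAP host name is mail.example.com, and that the group name is ssl-cert; all three are assumptions, not facts from the thread. certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks.

```shell
#!/bin/sh
# Added example, not from the thread: certbot --deploy-hook for Dovecot.
# Install as e.g. /etc/letsencrypt/renewal-hooks/deploy/dovecot.sh (assumed path).
# Assumed host name that IMAP clients connect to; override via the environment.
set -eu
IMAP_HOST="${IMAP_HOST:-mail.example.com}"

# 0 if the public key inside certificate $1 equals the public key derived
# from private key $2. Catches a mismatched cert/key pair before reload.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$cert_pub" = "$key_pub" ]
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_san_names() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# 0 if certificate $1 covers host name $2. A single wildcard label matches
# one label only: *.example.net covers imap.example.net, not example.net
# and not a.b.example.net. The CN is ignored, as modern clients do.
cert_covers_name() {
    want=$2
    want_parent=${want#*.}
    names=$(cert_san_names "$1")
    found=1
    while IFS= read -r san; do
        if [ "$san" = "$want" ]; then found=0; break; fi
        case "$san" in
            \*.*) if [ "${san#\*.}" = "$want_parent" ] && [ "$want_parent" != "$want" ]; then
                      found=0; break
                  fi ;;
        esac
    done <<EOF
$names
EOF
    return $found
}

# Optional. certbot keeps live/ and archive/ root-only (0700, key 0600).
# Dovecot's config process opens ssl_key as root when the configuration is
# loaded, so this is only needed when some non-root process must read the
# key. Then give the lineage to a group instead of making it world-readable.
grant_group_read() {   # $1 = live/<name> directory, $2 = group (assumed: ssl-cert)
    lineage=$1; group=$2
    archive=$(dirname "$(readlink -f "$lineage/privkey.pem")")
    for d in "$(dirname "$lineage")" "$(dirname "$archive")" "$lineage" "$archive"; do
        chgrp "$group" "$d"; chmod 750 "$d"
    done
    chgrp "$group" "$archive"/privkey*.pem; chmod 640 "$archive"/privkey*.pem
}

deploy() {   # $1 = live/<name> directory
    cert="$1/fullchain.pem"; key="$1/privkey.pem"
    cert_key_match "$cert" "$key" \
        || { echo "deploy-hook: $cert does not match $key" >&2; return 1; }
    cert_covers_name "$cert" "$IMAP_HOST" \
        || { echo "deploy-hook: $cert does not cover $IMAP_HOST" >&2; return 1; }
    if [ -n "${SSL_GROUP:-}" ]; then grant_group_read "$1" "$SSL_GROUP"; fi
    # Dovecot re-reads ssl_cert/ssl_key on reload; no restart needed.
    doveadm reload
}

# certbot runs the hook with RENEWED_LINEAGE set; nothing runs otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Run it once by hand with `RENEWED_LINEAGE=/etc/letsencrypt/live/mail.example.com sh dovecot.sh` after the first issuance; a failing name check here is the same mismatch clients would report as a certificate warning.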


Re: how to setup IMAPs with letsencrypt

2022-04-22 Thread Jean-Daniel Dupas


> Le 22 avr. 2022 à 01:50, Jeremy Ardley  a écrit :
> 
> 
> 
> On 22/4/22 7:44 am, al...@coakmail.com  wrote:
>>> On 22/4/22 7:25 am, al...@coakmail.com  wrote:
>>> 
>> Thanks. I will give it a try.
>> After enabling SSL, can I disable port 143 entirely?
>> 
> Probably a bad idea. Many clients use STARTTLS on port 143 rather than TLS 
> on port 993
> 

While it's true for SMTP, my experience is that IMAP clients prefer imaps in 
993 instead of STARTTLS. 

I have a server with only port 993 opened, and almost never had any issue with 
client configuration.



Re: how to setup IMAPs with letsencrypt

2022-04-22 Thread Shawn Heisey

On 4/22/22 02:20, Jean-Daniel Dupas wrote:
While it's true for SMTP, my experience is that IMAP clients prefer 
imaps in 993 instead of STARTTLS.


I have a server with only port 993 opened, and almost never had any 
issue with client configuration.


I have noticed the opposite.  Every time I have configured a new mail 
client (which is most often but not always Thunderbird), it defaults to 
143 with STARTTLS.  Port 993 is available too, but my mail clients have 
never used it unless I explicitly configure it.


My dovecot is configured with "disable_plaintext_auth = yes" so only 
source IPs that are local to the machine (so the traffic never goes out 
on any network) are allowed to login without TLS. My webmail uses 
localhost so it is configured to use port 143 without encryption.


I know a lot of people are going to clamor that such traffic should be 
encrypted because it could be sniffed ... but if somebody has enough 
access such that they could sniff my backend services, the security 
battle is already lost, and they would be able to get any in-flight 
passwords even if the connection is encrypted.


Thanks,
Shawn
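Whichever side of the 143-versus-993 question you land on, the property worth checking from outside is the one Shawn's `disable_plaintext_auth = yes` is meant to give you: on 143 a client sees STARTTLS and LOGINDISABLED, and no AUTH= mechanism, until it has negotiated TLS; and on both ports the certificate verifies with TLS 1.2 or newer. The script below is an added example, not from the thread; it takes the IMAP host name as its argument, assumes a netcat that accepts `-w` for the plaintext probe, and uses the system CA store for verification. The parsers are separate functions so they can be exercised on captured transcripts without a live server.

```shell
#!/bin/sh
# Added example, not from the thread: probe an IMAP host from outside and
# check what it offers before and after TLS.
set -eu

has_word() {    # $1 = token list, $2 = exact token
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}
has_prefix() {  # $1 = token list, $2 = token prefix, e.g. AUTH=
    case " $1 " in *" $2"*) return 0 ;; *) return 1 ;; esac
}

# 0 if a pre-STARTTLS greeting or CAPABILITY line (as Dovecot sends with
# disable_plaintext_auth = yes) offers STARTTLS, sets LOGINDISABLED and
# exposes no SASL mechanism in the clear. Brackets and CRs are stripped
# so "* OK [CAPABILITY ... LOGINDISABLED] Dovecot ready." parses too.
plaintext_caps_safe() {
    caps=$(printf '%s' "$1" | tr -d '\015' | sed 's/[][]//g')
    has_word "$caps" STARTTLS && has_word "$caps" LOGINDISABLED \
        && ! has_prefix "$caps" AUTH=
}

# 0 if an "openssl s_client" transcript shows a verified chain negotiated
# with TLS 1.2 or 1.3 (matching ssl_min_protocol = TLSv1.2 from the thread).
tls_transcript_ok() {
    t=$1
    code=$(printf '%s\n' "$t" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    proto=$(printf '%s\n' "$t" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | tail -n 1)
    [ "$code" = "0" ] || return 1
    case "$proto" in TLSv1.2|TLSv1.3) return 0 ;; *) return 1 ;; esac
}

# What a client sees on 143 before STARTTLS: the greeting plus CAPABILITY.
probe_plaintext_caps() {   # $1 = host
    printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' | nc -w 5 "$1" 143 | grep -i 'CAPABILITY'
}

# STARTTLS on 143, implicit TLS on 993; -servername sends SNI so any
# per-host local_name certificate override in Dovecot is exercised.
probe_tls() {   # $1 = host, $2 = port
    if [ "$2" = 143 ]; then starttls="-starttls imap"; else starttls=""; fi
    openssl s_client $starttls -connect "$1:$2" -servername "$1" </dev/null 2>&1
}

check_host() {   # $1 = host
    caps=$(probe_plaintext_caps "$1" || true)
    if plaintext_caps_safe "$caps"; then
        echo "143 plaintext: STARTTLS only, login disabled (ok)"
    else
        echo "143 plaintext: plaintext login or SASL offered: $caps"
    fi
    for port in 143 993; do
        if tls_transcript_ok "$(probe_tls "$1" "$port")"; then
            echo "$port: chain verified, TLS >= 1.2 (ok)"
        else
            echo "$port: verification or protocol problem (run probe_tls $1 $port)"
        fi
    done
}

if [ $# -ge 1 ]; then check_host "$1"; fi
```

Run it from a host outside your own network: Dovecot treats connections from localhost as already secure and will allow plaintext authentication there, which is exactly the behaviour Shawn relies on for his webmail, so a probe from the mail server itself would not tell you what remote clients see.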



Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Richard Hector

On 22/04/22 11:57, Joseph Tam wrote:

Keep in mind the subject name (CN or SAN AltNames) of your certificate
must match your IMAP server name e.g. if your certificate is
made for "www.mydomain.com", you'll have to configure your IMAP
clients to also use "www.mydomain.com" as the IMAP server name.

This typically means the web and IMAP server must reside on the
same server, otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


_A_ web server has to be there. It doesn't have to serve anything else 
useful. My mail server has a web server that only serves the LE 
challenge. Well, actually it's a proxy server that serves several other 
domains too, but there's nothing else served on that domain (at the moment).


Cheers,
Richard


Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread alice




Richard Hector wrote:

otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


Do you know how to implement this?

The original certificates were issued for the domain sample.com.
But can these certs be used for any.sample.com too?

Thanks


Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Jeremy Ardley


On 24/4/22 9:14 am, ミユナ (alice) wrote:



Richard Hector wrote:

otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


Do you know how to implement this?

The original certificates were issued for the domain sample.com.
But can these certs be used for any.sample.com too?


There is a procedure for wildcards but it's a little complex. It helps 
to have your own bind server.


For a start:

https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot

--
Jeremy





Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Jeremy Ardley


On 24/4/22 9:22 am, Jeremy Ardley wrote:


For a start:

https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot 



This may be more helpful 
https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7


--
Jeremy





Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread alice

Thank you Jeremy. I will check them out.

Jeremy Ardley wrote:
https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot 



This may be more helpful 
https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7 



Re: how to setup IMAPs with letsencrypt

2022-04-23 Thread Shawn Heisey

On 4/23/2022 6:45 PM, Richard Hector wrote:
_A_ web server has to be there. It doesn't have to serve anything else 
useful. My mail server has a web server that only serves the LE 
challenge. Well, actually it's a proxy server that serves several 
other domains too, but there's nothing else served on that domain (at 
the moment).


I didn't want to mess with creating a web infrastructure for the usual 
web-based validation that is common with LE.  Getting that working for 
my services would be very messy.  So I use DNS validation with 
LetsEncrypt, and I have wildcards in my cert.  You can see the cert at 
this location:


https://http3test.elyograg.org/

Reload the page to see if your browser can do http/3 -- the initial 
connection will usually be http/2.


Certbot has plugins for many common DNS providers that let it 
automatically add the validation records to your DNS.  I use a DNS 
provider which is not covered by the official plugins, but I found a 
third party hook script on github, so I have built scripts that 
accomplish completely automated certificate renewals with DNS 
validation.  I run the renew script with cron every other day, and have 
it waiting until 5 days before expiration before it actually does the 
renewal.  So I get a new cert about every 85 days, and it even installs 
the cert and restarts services on everything that needs it.


Thanks,
Shawn



Re: how to setup IMAPs with letsencrypt

2022-04-24 Thread Markus Winkler

On 24.04.22 02:45, Richard Hector wrote:

On 22/04/22 11:57, Joseph Tam wrote:

Keep in mind the subject name (CN or SAN AltNames) of your certificate
must match your IMAP server name e.g. if your certificate is
made for "www.mydomain.com", you'll have to configure your IMAP
clients to also use "www.mydomain.com" as the IMAP server name.

This typically means the web and IMAP server must reside on the
same server, otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


_A_ web server has to be there. It doesn't have to serve anything else 
useful. My mail server has a web server that only serves the LE challenge. 
Well, actually it's a proxy server that serves several other domains too, 
but there's nothing else served on that domain (at the moment).


if it wasn't already mentioned in this thread:

acme.sh (https://github.com/acmesh-official/acme.sh) has a builtin 
standalone webserver which can be used in such cases, there's no need for 
an additional web server. And Certbot has this functionality too.


acme.sh is a very simple and stable solution - it's just a shell script, no 
dependencies. I'm using it on a number of servers (together with 
Apache/Nginx or with the builtin standalone mode on mail gateways) without 
any problem.


Regards,
Markus


Re: how to setup IMAPs with letsencrypt

2022-04-25 Thread Richard Hector

On 24/04/22 13:14, ミユナ (alice) wrote:



Richard Hector wrote:

otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


Um, no I didn't. I replied to that. Please check your attributions :-)

Cheers,
Richard



Re: how to setup IMAPs with letsencrypt

2022-04-25 Thread Joseph Tam

On Sun, 24 Apr 2022, ミユナ (alice) wrote:


[Actually, I wrote]

otherwise you'll have to use DNS challenge method
to support multiple hostnames on the same certificate.


do you know how to implement this?


Others have pointed out resources, but at a very basic level, you'll need
a scriptable way to add TXT records for your domain. Plenty of ACMEbots
supply plugins for various cloud provider APIs, but if you're running
your own DNS server like I am, you may have to roll your own plugin.

If you don't have this level of control over your DNS zone, you'll have
to bodge it with the HTTP challenge and a stub web server.


the original certificates were issued for domain: sample.com.
But this certs can be used for any.sample.com too?


For wildcarded certs (valid for *.sample.com), your only recourse is
to use DNS challenges.

Joseph Tam
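Joseph's "scriptable way to add TXT records" and Jeremy's "it helps to have your own bind server" fit together as a pair of certbot manual hooks driving nsupdate. The script below is an added example, not from the thread or from certbot; it assumes you host the zone on a BIND server reachable as ns1.example.com, that a TSIG key allowed to update the zone is in /etc/letsencrypt/acme-tsig.key, and that the same file is installed as both hooks:

`certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/usr/local/sbin/acme-dns-hook add' --manual-cleanup-hook '/usr/local/sbin/acme-dns-hook del' -d example.com -d '*.example.com'`

certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks. The edge case alice's question raises is handled explicitly: requesting the bare domain and the wildcard together produces two validations for the same `_acme-challenge.example.com` name, so the hook adds and deletes individual TXT records rather than replacing the record set.

```shell
#!/bin/sh
# Added example, not from the thread: certbot DNS-01 auth/cleanup hook that
# publishes the validation token in your own BIND zone via nsupdate + TSIG.
set -eu
DNS_SERVER="${DNS_SERVER:-ns1.example.com}"               # assumed name server
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/acme-tsig.key}"    # assumed key file
TTL=60

# Build one nsupdate transaction. $1 = add|del, $2 = domain as certbot gives
# it, $3 = validation token. Printed rather than sent so it can be inspected
# (or tested) without a name server. A wildcard validates at its parent name,
# so a leading "*." is dropped. No "zone" line: nsupdate finds the zone from
# the SOA itself.
nsupdate_script() {
    action=$1; domain=$2; token=$3
    name="_acme-challenge.${domain#\*.}"
    case "$action" in
        add) op="update add $name $TTL IN TXT \"$token\"" ;;
        del) op="update delete $name IN TXT \"$token\"" ;;
        *)   echo "acme-dns-hook: unknown action '$action'" >&2; return 1 ;;
    esac
    printf 'server %s\n%s\nsend\n' "$DNS_SERVER" "$op"
}

# Block until the authoritative server answers with the new record, so certbot
# does not tell the CA to look before the update has been applied.
wait_for_txt() {   # $1 = record name, $2 = token, $3 = timeout in seconds
    deadline=$(( $(date +%s) + $3 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if dig +short @"$DNS_SERVER" TXT "$1" | grep -qF "\"$2\""; then
            return 0
        fi
        sleep 2
    done
    echo "acme-dns-hook: $1 did not appear within $3 s" >&2
    return 1
}

main() {   # $1 = add|del
    name="_acme-challenge.${CERTBOT_DOMAIN#\*.}"
    nsupdate_script "$1" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY"
    if [ "$1" = add ]; then
        wait_for_txt "$name" "$CERTBOT_VALIDATION" 120
    fi
}

# certbot sets CERTBOT_VALIDATION when it invokes the hook; nothing runs otherwise.
if [ -n "${CERTBOT_VALIDATION:-}" ]; then
    main "${1:-add}"
fi
```

Limit the TSIG key to that one name in named.conf (an `update-policy` granting the key `name _acme-challenge.example.com TXT`), so a compromise of the certificate host cannot rewrite anything else in the zone.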