I have a lot of customers that use Thunderbird, Outlook, iPhone, etc to access their mail.  All of these scream if the certificate is expired.

I'm not having any problems per se.  I use a three step process with LetsEncrypt, openssl, and keytool.  Everything functions fine.  LetsEncrypt has a command that you run as a cron job that will renew the certs automatically usually when they are 2 months into a 3-month expiration cycle.  It runs daily.  But it only triggers the cert renewals when it decides it's close enough to expiration.  I'm just worried about the cert auto-renewing, but in the process invalidating the keystore files I'm using for imap and smtp.  I agree that the process of running openssl and keytool is trivial.  But I just need to figure out a way to auto-run them as well if I discover that LetsEncrypt has auto-refreshed the certs and thereby invalidated the keystore.  The 'best' answer would be that the keystore will continue to work with a refreshed cert. But I guess I'll need to wait a couple of months until LetsEncrypt does its thing and I find out if everything dies.  Not a big deal.  Just trying to get ahead of the problem.

Thanks.

Jerry

On 5/12/2020 3:46 PM, David Matthews wrote:
David,

That's good info in the article.  But my question was does the
keytool-generated file expire as well when the underlying cert
(LetsEncrypt or self-signed cert) expires?  Or can I simply renew the
underlying cert without having to re-execute the keytool step each time
the cert auto-renews?

Short answer - I don't know.

But a couple of thoughts:

1) That keytool command completes as you snap your fingers; it's not an 
intensive thing.

2) LetsEncrypt for https, I totally get (and use it myself); you do not want 
people having to ignore browser warnings to see your web site. I don't see it 
as an issue with imaps though. Dovecot is another imap server and depending on 
which version/distro you use, for imaps it comes with a certificate or offers a 
script to create one.

Seems to me that using keytool is just the equivalent for James - I guess you 
could also use openssl, which dovecot uses. I just checked that and saw the 
cert expires after 365 days, so I've certainly run on an out of date cert at 
times even if I'm not doing it now. :-)

Do I care? No, my webmail program doesn't check the cert for validity - it runs 
on the same machine as dovecot so that is hardly a serious issue -  I just want 
the encryption. I'm pretty sure there's no problem with sylpheed either, 
although it's a good while since I used it. Maybe things like Thunderbird 
check cert validity? Not sure.

How many people are going to access their email on your server? It's not like a 
web page which is for the whole world.

--
David Matthews
m...@dmatthews.org
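The three-step process Jerry describes above (LetsEncrypt renews the PEM files, openssl bundles key and chain into PKCS#12, keytool imports it into the James keystore) can be tied to the renewal itself, which answers the worry about the keystore silently going stale. A Java keystore holds its own copy of the certificate, complete with the original expiry date, so renewing the PEM files does not touch it; the openssl and keytool steps have to be repeated after every renewal. certbot runs a `--deploy-hook` command only after a certificate has actually been renewed (not on the daily no-op runs) and exports `RENEWED_LINEAGE` pointing at the renewed `live/` directory. The script below is an added example for this thread, not code posted on the list or shipped with Apache James. The keystore path, alias, environment variable names, the `systemctl restart james` unit name and the modification-time check for staleness are all assumptions to adjust for the local installation.

```shell
#!/bin/sh
# Added example (not from the thread or from Apache James): a certbot deploy
# hook that rebuilds the James keystore only when certbot has really renewed
# the certificate. certbot runs deploy hooks solely after a successful renewal
# and sets RENEWED_LINEAGE to the renewed /etc/letsencrypt/live/<name> dir.
#
#   certbot renew --deploy-hook /usr/local/sbin/rebuild-james-keystore.sh
#
# Paths, alias, variable names and the service name are assumptions.
set -eu

KEYSTORE="${JAMES_KEYSTORE:-/opt/james/conf/keystore}"   # assumed James keystore path
ALIAS="${JAMES_ALIAS:-james}"                            # assumed key alias in that keystore
STOREPASS="${JAMES_STOREPASS:-}"                         # keystore password from the environment

# keystore_is_stale KEYSTORE CERT
# True (exit 0) when the keystore is missing or older than the PEM certificate,
# i.e. it still carries the previous, soon-to-expire certificate.
keystore_is_stale() {
    ks="$1"; cert="$2"
    [ ! -e "$ks" ] || [ "$cert" -nt "$ks" ]
}

# cert_fingerprint PEM
# SHA-256 fingerprint of the leaf certificate, used after the import to confirm
# that the keystore now holds the renewed certificate and not the old one.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# rebuild_keystore LINEAGE_DIR KEYSTORE ALIAS STOREPASS
# Steps 2 and 3 of the process in the thread: bundle key + chain into PKCS#12
# with openssl, then replace the alias in the Java keystore with keytool.
rebuild_keystore() {
    lineage="$1"; ks="$2"; alias="$3"; pass="$4"
    p12="$(mktemp)"
    trap 'rm -f "$p12"' EXIT

    openssl pkcs12 -export \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name "$alias" -out "$p12" -passout "pass:$pass"

    # Remove the old entry first; keytool refuses to overwrite an existing alias.
    if [ -e "$ks" ]; then
        keytool -delete -alias "$alias" -keystore "$ks" -storepass "$pass" 2>/dev/null || true
    fi
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" -srcalias "$alias" \
        -destkeystore "$ks" -deststorepass "$pass" -destalias "$alias"

    # Verify: the fingerprint keytool lists must match the renewed PEM certificate.
    want="$(cert_fingerprint "$lineage/fullchain.pem")"
    keytool -list -v -keystore "$ks" -storepass "$pass" -alias "$alias" | grep -q "$want"
}

main() {
    lineage="${RENEWED_LINEAGE:?not invoked by certbot: RENEWED_LINEAGE is unset}"
    [ -n "$STOREPASS" ] || { echo "JAMES_STOREPASS must be set" >&2; exit 1; }
    if keystore_is_stale "$KEYSTORE" "$lineage/fullchain.pem"; then
        rebuild_keystore "$lineage" "$KEYSTORE" "$ALIAS" "$STOREPASS"
        # James has to reload the keystore; a service restart is the portable way.
        systemctl restart james 2>/dev/null || echo "restart James to load $KEYSTORE" >&2
    fi
}

# Only act when certbot invoked us; sourcing the file for its functions is harmless.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because the hook runs only on an actual renewal, the daily `certbot renew` cron job stays a no-op until LetsEncrypt decides the certificate is due, and the keystore is rebuilt and verified in the same run, so IMAP and SMTP clients never see the expired copy.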


---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
For additional commands, e-mail: server-user-h...@james.apache.org
