postfix + dovecot + let's encrypt (certbot) - Seamless ssl/tls mail certificate
All,

Probably old news to most who run their own mail servers, but for years I simply used self-signed certs for mail and used Let's Encrypt for my web servers. Turns out it's trivial to use the same certs for both. The key is you need to have both an A and MX record for your mail host and then add that fqdn to (expand) your Let's Encrypt certificate so it includes the mail host fqdn.

While most mail clients would simply allow you to add an exception for your annual change for self-signed certs, leave it to Apple to make things difficult and complain. So tired of fighting with iOS, it was time to simply use a legitimate cert. (Makes Apple instantly happy, no reboots to clear cache or 3 forced mail checks in rapid succession to have it add a new exception.)

If you are interested, here are three links that tie it all together. Note that different web servers will have different setups/processes for requesting your original or expanded cert. (There is a manual method as well.)

https://serverfault.com/q/999409/332034
https://community.letsencrypt.org/t/how-to-add-mail-server-to-existing-certi...
https://community.letsencrypt.org/t/dovecot-certificate/145441/9

Simple solution. The only change to dovecot.conf is to point it to the Let's Encrypt certs instead of self-signed. Should have taken the time to do this years ago when I did the web server.

-- 
David C. Rankin, J.D.,P.E.
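The steps above, tied together as an added shell script (not David's code and not taken from the linked threads): expand the existing certbot lineage to name the mail host, point dovecot and postfix at the resulting files, reload both daemons on every renewal, and look at what an IMAP client actually receives. The names example.com and mail.example.com, and the /etc/letsencrypt/live/<name>/ layout, are assumptions; the mail host needs its A record, and the domain its MX record, before the challenge can succeed.

```shell
#!/bin/sh
# Added example, not from the thread: wire postfix and dovecot to a Let's
# Encrypt certificate that has been expanded to also name the mail host.
# Assumed (hypothetical) names: web host example.com, mail host
# mail.example.com. The mail host needs an A record, and the domain an MX
# record pointing at it, before certbot can pass the HTTP-01 challenge.
set -eu

WEB_FQDN="${WEB_FQDN:-example.com}"
MAIL_FQDN="${MAIL_FQDN:-mail.example.com}"
# certbot keeps the lineage under the name of the first -d given originally
LE_DIR="${LE_DIR:-/etc/letsencrypt/live/$WEB_FQDN}"

# Step 1: extend the existing lineage with the mail host's SAN. --expand
# re-issues the same lineage instead of creating a second one, so the paths
# under $LE_DIR stay valid. The deploy hook makes both daemons pick up each
# renewed certificate, since they read the files only at (re)start.
expand_cert() {
  certbot certonly --expand --cert-name "$WEB_FQDN" \
    -d "$WEB_FQDN" -d "www.$WEB_FQDN" -d "$MAIL_FQDN" \
    --deploy-hook "systemctl reload postfix dovecot"
}

# Step 2a: dovecot ssl settings. The leading '<' tells dovecot to read the
# file's contents rather than treat the value as a literal PEM string.
dovecot_ssl_conf() {
  cat <<EOF
ssl = required
ssl_cert = <$LE_DIR/fullchain.pem
ssl_key = <$LE_DIR/privkey.pem
EOF
}

# Step 2b: postfix settings for the same files (main.cf syntax).
postfix_ssl_conf() {
  cat <<EOF
smtpd_tls_cert_file = $LE_DIR/fullchain.pem
smtpd_tls_key_file = $LE_DIR/privkey.pem
smtpd_tls_security_level = may
EOF
}

# Write both fragments into a directory; the real targets would be
# /etc/dovecot/conf.d/10-ssl.conf and /etc/postfix/main.cf.
write_configs() {
  dovecot_ssl_conf > "$1/10-ssl.conf"
  postfix_ssl_conf >> "$1/main.cf"
}

# Step 3: see exactly what an IMAP client sees: subject, validity window and
# the SAN list, which must contain the mail fqdn. A missing SAN or an expired
# notAfter is what makes strict clients such as iOS refuse the connection.
check_imaps() {
  printf 'QUIT\r\n' \
    | openssl s_client -connect "$MAIL_FQDN:993" -servername "$MAIL_FQDN" 2>/dev/null \
    | openssl x509 -noout -subject -dates -ext subjectAltName
}
```

Run `expand_cert` once on the mail host, preview the fragments with `write_configs /tmp/preview` before merging them into the live dovecot and postfix configuration, reload both daemons, and then `check_imaps` from outside to confirm the SAN list and the dates. The deploy hook matters more than it looks: Let's Encrypt certificates are short-lived, and a renewed file that no daemon has reloaded reproduces the exact expiry complaint the post is trying to get rid of.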
On 2022-06-07 08:07, David C. Rankin wrote:
All,
Probably old news to most who run their own mail servers, but for years I simply used self-signed certs for mail and used Let's Encrypt for my web servers. Turns out it's trivial to use the same certs for both. The key is you need to have both an A and MX record for your mail host and then add that fqdn to (expand) your Let's Encrypt certificate so it includes the mail host fqdn.
While most mail clients would simply allow you to add an exception for your annual change for self-signed certs, leave it to Apple to make things difficult and complain. So tired of fighting with iOS, it was time to simply use a legitimate cert. (Makes Apple instantly happy, no reboots to clear cache or 3 forced mail checks in rapid succession to have it add a new exception.)
If you are interested, here are three links that tie it all together. Note that different web servers will have different setups/processes for requesting your original or expanded cert. (There is a manual method as well.)
Interesting, thanks. I don't have an outside-facing postfix, but still.

Curio: my mail provider's SMTP server used a self-signed certificate with the "example" text fields of whatever Linux implementation they used (my guess). I could see, for many moons (years), the "example" text, "do not use for production", in my smtp logs when sending email :-D

-- 
Cheers / Saludos,
Carlos E. R.
(from Elesar, using openSUSE Leap 15.3)
On 6/8/22 03:18, Carlos E. R. wrote:
Curio: my mail provider's SMTP server used a self-signed certificate with the "example" text fields of whatever Linux implementation they used (my guess). I could see, for many moons (years), the "example" text, "do not use for production", in my smtp logs when sending email :-D
Most mail clients just want to know whether ssl/tls is available and don't check the actual content of the certificate. Most ignore the content for SMTP (sending) purposes. So far I've only run into the new iOS that balks on the (receiving) side if the content (or even the expiration date) is invalid.

The irony is that you can set your receiving up in iOS with a self-signed certificate (iOS will accept that it is self-signed), but when that certificate is replaced (due to the 1 year expiry, etc.) it has no mechanism to accept the new certificate. You can create a new signing cert and key from the private key and update the expiration without "creating" a new certificate, but the updated cert will lack the MozV3 extensions for the "role" of the original cert. I haven't found a way to update while preserving that content.

Easiest way I've found is just to go legit. It was much easier than I had envisioned and iOS is happy.

-- 
David C. Rankin, J.D.,P.E.
David C. Rankin wrote:
On 6/8/22 03:18, Carlos E. R. wrote:
Curio: my mail provider's SMTP server used a self-signed certificate with the "example" text fields of whatever Linux implementation they used (my guess). I could see, for many moons (years), the "example" text, "do not use for production", in my smtp logs when sending email :-D
Most mail clients just want to know whether ssl/tls is available and don't check the actual content of the certificate. Most ignore the content for SMTP (sending) purposes.
Yep. In this context, the encrypted transmission is the main thing, the identity of the receiver less so.
The irony is that you can set your receiving up in iOS with a self-signed certificate (iOS will accept that it is self-signed), but when that certificate is replaced (due to the 1 year expiry, etc.)
When you're using self-signed, you could always set expiry in 10 or 20 years. For our BMCs, we also use self-signed, with 10 year expiry.

-- 
Per Jessen, Zürich (16.9°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
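Per's long-expiry alternative, as an added shell example (not from his post): generate a self-signed mail certificate with a 10-year term and a subjectAltName entry, print the SAN list to confirm what was signed, and a check that answers "will this still be valid N days from now?", which is the question to ask from cron before a lapse turns into client complaints. The host name mail.example.com, the output directory and the 3650-day term are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: create a long-lived self-signed
# certificate for a mail host and check its remaining validity. The host
# name, output directory and 10-year term are constructed values.
set -eu

# $1 = mail fqdn, $2 = output directory, $3 = validity in days.
# A SAN entry is included because clients match the host name against
# subjectAltName, not only against the CN.
make_selfsigned() {
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days "$3" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
  # the private key must not be world-readable
  chmod 600 "$2/$1.key"
}

# Print the SAN list of the certificate at $1, to confirm what was signed.
san_of() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

# Exit 0 if the certificate at $1 is still valid $2 days from now, 1 if it
# will have expired by then. -checkend takes a window in seconds.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Usage: `make_selfsigned mail.example.com /etc/ssl/private 3650`, then `san_of /etc/ssl/private/mail.example.com.crt` to verify the name, and `valid_for_days /etc/ssl/private/mail.example.com.crt 30 || echo "renew soon"` from a daily cron job. The 10-year term removes the annual replacement that iOS cannot absorb, but it also means the same key stays in service for a decade, so keep the key file's permissions tight and still plan its replacement.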