ISPConfig, Dovecot, Postfix and LetsEncrypt SSL

This article was posted more than 1 year ago. Please keep in mind that the information on this page may be outdated, insecure, or just plain wrong today.

Please See: https://www.howtoforge.com/community/threads/lets-encrypt-working-with-ispconfig-interface-postfix-dovecot-tls-pure-ftpd-monit.75546/

ARCHIVED
I successfully configured Dovecot and Postfix to use my LetsEncrypt SSL certificate for my mail domain.

Generate SSL Certificate

When I installed ISPConfig 3.1b, I followed instructions on setting up LetsEncrypt which placed it in /opt/letsencrypt; If you have LetsEncrypt installed elsewhere, substitute the path below with the correct path.
I run in standalone mode so I need to stop Apache2.

service apache2 stop

Create the certificate.
Update: 12/2016 Install the certbot tool following this guide for Debian Jessie 8:  https://certbot.eff.org/all-instructions/#debian-8-jessie-apache

certbot certonly --standalone -d mail.techish.net

The certificate now lives in /etc/letsencrypt/live/mail.techish.net/

Configure Dovecot

I modified /etc/dovecot/conf.d/10-ssl.conf and added the following lines:

ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.techish.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.techish.net/privkey.pem

Then I restarted Dovecot

service dovecot restart

That didn’t seem to work;  it was still publishing an invalid certificate, so I had a look around at more configuration files.
I then modified /etc/dovecot/dovecot.conf file.  In this file I saw the ssl_cert and ssl_key variables and I also noted the protocols. The bolded items are what I changed/added.

protocols = imap pop3 imaps pop3s
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
#ssl_cert = </etc/postfix/smtpd.cert
#ssl_key = </etc/postfix/smtpd.key
ssl_cert = </etc/letsencrypt/live/mail.techish.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.techish.net/privkey.pem

I then restarted Dovecot

service dovecot restart

Configure Postfix

I looked at /etc/postfix/main.cf and noted that the cert was pointed to /etc/postfix/ directory. I decided to backup the certs that existed and then create a symlink.

smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key

Backup and create symlinks.

cd /etc/postfix
mkdir ssl-backup
mv smtpd.* ssl-backup/
ln -s /etc/letsencrypt/live/mail.techish.net/fullchain.pem smtpd.cert
ln -s /etc/letsencrypt/live/mail.techish.net/privkey.pem smtpd.key

Restart Postfix

service postfix restart
Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *