
Using Let's Encrypt Certificates for Mail and other Apps

If you want your favourite app added to these instructions, please send an e-mail with your howto to support@clearcenter.com and it will be added.

Background

There is a Let's Encrypt app which enables you to get free SSL certificates for use on your Web Sites or for use in the Webconfig. With very minor changes it is possible to use a Let's Encrypt certificate in the mail apps - SMTP server (postfix), POP and IMAP server (cyrus-imapd), Zarafa and Kopano.

For each certificate requested (certbot calls a certificate together with its renewals a lineage), the Let's Encrypt app maintains four symlinks:

/etc/letsencrypt/live/your_FQDN/cert.pem

This is the server certificate itself (the leaf), with no intermediate attached

/etc/letsencrypt/live/your_FQDN/chain.pem

The chain file, also known as the intermediate certificate, contains the intermediate certificate(s) that link cert.pem back to the Let's Encrypt root CA. The root itself is not in this file and is not held by the Let's Encrypt app; clients trust it from their own trust store (on the server that is /etc/pki/tls/certs/ca-bundle.crt)

/etc/letsencrypt/live/your_FQDN/fullchain.pem

This is cert.pem followed by chain.pem, in that order, which is what a daemon expects when it takes a single certificate file; the configurations below all use this file

/etc/letsencrypt/live/your_FQDN/privkey.pem

This is the private key for your certificate. It is the one file in the set that must stay secret: the ssl-cert group used below exists so that only the daemons that need it can read it, and it should never be made world-readable or copied elsewhere

The Let's Encrypt app keeps these symlinks always pointing to the latest certificate files under /etc/letsencrypt/archive/your_FQDN, which is why the configurations below reference the live/ paths and never the numbered files in archive/.

Requirements

Before you can make these changes, you must already have Let's Encrypt certificates which cover the (sub-)domain(s) you are going to use for your e-mail server. As an idea, typical subdomains are smtp.example.com, pop.example.com, imap.example.com and mail.example.com but they do not have to be one of those. You can even just use example.com. You can have separate domains for the incoming and outgoing servers or just a single domain for both.

For the Howto I will assume smtp.example.com and imap.example.com are the subdomains. I also assume that the certificates obtained were for the Primary Domains of smtp.example.com and imap.example.com. If the certificate was for a different Primary Domain and smtp.example.com and imap.example.com were listed as Other Domains when creating the certificates, use the Primary Domain name in the configurations below instead.

Configuration

The HowTo was originally written using the “mail” group. That setup still works, but in order to extend the use of Let's Encrypt certificates to other apps, the HowTo has been changed to use the “ssl-cert” group.

Common Let's Encrypt Setup

Changing permissions and ownership is a common step for all the apps below.

Fix permissions and ownership on the Let's Encrypt folders:

chown root:ssl-cert /etc/letsencrypt/live /etc/letsencrypt/archive
chmod 0750 /etc/letsencrypt/live /etc/letsencrypt/archive
This next step was added on 18th Sept 2019 to accommodate a change in certbot behaviour: newer certbot versions create privkey.pem with 0600 permissions, so daemons running as their own user can no longer read it. Older keys were created 0644 (world-readable) and are not affected by that change; consider removing the world-read bit from those so that only root and the ssl-cert group can read them. Note that chown and chmod on the live/ symlinks act on the current key file in archive/, which is what you want.

Fix the key permissions:

chown root:ssl-cert /etc/letsencrypt/live/*/privkey.pem
chmod g+r /etc/letsencrypt/live/*/privkey.pem
If you have multiple certificates and only want to expose one of them to the ssl-cert group, you can do:
chown root:ssl-cert /etc/letsencrypt/live/{your_certificate_name}/privkey.pem
chmod g+r /etc/letsencrypt/live/{your_certificate_name}/privkey.pem

and substitute your certificate name for {your_certificate_name}.

SMTP Server (postfix)

Add the following to /etc/postfix/main.cf:

smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/smtp.example.com/privkey.pem

Add the postfix user to the ssl-cert group:

usermod -a -G ssl-cert postfix

Then restart postfix:

systemctl restart postfix

Now make postfix re-read the certificates each time they are renewed. The Let's Encrypt app runs the scripts in /var/clearos/events/lets_encrypt/ after a renewal, so create a file /var/clearos/events/lets_encrypt/postfix with 0755 permissions and the following contents:

#!/bin/sh

sleep 10

systemctl condrestart postfix

If you copy and paste the following into a terminal this will create the file correctly for you:

echo '#!/bin/sh' > /var/clearos/events/lets_encrypt/postfix
echo >> /var/clearos/events/lets_encrypt/postfix
echo 'sleep 10' >> /var/clearos/events/lets_encrypt/postfix
echo >> /var/clearos/events/lets_encrypt/postfix
echo 'systemctl condrestart postfix' >> /var/clearos/events/lets_encrypt/postfix
chmod 0755 /var/clearos/events/lets_encrypt/postfix

POP and IMAP Server (cyrus-imapd)

Change the following in /etc/imapd.conf:

tls_key_file:    /etc/letsencrypt/live/imap.example.com/privkey.pem
tls_cert_file:   /etc/letsencrypt/live/imap.example.com/fullchain.pem

Add the cyrus user to the ssl-cert group:

usermod -a -G ssl-cert cyrus

Then restart cyrus-imapd:

systemctl restart cyrus-imapd

Now make cyrus-imapd re-read the certificates each time they are renewed. The Let's Encrypt app runs the scripts in /var/clearos/events/lets_encrypt/ after a renewal, so create a file /var/clearos/events/lets_encrypt/cyrus-imapd with 0755 permissions and the following contents:

#!/bin/sh

sleep 10

systemctl condrestart cyrus-imapd

If you copy and paste the following into a terminal this will create the file correctly for you:

echo '#!/bin/sh' > /var/clearos/events/lets_encrypt/cyrus-imapd
echo >> /var/clearos/events/lets_encrypt/cyrus-imapd
echo 'sleep 10' >> /var/clearos/events/lets_encrypt/cyrus-imapd
echo >> /var/clearos/events/lets_encrypt/cyrus-imapd
echo 'systemctl condrestart cyrus-imapd' >> /var/clearos/events/lets_encrypt/cyrus-imapd
chmod 0755 /var/clearos/events/lets_encrypt/cyrus-imapd

Zarafa

Zarafa Webapp uses the Apache web server. This makes configuring Let's Encrypt certificates trivial and can be done through the Webconfig interface. Navigate to Server –> Web Server and configure your default website, ensuring you select your Let's Encrypt certificate that will be used to access Zarafa webapp (eg. https://mail.example.com/webapp).

Since Apache also hosts the z-push (Active Sync), configuring your web server to use these certificates will extend out to this service as well without additional changes.

POP3S/IMAPS

In order to use the Let's Encrypt certificates when connecting via POP3S or IMAPS from mail clients, you will need to make some changes to the following file: /etc/zarafa/gateway.cfg

ssl_private_key_file = /etc/letsencrypt/live/example.com/privkey.pem
ssl_certificate_file = /etc/letsencrypt/live/example.com/fullchain.pem

Add the zarafa user to the ssl-cert group:

usermod -a -G ssl-cert zarafa

Once done, be sure to restart Zarafa Gateway service:

systemctl restart zarafa-gateway

Now make zarafa-gateway re-read the certificates each time they are renewed. The Let's Encrypt app runs the scripts in /var/clearos/events/lets_encrypt/ after a renewal, so create a file /var/clearos/events/lets_encrypt/zarafa-gateway with 0755 permissions and the following contents:

#!/bin/sh

sleep 10

systemctl condrestart zarafa-gateway

If you copy and paste the following into a terminal this will create the file correctly for you:

echo '#!/bin/sh' > /var/clearos/events/lets_encrypt/zarafa-gateway
echo >> /var/clearos/events/lets_encrypt/zarafa-gateway
echo 'sleep 10' >> /var/clearos/events/lets_encrypt/zarafa-gateway
echo >> /var/clearos/events/lets_encrypt/zarafa-gateway
echo 'systemctl condrestart zarafa-gateway' >> /var/clearos/events/lets_encrypt/zarafa-gateway
chmod 0755 /var/clearos/events/lets_encrypt/zarafa-gateway

Kopano

The Kopano instructions are identical to the Zarafa changes above, except, of course, with the Zarafa paths, configuration file, user and service names replaced with their Kopano equivalents.

PlexMediaServer

Create a file /var/clearos/events/lets_encrypt/plex and in it put:

#!/bin/sh

# Bundle the renewed key and chain into the PKCS#12 file Plex expects.
# Change example.com to your certificate name (the folder under /etc/letsencrypt/live).
openssl pkcs12 -export -password pass:plexmediaserver \
    -out /var/lib/plexmediaserver/certificate.pfx \
    -inkey /etc/letsencrypt/live/example.com/privkey.pem \
    -in /etc/letsencrypt/live/example.com/fullchain.pem

# The .pfx contains the private key: make it readable by the plex user only.
chown plex:plex /var/lib/plexmediaserver/certificate.pfx
chmod 0600 /var/lib/plexmediaserver/certificate.pfx

sleep 10
systemctl condrestart plexmediaserver

Change example.com to your certificate name. You can change the password if you want, but it only wraps the .pfx with a value that is itself stored in Plex's settings, so the file ownership and permissions set in the script are what actually protect the key. Make the file executable:

chmod 0755 /var/clearos/events/lets_encrypt/plex

And run it once to create the certificate in pkcs12 format:

/var/clearos/events/lets_encrypt/plex

In the Plex Dashboard go to Settings > Network > Show Advanced and:

  • set “Custom certificate location” to /var/lib/plexmediaserver/certificate.pfx
  • set “Custom certificate encryption key” to “plexmediaserver” (or whatever password you used)
  • set “Custom certificate domain” to a domain covered by your certificate. Set “Secure connections” to either “Preferred” or “Required”.

Then save your changes.

Multiple Let's Encrypt certificates

If you have multiple Let's Encrypt certificates, then each time any one of them renews, every app for which you've created an events file will restart, even those whose certificate did not change. Restarting onto an unchanged certificate is harmless apart from a brief interruption, so as renewals happen outside working hours this typically does not matter. If you want to restrict the restart to a particular certificate you can put the restart operation inside an “if” statement. Using postfix as an example, you'd change:

#!/bin/sh

sleep 10
systemctl condrestart postfix

to:

#!/bin/sh

if [ "$(basename "$RENEWED_LINEAGE")" = "www.example.com" ]; then
    sleep 10
    systemctl condrestart postfix
fi

Obviously changing www.example.com to your certificate name - the folder name in /etc/letsencrypt/live.
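Putting the three per-app event files above and this “if” filter together, here is a single hook as an added example (not ClearOS code) that restarts only the daemons bound to the lineage that actually renewed, and refuses to restart anything if the renewed key or chain is missing, so a broken renewal cannot turn into a mail outage. It assumes, as the “if” example does, that the event hook runs with certbot's RENEWED_LINEAGE set to the lineage directory; the lineage names in the table are the howto's placeholders.

```shell
#!/bin/sh
# Added example, not part of the ClearOS howto: one event hook for
# /var/clearos/events/lets_encrypt/ that restarts only the daemons bound to
# the lineage that renewed, after checking the renewed files are usable.
# Assumes the hook runs with certbot's RENEWED_LINEAGE exported (the path
# /etc/letsencrypt/live/<name>), as the howto's "if" example relies on.
# The lineage names below are the howto's placeholders; edit them for your site.

RESTART_DELAY="${RESTART_DELAY:-10}"   # the howto's 10-second grace period

log_msg() {
    logger -t lets_encrypt-hook "$*" 2>/dev/null || echo "lets_encrypt-hook: $*" >&2
}

# Lineage (folder name under /etc/letsencrypt/live) -> space-separated services.
# Unknown lineages map to nothing, so a renewal of e.g. www.example.com does
# not bounce the mail daemons.
services_for_lineage() {
    case "$1" in
        smtp.example.com) echo "postfix" ;;
        imap.example.com) echo "cyrus-imapd" ;;
        mail.example.com) echo "postfix cyrus-imapd" ;;   # one certificate for both
        *) echo "" ;;
    esac
}

# Wrapped so the restart can be stubbed out when exercising the hook logic.
restart_service() {
    systemctl condrestart "$1"
}

# Refuse to restart if the renewed key/chain are missing or unreadable: a
# daemon restarted onto a broken lineage fails its TLS setup, and condrestart
# would turn a renewal problem into an outage.
lineage_usable() {
    for f in "$1/privkey.pem" "$1/fullchain.pem"; do
        [ -r "$f" ] || { log_msg "$f missing or unreadable; not restarting"; return 1; }
    done
    return 0
}

# Argument: the lineage directory certbot reports as RENEWED_LINEAGE.
handle_renewal() {
    lineage=$(basename "$1")
    svcs=$(services_for_lineage "$lineage")
    if [ -z "$svcs" ]; then
        log_msg "lineage $lineage renewed; no services bound to it"
        return 0
    fi
    lineage_usable "$1" || return 1
    sleep "$RESTART_DELAY"
    for s in $svcs; do
        log_msg "lineage $lineage renewed; restarting $s"
        restart_service "$s"
    done
}

# certbot exports RENEWED_LINEAGE to its hooks; do nothing if it is absent
# (for example when the script is sourced or run by hand without it).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    handle_renewal "$RENEWED_LINEAGE"
fi
```

Install it as a single 0755 file in /var/clearos/events/lets_encrypt/ in place of the per-app scripts, and watch the lets_encrypt-hook entries in the system log after the next renewal to confirm which daemons were restarted.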


content/en_us/kb_howtos_using_letsencrypt_certificates_for_mail.txt · Last modified: 2021/10/02 08:06 by 62.30.63.90