Cerificate for Qmail

nevilleonline · January 15, 2018, 9:15am

Hi ,

I would like to know the process to follow issuing certificates for my qmail server. Presently we are using self signed certificates in pem format.

ls -al /var/qmail/control/*.pem
lrwxrwxrwx 1 root root 33 May 20 2017 /var/qmail/control/clientcert.pem -> /var/qmail/control/servercert.pem
-rw------- 1 vpopmail vchkpw 245 Jan 15 05:03 /var/qmail/control/dh1024.pem
-rw------- 1 vpopmail vchkpw 156 Jan 15 05:03 /var/qmail/control/dh512.pem
-rw------- 1 vpopmail vchkpw 493 Jan 15 05:03 /var/qmail/control/rsa512.pem
-rw-r----- 1 vpopmail vchkpw 3176 May 20 2017 /var/qmail/control/servercert.pem

I have used letsencrypt before but for a website, so I am little confused how to go about it to adapt in qmail. Normally for a site it creates two certificates

ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

Over here fullchain.pem can be linked as servercert.pem and clientcert.pem. Would that be right? Any other things I need to be carefull about or lookout for? Any pointers would be great.

Regards,
Neville

_az · January 15, 2018, 9:21am

I believe that servercert.pem should be in “combined format”:

PRIVATE KEY
CERTIFICATE
INTERMEDIATES

So maybe you can have a --deploy-hook such as:

cat /etc/letsencrypt/live/domain.com/privkey.pem \
/etc/letsencrypt/live/domain.com/fullchain.pem \
> /var/qmail/control/servercert.pem && \
service qmail restart

nevilleonline · January 15, 2018, 9:38am

fullchain.pem and servercert.pem are both in combined format. Is there a different process to issue certificate for qmail? or apache plugin will work. I need cert for only the default domain. I am using apache as well to host vqadmin and qmailadmin on the qmail server.

_az · January 15, 2018, 9:42am

There’s no separate process or type of certificate for qmail.

You just need to do the one extra step of combining privkey.pem and fullchain.pem into a single file, because that’s what qmail expects (rather than having a separate key and certificate file).

system · February 14, 2018, 9:42am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.