I have a Linux server which runs Apache2, and the Exim4 SMTP server.
I use the LetsEncrypt Certbot system to create the certificates and these get copied across to the Exim4 directory and fixed up.
All works perfectly.
But I also have to copy the public certificate into the DMARC DNS settings of my VPS provider, every time the Certbot renews the certificates!
That is an impossible task every 3 months.
Is there any way to have the LetsEncrypt certificates to be valid for 12 months instead of 3 months?
Why in heavens name is it set to such a short period?
Is there another solution to use LetsEncrypt for Mail servers? It seems to be only designed for https servers...
Hi @bartkindtnz, and welcome to the LE community forum
No, they only have one offering: 90 days.
Certificates are not made specific for any server(s) - they can be used by all kinds of servers and systems.
LE certs are exactly like any other/all other CA certs.
How would you like a cert to be designed specifically for a mail server?
You probably mean DKIM, which doesn't involve x509 certificates, but plain pubkeys (RSA or ed25519) published in DNS. You don't need LE or any other Certificate Authority for this, this can simply be generated locally on your server.
I am sorry, yes I meant DKIM not DMARC. You would not believe the trouble I am having with places like hotmail which keep blocking emails. All of them now seem to require real certifications and not self-built ones. Especially with my mailing list system, where the hash of the body is always wrong (due to the required unsubscribe links being added) it seems to be that you have to have everything else absolutely perfect to have any chance to get the emails through.
Hmmm: as mentioned above, DKIM does not use the WebPKI type of certificate that we (and other CAs) issue, at all. Could you please give us some more detail about your configuration, so we can better understand exactly what’s going on?
(Edit:) I think your note about the signature matching is important here: no matter what you do, that will need to be fixed, or your deliverability will stay bad. I’m less familiar with Exim than with Postfix; are you using OpenDKIM or some other configuration? Snippets of those config files could help us troubleshoot this. Although it may be beyond the scope of our forum, we’ll do what we can.
Basically, I copy the Public Key and Private Key generated by LetsEncrypt to the Exim4 directory for it to use.
Then I copy the Public Key into the DKIM DNS records for the 5 different Domains which are running on this VPS.
I just read a bit more. I read now that certificates expire, but SSL keys do not expire? Which would mean I can leave the current Public Key in place for Exim4, even when the LetsEncrypt certificates get updated?
Only if it continues to use the matching private key. [uncommon]
If Exim4 changes the private key as you renew your certs, then you will have to change the public key to match the private key.
That only matters for DANE/TLSA, though. And you can always use a trust anchor like R3 or ISRG Root X1 in your tlsa record (they are additive, you can use more than one.)
So you're throwing away all the x509 parts (what LE provided), retaining only the bare public key (that you already had without LE). Again, you don't need a CA for DKIM.
You do want to rotate those keys periodically though, but that's on your own initiative and not mandated by any expiration date.
Here's your actual problem - you're modifying the messages after signing them, and DKIM was designed to detect this kind of message "tampering". So it actually works!
Change the order of your message processing: modify, then sign, and you should be fine.
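To make the "sign, then modify" failure concrete, here is an added Python example (my own, not code from this thread, Exim or Mailman). It implements the relaxed body canonicalization and the bh= body hash from RFC 6376 and shows that a footer appended after signing no longer matches the signed hash, while hashing after the footer is added does. The message and the unsubscribe footer are constructed samples.

```python
import base64
import hashlib
import re

# Relaxed body canonicalization per RFC 6376 section 3.4.4 (own implementation,
# not Exim's or OpenDKIM's): collapse runs of WSP, strip trailing WSP per line,
# drop trailing empty lines, end the body with a single CRLF.
def relaxed_body(body: str) -> bytes:
    canon = []
    for line in body.replace("\r\n", "\n").split("\n"):
        line = re.sub(r"[ \t]+", " ", line)   # runs of SP/HTAB -> one SP
        canon.append(line.rstrip(" \t"))      # no trailing WSP
    while canon and canon[-1] == "":          # remove trailing empty lines
        canon.pop()
    if not canon:
        return b""                            # empty body hashes as empty input
    return ("\r\n".join(canon) + "\r\n").encode()

def body_hash(body: str) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def body_hash_matches(bh_tag: str, body: str) -> bool:
    """First thing a verifying MTA checks: does the received body still hash to bh=?"""
    return body_hash(body) == bh_tag

# Constructed sample: the message as the sending MTA signs it ...
ORIGINAL = "Hello list,\r\n\r\nMeeting is at 10.\r\n"
# ... and the footer a mailing-list manager appends afterwards.
FOOTER = "\r\n--\r\nUnsubscribe: https://lists.example.test/unsubscribe\r\n"

def demo() -> dict:
    bh_signed_first = body_hash(ORIGINAL)             # sign, then modify (the thread's setup)
    bh_modified_first = body_hash(ORIGINAL + FOOTER)  # modify, then sign (the suggested fix)
    return {
        "signed_then_modified_ok": body_hash_matches(bh_signed_first, ORIGINAL + FOOTER),
        "modified_then_signed_ok": body_hash_matches(bh_modified_first, ORIGINAL + FOOTER),
    }

if __name__ == "__main__":
    print(demo())  # {'signed_then_modified_ok': False, 'modified_then_signed_ok': True}
```

A receiver that sees the bh= mismatch reports the signature as failed before it even checks the RSA signature over the headers, which is exactly the "hash of the body is always wrong" symptom described earlier in the thread.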
That is totally true, but it does not seem to be possible with
Linux>Exim4>MailMan
Where Mailman is the mailing list system.
And it is a well known issue, but for whatever reason, it does not seem possible to fix it from the MailMan side; I also have not seen any solutions from the Exim4 side. There is an option for MailMan to remove the DKIM data from the email, so at least it is not considered FAIL, but then it is missing, which in some destinations is also a complete SPAM. I must admit it does not make sense, and there must be a way to solve this.
However, we are getting away from the LetsEncrypt question, which I now understand is totally not required for DKIM to work with Exim4 and I can just use a privately generated Key set.