Letsencrypt certs on email server.. Weird issue


#1

Dunno if I’m in the right place here, but I run my own mailserver using iRedmail… I use letsencrypt on the two subdomains of my personal domain, “webmail.frandin.org” and “mail.frandin.org”. Right after letsencrypt went out of beta, I switched over from a self-signed cert to using letsencrypt. The LE cert expired on 12/12/16; I have a cronjob set to renew it automatically, which, according to the SSLtest website, shows as renewed to 3/12/17. I have squirrelmail webmail on the server, and I can login there and get an error-free connection to any of the mail accounts on the mailserver. However, Thunderbird and every other mail reader (Evolution/Claws) I try to connect to the mail server with insists that the cert has expired on 12/12/16. I’ve posted on the Mozilla Thunderbird forum and they suggest to post here… Dunno where to turn on this…


#2

Hi @dfrandin, the webmail service and the desktop mail client software use different protocols (HTTPS and IMAPS, respectively), which are served by different server software and will have separate configuration files.

Your web server (which speaks HTTPS) is correctly using the renewed cert, but your mail server (which speaks IMAPS) is presumably still using the old cert. The SSLtest web site is only looking at the HTTPS protocol, not the IMAPS protocol, which is on a different TCP port (993 instead of 443).

So, you should find where the IMAPS server software is and how it’s configured, and see why it still uses the old certificate. If you’re using Certbot (previously “letsencrypt”), one possibility is that the mail server configuration was mistakenly pointed at something like /etc/letsencrypt/webmail.frandin.org/archive instead of /etc/letsencrypt/webmail.frandin.org/live (the links in the latter get updated when the certificate is renewed, but the files in the former don’t).


#3

Another possibility is that the configuration file of iRedmail does point to the right symlink in /live/, but has to be reloaded for the new certificate to take effect.

When using the Apache webserver with the apache plugin of certbot (formerly known as letsencrypt), Apache is reloaded automatically… But iRedmail probably didn’t get reloaded.

If you want to automate this, you could add a reload command to a script which you can point at in the --post-hook switch of certbot. For more information about these hooks, see the documentation: https://certbot.eff.org/docs/using.html#renewing-certificates
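Putting #2 and #3 together, here is an added helper script (not from this thread or from certbot/iRedmail) that checks whether each service actually serves the certificate in certbot’s live/ directory, and that can be installed as the --post-hook to reload the mail daemons. It assumes mail.frandin.org hosts IMAPS and SMTP submission, that Dovecot and Postfix are the daemons (systemd unit names), and that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: compare the cert each TLS service presents against the one
# certbot renewed in live/, and reload mail daemons from a --post-hook.
# Assumed: LIVE_DIR path, Dovecot/Postfix unit names, openssl CLI present.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/mail.frandin.org}"  # assumed path

# SHA-256 fingerprint ("AB:CD:...") of the PEM certificate on stdin
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Expiry (notAfter) of the PEM certificate on stdin
pem_not_after() {
    openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Print the leaf cert a service presents. 443/993/465 use implicit TLS;
# for STARTTLS ports pass the protocol name (imap, smtp) as $3.
served_cert() {  # host port [starttls-proto]
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
    fi | openssl x509
}

# Compare what a service serves with live/fullchain.pem; returns 1 on mismatch.
check_service() {  # host port [starttls-proto]
    want=$(pem_fingerprint <"$LIVE_DIR/fullchain.pem")
    got=$(served_cert "$1" "$2" "${3:-}" | pem_fingerprint)
    if [ "$want" = "$got" ]; then
        echo "OK       $1:$2 serves the renewed cert"
    else
        echo "MISMATCH $1:$2 serves a cert expiring: $(served_cert "$1" "$2" "${3:-}" | pem_not_after)"
        return 1
    fi
}

# Reload daemons after renewal; install as: certbot renew --post-hook "/path/to/this.sh reload"
reload_mail_services() {
    systemctl reload dovecot postfix   # assumed unit names; adjust for your distro
}

case "${1:-}" in
    check)  status=0
            check_service webmail.frandin.org 443 || status=1   # what SSLtest sees
            check_service mail.frandin.org 993 || status=1      # what Thunderbird sees
            check_service mail.frandin.org 587 smtp || status=1
            exit "$status" ;;
    reload) reload_mail_services ;;
esac
```

Run it as `./certcheck.sh check` after a renewal: a MISMATCH line on 993 while 443 is OK is exactly the symptom in this thread, and it prints the expiry of the stale cert the daemon is still holding.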


#4

Sorry to be coming back so late, but I had the holidays and a family emergency… I forgot about the https vs imap issue as to why the ssl test website is happy with the renewed cert but any email program I use isn’t… Not really sure where the imap links to the certs are… obviously apache/https is pointing to the /live certs. Will ask on the iredmail forum for info on the imap links…

Thanks all!!
Dave


#5

Found the problem… Once I clearly realized the difference between https and imap certs, I found the problem… Postfix somehow was not getting updated… Seems to work now…

Thanks all!!
Dave


#6

You do realise Postfix isn’t an IMAP daemon, right? :stuck_out_tongue:
