Qmail certificate


#1

Hi everyone

I got an Apache running 7 domains on one Ip managed by SNI, and using for a while letsencrypt for https.
Each domain getting is own certs.

Today I would like to add tls to Qmail.
Is there a way to reuse the cert already used by apache for each domain.
Or Should I edit a new certs as:
certbot-auto certonly -d domain1.com -d domain1.com -d domain2.com -d domain3.com -d domain4.com

Is there any risk this command destroy the previous cert?

Does this cert will be renew by:
/usr/local/sbin/certbot-auto renew --renew-hook "service apache2 graceful" >> /var/log/le-renew.log


#2

Hi @jd440,

Does your Qmail already have TLS support? Are you using http://inoa.net/qmail-tls/? (Is there some other patch available?)


#3

That certificate is valid for any server application, so you shouldn’t need to get a new one. But your Qmail process might require it in a different format (like the patch I linked to seems to require the private key and certificate chain in a single file, which isn’t a combination that’s created automatically by Certbot).

This command would likely offer to replace one of the existing certificates because of the overlap in names. If you do want a certificate covering all four names but you don’t want it to replace one of the existing ones, you can specify --duplicate or simply choose a distinctive name for the new certificate with --cert-name.

If the hook is already specified when you originally obtained the certificate, it should be remembered and you shouldn’t have to give any options after renew. Also, if you used --apache or -i apache and Certbot installed the certificate into Apache for you (i.e., not certonly or --webroot or --standalone or --manual), then Certbot should automatically reload your Apache process for you whenever a certificate is renewed, without requiring a hook. However, if you edited your Apache configuration yourself to configure the certificate, a hook could be useful here.


#4

Thanks @schoen for you answer.

Using netqmail 1.06 it seems I doesn’t need any patch.
Source : https://notes.sagredo.eu/en/qmail-notes-185/installing-a-let-s-encrypt-certificate-for-your-qmail-and-dovecot-servers-233.html#comment1138


#5

As you said qmail a combinaition, And could make a script to copy and combine.

cat /etc/letsencrypt/live/mail.defaultdomain.com/privkey.pem /etc/letsencrypt/live/mail.defaultdomain.com/fullchain.pem > /var/qmail/control/servercert.pem
/usr/local/bin/qmailctl restart

But my problem is the fact, I have to put one .pem file in /var/qmail/control/, so I have no idea how could i define different cert for different domain

Ok so
certbot-auto certonly --duplicate -d domain1.com -d domain1.com -d domain2.com -d domain3.com -d domain4.com
or
certbot-auto certonly --cert-name certForMail -d domain1.com -d domain1.com -d domain2.com -d domain3.com -d domain4.com

So with both line It must be any problem to obtain multiple cert for each domain? (1 for apache, 1 for Qmail)?

By the way I saw https://plaintext.blog/hosting/mail/qmail.html#netqmail

./certbot-auto -n --email admin@${address} certonly --standalone \
-d ${domain} -d imap.${address} -d smtp.${address} -d send.${address}"

Do you think I need : -d imap. …

When I obtain the originally cert I done:

certbot-auto certonly -w /home/sitexxx/web/www -d example1.com -d www.example1.com

I just check the /etc/lestencrypt/renewal/*.com.conf file and I got:

renew_hook = service apache2 graceful


#6

It seems like the TLS implementation for netqmail might not support choosing among multiple certificates. The TLS protocol itself has a feature called SNI that lets the client indicate which hostname it’s trying to connect to, and then the server can choose an appropriate certificate in reply. This is what web servers do with virtual hosts. But netqmail may not have support for this.

In that case, you probably do need to put all of the hostnames into a single certificate. Let’s Encrypt will let you list up to 100 names as part of a single certificate. When you specify multiple -d options with Certbot, all of them will be requested as part of the same certificate.

The way that Certbot is structured, each time you run certbot certonly, you request one certificate with whichever named you specified with -d.

I don’t understand whether your question is about whether this will cause a problem with the existing certificates, or whether one command is better than the other, or whether you specifically need separate certificates for Apache and Qmail, or something else.

I think that either of these commands is OK, and the second one is probably better because it’s more explicit and gives you control over what the certificate is called (it would then be available via /etc/letsencrypt/live/certForMail).

You still don’t need to have separate certificates for Apache and Qmail; you could for example reconfigure Apache to use the new combined certificate instead of the previous ones. However, it’s also OK to have separate certificates. Either choice is OK.

Certbot would be willing to manage and renew the “certForMail” separately from the existing individual certificates. When you run certbot-auto renew, it will automatically try to renew whichever of the managed certificates are less than 30 days from expiry.


#7

Thanks for your precision about netqmail SNI.
So I would definetly have to get a single certificate for all my domain.
Do you think it could have any impact on inbox delivery rate?

I don’t understand whether your question is about whether this will cause a problem with the existing certificates, or whether one command is better than the other, or whether you specifically need separate certificates for Apache and Qmail, or something else.
Sorry about that.
I mean will cause a problem with the existing certificates, or for renew.
I don’t want the get my websites down, for a broken certificate because I play to get cert’ for my mail.

So if I create a new certForMail certificate.
the commande-line must renew all certificate.?
the existing apache certificates + the new one?


#8

Nope.

Yes, that’s right.


#9

Thanks a lot @schoen
I think this will be my last question

can you explain me those parameter

 -d imap.${address} -d smtp.${address} -d send.${address}

why should i need to list imap.mydomain.com, smtp.mydomain.com, send.mydomain.com


#10

Otherwise, those subdomains will not be included in the certificate.


#11

I understood,
But when you send an email. You send it for
exemple@mydomain.com
not
exemple@imap.mydomain.com or exemple@smtp.mydomain.com or exemple@send.mydomain.com


#12

Well. You use those hostnames as a server to receive / sent emails right?

Let’s encrypt provides “Server / TLS certificate”, not email certificates…

If you want to use TLS encryption with your QMail server (or any other type of mail server software), you would need to obtain a certificate for that server.

Take a look at this: https://www.sparkpost.com/resources/email-explained/ssl-tls-starttls-encyption/ and this https://luxsci.com/blog/smtp-tls-all-about-secure-email-delivery-over-tls.html

Thank you


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.