Simple Guide: Using Let's Encrypt SSL certs with Dovecot


#1

This is for those who already have Let's Encrypt SSL certs working on their websites, and already have self-signed SSL certs working with a dovecot/postfix setup.

All you should have to do is edit your 10-ssl.conf file (mine is in /etc/dovecot/conf.d/10-ssl.conf) to point to your Let's Encrypt SSL files.

** Always back up any files before editing! **

Example lines from 10-ssl.conf:

ssl_cert = </etc/letsencrypt/live/YOURSITE/fullchain.pem
ssl_key = </etc/letsencrypt/live/YOURSITE/privkey.pem

then just restart dovecot:

sudo service dovecot restart

Now you should be able to check mail in Thunderbird or whatever you use and have the SSL certs verified.


#2

Dovecot also supports SNI, so you can set a cert / key pair for each domain you host.

I use this kind of config myself:

ssl_cert = </path_to/default_crt.pem
ssl_key = </path_to/default_key.pem

!include conf.d/dovecot-crt*.conf

and for example dovecot-crt_imap_domain1_td.conf like this:

local_name imap.domain1.td {
  ssl_cert = </path_to/imap.domain1.td_crt.pem
  ssl_key = </path_to/imap.domain1.td_key.pem
}



 dovecot-crt_imap_domain2_td.conf:

local_name imap.domain2.td {
  ssl_cert = </path_to/imap.domain2.td_crt.pem
  ssl_key = </path_to/imap.domain2.td_key.pem
}

This way Thunderbird can request the correct certificate, and this allows users to connect / configure accounts using imap.domain1.td or imap.domain2.td depending on the email address without receiving cert errors.


#3

Since this is one of the top results of a “dovecot letsencrypt” search, perhaps it should be added that the default config - at least the one shipped by Ubuntu - does not seem to be safe against recent SSL attacks. In my config, only SSL2 is disabled, not SSL3.
From my Apache2 config that tests safe at Qualys, I derived these two lines:

ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4::!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

Perhaps someone with more knowledge about dovecot and SSL could comment on this.


#4

Really great information!

A nice way to make the certificate is

./letsencrypt-auto --apache -d mysite.be -d www.mysite.be -d pop3.mysite.be -d imap.mysite.be

so the certificate is valid for the Web and emails.


#5

Hmm, I generated my cert for the subdomain imap.example.com … and added this in dovecot:

# SSL protocols to use
ssl_protocols = !SSLv2
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4::!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
ssl_cert = </etc/letsencrypt/live/imap.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.example.com/privkey.pem

and this in postfix:

smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/smtp.example.com/privkey.pem

#6

It fails here.

This is the configuration:

ssl_key = </domain/example.com/ssl/mx.key
ssl_cert = </domain/example.com/ssl/mx-bundle.pem
ssl_ca = </domain/example.com/ssl/mx_ca-bundle.pem

local_name imaps.other.tld {
#ssl_key = </domain/other.tld/ssl/mx.key
ssl_key = </etc/ssl/acme/private/other.tld/privkey.pem
#ssl_cert = </domain/other.tld/ssl/mx.pem
ssl_cert = </etc/ssl/acme/other.tld/fullchain.pem
ssl_ca = </domain/other.tld/ssl/mx_ca-bundle.pem
}

This is the error message that appears in the log as soon as Thunderbird is started.

2017-03-20T10:17:01.37880 2017-03-20T11:17:01 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.168.1.1, lip=192.168.1.5, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

The certificate is good, however. It is the same we use for https://other.tld, without the prefix “www”.

imaps.other.tld is listed as alternative name.

This is the command used to create the certificate:

acme-client -vNnmOe $fqdn www.$fqdn mx.$fqdn smtps.$fqdn imaps.$fqdn;

We need a solution to this problem.


#7

Update:

  • it works with the iPhone
  • it fails with Thunderbird

Update #2:

It works with Thunderbird and the following configuration:

security.OCSP.GET.enabled: true
security.OCSP.enabled: 1
security.OCSP.require: true
security.ssl.enable_ocsp_must_staple: false
security.ssl.enable_ocsp_stapling: true


#8

Hi @RuGa,

What is the reason to define ssl_ca? Are you authenticating your users via certificates? If you are not, remove/comment out the ssl_ca directives, restart Dovecot and try again. Indeed, if you are using it, you should have somewhere in your config the directive ssl_verify_client_cert=yes, and as I said, if you have it defined to no (it is the default) you should not use the ssl_ca directive.

If that doesn’t work, try this config for the following directives:

# SSL protocols to use
ssl_protocols = !SSLv2 !SSLv3

# SSL ciphers to use
ssl_cipher_list = HIGH:!SSLv2:!aNULL@STRENGTH

# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes

Restart Dovecot and try again.

Of course, before changing anything, always backup your conf just in case.

Cheers,
sahsanu
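
An added example, not part of the thread and not Dovecot's own code: a small Python linter that applies the checks raised in posts #3 and #8 to a config written in the Dovecot 2.2 ssl_protocols syntax used on this page. It flags SSLv2/SSLv3 left enabled and ssl_ca set without ssl_verify_client_cert = yes. The sample config, the /path_to/ names and the function names are constructed, and treating positive protocol entries as an allow-list is this example's assumption about the 2.2 semantics.

```python
import re

KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Constructed sample (not from the thread), shaped like the configs posted above.
SAMPLE = """\
ssl_protocols = !SSLv2
ssl_cert = </path_to/default_crt.pem
ssl_key = </path_to/default_key.pem
local_name imap.domain1.td {
  ssl_cert = </path_to/imap.domain1.td_crt.pem
  ssl_key = </path_to/imap.domain1.td_key.pem
  ssl_ca = </path_to/ca-bundle.pem
}
"""

def parse(text):
    """Return {scope: {setting: value}}; scope is 'global' or a local_name."""
    scopes, scope = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        block = re.match(r"local_name\s+(\S+)\s*\{$", line)
        if block:
            scope = block.group(1)
            scopes[scope] = {}
        elif line == "}":
            scope = "global"
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            scopes[scope][key] = value
    return scopes

def enabled(protos, name):
    """Positive entries form an allow-list; '!' entries always exclude."""
    allow = [p for p in protos if not p.startswith("!")]
    return "!" + name not in protos and (name in allow or not allow)

def lint(text):
    scopes, findings = parse(text), []
    protos = scopes["global"].get("ssl_protocols", "").split()
    if not protos:
        findings.append(("global", "ssl_protocols not set explicitly"))
    findings += [("global", f"unknown protocol token {p!r}")
                 for p in protos if p.lstrip("!") not in KNOWN]
    findings += [("global", f"{old} still enabled")
                 for old in ("SSLv2", "SSLv3") if protos and enabled(protos, old)]
    for scope, own in scopes.items():
        eff = {**scopes["global"], **own}  # local_name blocks inherit globals
        if "ssl_ca" in own and eff.get("ssl_verify_client_cert", "no") != "yes":
            findings.append((scope, "ssl_ca set without ssl_verify_client_cert = yes"))
    return findings
```

Calling lint(SAMPLE) reports SSLv3 as still enabled globally and the ssl_ca line inside the local_name block.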


#9

Are you authenticating your users via certificates?

Yes.

The problem occurs when using OCSP must staple.
There seems to be something wrong with Thunderbird’s engine.


#10

Ok, I don’t authenticate users via certificates so I can’t test it but with the config I passed and the default Thunderbird (45.8.0) config:

security.OCSP.GET.enabled: false
security.OCSP.enabled: 1
security.OCSP.require: false
security.ssl.enable_ocsp_must_staple: true
security.ssl.enable_ocsp_stapling: true

It works without issues using Let’s Encrypt certificates.

Cheers,
sahsanu


#11

Ok guys. Thanks to your guide, I was able to get my email to work perfectly on my android phone app, however, nothing that I’ve tried in this thread has worked for Thunderbird. I tried the config that @RuGa suggested & the config that @sahsanu suggested & nothing is working for Thunderbird (52.1.1).

I’ve turned on debugging & get this message in my syslog:
dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=**************, lip=**************

Does anyone have any suggestions on how to troubleshoot this?


#12

@diamonds, would you like to share your servername and port?


#13

@schoen I’d rather not send my servername publicly. How do I send a PM?


#14

Click on the user’s username, then click “Message”.


#15

@schoen I don’t have that option. Even when I go to my profile, I can’t send messages. I think it’s because I’m new.

Can you send me a PM & then I’ll send you my server name & Port?


#16

@diamonds, I did some very preliminary tests and I think there might be some kind of difference between what your server does with IMAP STARTTLS (on port 143) and IMAPS (on port 993). Your server is offering both, and I think I did see different error messages in these two cases.

In Thunderbird, if you do an automated account setup, it apparently prefers IMAP STARTTLS (which seems like an incredibly bad default to me) over IMAPS. Could you try again with a manual account setup indicating that you specifically want to use IMAPS on port 993 instead of the default?


#17

@schoen I’ve tried every manual setting configuration that Thunderbird offers to log in. I’ve used the username with both, just user, & with the email address.

I’m having the same problem that @RuGa was having (I can log in with my phone via SSL perfectly fine)…so, it’s a Thunderbird setting issue, but I don’t know which one or how to troubleshoot it.

The manual config to setup a mailbox offers very limited options & the “Advance config” is greyed out. I don’t know how to troubleshoot this & there is very little information on the Internet about this problem.

I even asked on Dovecot’s mailing list & got nowhere with a solution. Any other suggestions?


#18

Try this.

Preferences -> Advanced -> General -> Configuration Editor, search for “ocsp” and configure as follows:

security.ocsp.get.enabled: true
security.ocsp.disable_button.management: false
security.ocsp.enabled: 1
security.ocsp.require: false
security.ssl.enable_ocsp_must_staple: false
security.ssl.enable_ocsp_stapling: true


#19

These SSL certs work in nginx, but fail in dovecot

mail:~# dpkg -l |grep dovecot
ii dovecot-core 1:2.2.27-3~bpo8+1 amd64 secure POP3/IMAP server - core files
ii dovecot-imapd 1:2.2.27-3~bpo8+1 amd64 secure POP3/IMAP server - IMAP daemon
ii dovecot-mysql 1:2.2.27-3~bpo8+1 amd64 secure POP3/IMAP server - MySQL support

mail:~# /etc/dovecot/conf.d/10-ssl.conf
local_name mail.example.com {

ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem

}

mail:~# openssl rsa -in /etc/letsencrypt/live/example.com/privkey.pem -check -noout
RSA key ok

mail:~# ll /etc/letsencrypt/live/example.com/privkey.pem
lrwxrwxrwx 1 root root 37 Aug 4 12:54 /etc/letsencrypt/live/example.com/privkey.pem -> …/…/archive/example.com/privkey5.pem

mail:~# ll /etc/letsencrypt/archive/example.com/privkey5.pem
-rw-r--r-- 1 root root 1704 Aug 4 12:54 /etc/letsencrypt/archive/example.com/privkey5.pem

mail:~# grep ^- /etc/letsencrypt/archive/example.com/privkey5.pem
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

mail:~# /var/log/dovecot/mainlog

Aug 04 13:01:39 imap-login: Fatal: Couldn’t parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Aug 04 13:01:39 master: Error: service(imap-login): command startup failed, throttling for 2 secs
Aug 04 13:01:51 imap-login: Fatal: Couldn’t parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Aug 04 13:01:51 master: Error: service(imap-login): command startup failed, throttling for 4 secs
Aug 04 13:01:55 imap-login: Fatal: Couldn’t parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Aug 04 13:01:55 master: Error: service(imap-login): command startup failed, throttling for 8 secs
Aug 04 13:02:03 imap-login: Fatal: Couldn’t parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
Aug 04 13:02:03 master: Error: service(imap-login): command startup failed, throttling for 16 secs


#20

Do you literally have the less-than character < in your configuration file where you specify the certificate and private key? Is that part of the configuration file syntax?
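
An added example, not part of the thread: in Dovecot's config syntax a leading < means the setting takes the contents of the named file, and a value without it is used as the key text itself, so a bare path has no PEM start line. The Python check below resolves an ssl_key value that way, confirms the file carries a PEM private-key start line, and also reports a key file readable by group or other. The function names and the placeholder key file are constructed, and the mode check is an addition the thread does not discuss.

```python
import os
import re
import stat
import tempfile

# Matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
PEM_START = re.compile(r"^-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----\r?$", re.M)

def check_ssl_key(value):
    """Resolve an ssl_key value per the '<' syntax and list problems found."""
    if not value.startswith("<"):
        # No '<': the value itself is the key material (inline PEM is valid).
        if PEM_START.search(value):
            return []
        return ["value has no '<' prefix and is not PEM text (a bare path?)"]
    path = value[1:].strip()
    try:
        st = os.stat(path)  # follows symlinks such as live/ -> archive/
        with open(path, encoding="ascii", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        return [f"cannot read {path}: {exc.strerror}"]
    findings = []
    if not PEM_START.search(text):
        findings.append("file has no PEM private-key start line")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"key file mode {mode:04o} is open to group/other")
    return findings

def demo():
    """Run the checks on a constructed placeholder file (not a real key)."""
    body = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "privkey.pem")
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
        loose = check_ssl_key("<" + path)
        os.chmod(path, 0o600)
        return loose, check_ssl_key("<" + path), check_ssl_key(path)
```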