I came across this thread and wanted to share my solution to use a letsencrypt certificate also for
- postfix MTA / SMTP server and
- Cyrus IMAPd - IMAP server
This is working fine with different IMAP e-mail clients like Thunderbird, K-9 Mail, Outlook, Apple Mail etc. on ports 993 / 465.
Webserver and mailserver for the domain are running on the same machine, which makes things easier. Postfix and Cyrus are therefore using the same certificate. I've set up a cronjob to renew the certificate regularly and make sure that Postfix and Cyrus can access the certificate (by adding read rights for group mail).
Cronjob (to be executed once a month as recommended):
#!/bin/bash
#
OPTIONS="certonly --renew-by-default --email name@domain.xx --agree-tos --text"
#
#
# Web & Mailserver
#
/etc/letsencrypt/letsencrypt-auto $OPTIONS --webroot -w /var/www/www.domain.xx/htdocs -d mail.domain.xx -d webmail.domain.xx
#
chgrp mail /etc/letsencrypt/archive /etc/letsencrypt/live
chmod g+rx /etc/letsencrypt/archive /etc/letsencrypt/live
# restart web & mail servers if needed to make sure the new certificates are used
…
The relevant Cyrus config /etc/imapd.conf part looks like this:
tls_ca_file: /etc/letsencrypt/live/mail.domain.xx/fullchain.pem
tls_cert_file: /etc/letsencrypt/live/mail.domain.xx/cert.pem
tls_key_file: /etc/letsencrypt/live/mail.domain.xx/privkey.pem
Postfix config /etc/postfix/main.cfg:
smtpd_tls_CAfile=/etc/letsencrypt/live/mail.domain.xx/fullchain.pem
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.domain.xx/cert.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.domain.xx/privkey.pem
It's working fine, but I'm not sure about the CA file part; maybe someone can comment on that?
best regards
Wolfgang
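An added example, not code from Wolfgang's post or from certbot, that checks the two things the post relies on: that the files under /etc/letsencrypt/live/<name>/ fit together (fullchain.pem is cert.pem followed by chain.pem, leaf first, which is what clients must be sent so they can build the chain without fetching the intermediate themselves), and that privkey.pem is readable by the daemons' group but not by everyone else, since the post opens the archive and live directories to group mail. It assumes the standard certbot layout (cert.pem, chain.pem, fullchain.pem, privkey.pem); the PEM bodies it embeds are constructed dummies, not real certificates.

```python
"""Checks for a Let's Encrypt certificate directory shared by Postfix and Cyrus.

Added example, not code from the original post or from certbot. It assumes the
standard certbot layout under /etc/letsencrypt/live/<name>/ (cert.pem, chain.pem,
fullchain.pem, privkey.pem) and the post's scheme of granting group 'mail' access.
"""
import os
import re
import stat
import tempfile

# One PEM block: label, body, matching END line (DOTALL so the body spans lines).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def split_pem(text):
    """Return [(label, body)] for every PEM block, with whitespace stripped from
    the body so the same certificate compares equal regardless of line wrapping."""
    return [(m.group(1), "".join(m.group(2).split())) for m in PEM_BLOCK.finditer(text)]


def check_chain_layout(cert_pem, chain_pem, fullchain_pem):
    """fullchain.pem must be the leaf (cert.pem) followed by the intermediates (chain.pem).

    A server that presents only cert.pem leaves clients to fetch the intermediate
    themselves; mail clients generally will not, and fail the handshake instead.
    """
    leaf = split_pem(cert_pem)
    intermediates = split_pem(chain_pem)
    full = split_pem(fullchain_pem)
    problems = []
    if len(leaf) != 1 or leaf[0][0] != "CERTIFICATE":
        problems.append("cert.pem should hold exactly one CERTIFICATE block")
    if not intermediates:
        problems.append("chain.pem holds no intermediate certificate")
    if full != leaf + intermediates:
        problems.append("fullchain.pem is not cert.pem followed by chain.pem (leaf first)")
    return problems


def check_key_permissions(keyfile):
    """Report private-key mode bits that are either too open or too closed.

    World-readable: any local user can read the key. Not group-readable: a daemon
    that opens the key as an unprivileged member of the granted group (group
    'mail' in the post) cannot load it. Writes must stay restricted to the owner.
    """
    mode = stat.S_IMODE(os.stat(keyfile).st_mode)
    problems = []
    if mode & stat.S_IROTH:
        problems.append(f"{keyfile} is world-readable (mode {mode:04o})")
    if not mode & stat.S_IRGRP:
        problems.append(f"{keyfile} is not group-readable (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{keyfile} is writable by group or others (mode {mode:04o})")
    return problems


def check_live_dir(live_dir):
    """Run both checks against a certbot-style live directory and return all findings."""
    def read(name):
        with open(os.path.join(live_dir, name)) as f:
            return f.read()
    findings = check_chain_layout(read("cert.pem"), read("chain.pem"), read("fullchain.pem"))
    findings += check_key_permissions(os.path.join(live_dir, "privkey.pem"))
    return findings


# --- Constructed sample data (dummy bodies, not real certificates or keys) -----
def _pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

LEAF = _pem("CERTIFICATE", "TEFFRiBDRVJU\nREVNTw==")    # stands in for mail.domain.xx
INTERMEDIATE = _pem("CERTIFICATE", "SU5URVJNRURJQVRF")   # stands in for the CA intermediate
KEY = _pem("PRIVATE KEY", "S0VZREVNTw==")


def demo(key_mode=0o640, swap_order=False):
    """Build a throwaway live dir from the constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        full = INTERMEDIATE + LEAF if swap_order else LEAF + INTERMEDIATE
        for name, data in (("cert.pem", LEAF), ("chain.pem", INTERMEDIATE),
                           ("fullchain.pem", full), ("privkey.pem", KEY)):
            with open(os.path.join(d, name), "w") as f:
                f.write(data)
        os.chmod(os.path.join(d, "privkey.pem"), key_mode)
        return check_live_dir(d)


if __name__ == "__main__":
    # A correct layout prints OK; a world-readable key and a reversed chain each print a finding.
    for findings in (demo(), demo(key_mode=0o644), demo(swap_order=True)):
        print(findings or "OK")
```

Point `check_live_dir()` at the real live directory to check a deployment; `demo()` only exercises the constructed data in a temporary directory, with group read (0640) as the baseline the post's group-mail scheme needs.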