Using LE with Postfix + Dovecot on Ubuntu 16

neokio · September 10, 2016, 9:05pm

Hi all,

I’ve installed LE without a hitch for the web (https://ravingo.in), but I can’t seem to get it to behave with IMAP (SSL/TLS encrypted IMAP on port 993). When I try to connect, I get “SSL error: unable to verify the first certificate”.

I used these steps for installing postfix+dovecot, pretty much verbatim, except I replaced the self-signed certificates with the LE ones:

In /etc/dovecot/conf.d/10-ssl.conf …

ssl_cert = </etc/letsencrypt/live/ravingo.in/cert.pem
ssl_key = </etc/letsencrypt/live/ravingo.in/privkey.pem

In /etc/postfix/main.cf …

smtpd_tls_cert_file=/etc/letsencrypt/live/ravingo.in/cert.pem
smtpd_tls_key_file=/etc/letsencrypt/live/ravingo.in/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
       	permit_sasl_authenticated,
       	permit_mynetworks,
       	reject_unauth_destination

I’d be most grateful for any suggestions or solutions!

cool110 · September 10, 2016, 9:19pm

You’re not serving the intermediate cert. Use fullchain.pem instead of cert.pem.

neokio · September 10, 2016, 9:59pm

Holy carp. That's amazing, I'm so much closer now, thank you.

Now I'm getting the error ...

Server returned error: "Missing +OK response upon connecting to the server: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready."

... which probably has to do with gmail not having good IMAP support, and nothing to do with LE.
Thanks again!

EDIT: Hm. This post says that my chain file could be wrong. How would I go about fixing that?

tialaramex · September 10, 2016, 10:44pm

Nah, that post was talking about an earlier output line, not the “Missing +OK” response.

The “Missing +OK” plus “* OK” together means the client (Gmail) expected to speak POP3, but your mail server speaks only IMAP on that port. If you can speak POP3, you can make Gmail work (e.g. maybe on a different port?). If you can’t speak POP3, you may not be able to get Gmail to work at all (or maybe these days there is config somewhere) ?

neokio · September 10, 2016, 10:51pm

Ah. I thought port 993 was always IMAP.
I never knew where to side on the IMAP vs POP3 debate, but it seems Google is forcing my hand.
I’ll give it a whirl, thanks!

EDIT: Worked. Thanks

system · October 10, 2016, 10:52pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.