Using LE with UW IMAP (and Postfix)

Had problems figuring out how to use LE with UW IMAP. Yes, I know, a more modern imap/pop3 server would be a good course of action but lets pretend I couldn’t go that route.

I did get it working with a few trials and with the help of an old board post I found on UW.

The key is creating a PEM file with the certs and keys and storing them in a pem file in the following order (later, I found that the order might not be important but after burning myself with email problems and finding that this absolutely works, I’ve just stuck with this.

UW IMAP wants pem files stored in /usr/local/ssl/certs by default. Your flavour of linux might differ.

Create your certificate. I made mine for mail.domain.com for example.

Now we’re going to combine the certs/key into one file:

cat /etc/letsencrypt/live/mail.domain.com/cert.pem /etc/letsencrypt/live/mail.domain.com/privkey.pem /etc/letsencrypt/live/mail.domain.com/chain.pem > /usr/local/ssl/certs/imapd.pem

That order, cert.pem, then the privkey.pem, then the chain.pem seem to be important (not 100% sure). I put the above in cron to run after my cert renewals.

Now symlink ipop3d.pem to imapd.pem. For those who need it:

ln -s /usr/local/ssl/certs/imapd.pem /usr/local/ssl/certs/ipop3d.pem

If using xinetd, stop xinetd (if that is what you’re using to start imapd and ipop3d), kill all the stray imapd and ipop3d services still running and then restart xinetd.

For those using Postfix, the config was easier. Edit main.cf and ensure you have:

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain.com/cert.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mail.domain.com/privkey.pem
smtpd_tls_CAfile    = /etc/letsencrypt/live/mail.domain.com/chain.pem

Of course in all instances, replace mail.domain.com with your domain.

Hope this helps someone.

FYI:

smtpd_tls_CAfile (default: empty)
A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates. (...) This file may also be used to augment the server certificate trust chain, but it is best to include all the required certificates directly in the server certificate file.

smtpd_tls_cert_file (default: empty)
File with the Postfix SMTP server RSA certificate in PEM format. This file may also contain the Postfix SMTP server private RSA key.

(...)

To enable a remote SMTP client to verify the Postfix SMTP server certificate, the issuing CA certificates must be made available to the client. You should include the required certificates in the server certificate file, the server certificate first, then the issuing CA(s) (bottom-up order).

Example: the certificate for "server.example.com" was issued by "intermediate CA" which itself has a certificate of "root CA". Create the server.pem file with "cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem"

Although they claim it should include the root CA, fullchain.pem should suffice for smtpd_tls_cert_file I believe.

In addition, I would NOT recommend adding the private key to the file used for smtpd_tls_cert_file, even if the "official documentation" says you can do so! Just use smtpd_tls_key_file for that indeed.. Someone else in this forum accidentally posted his private key online, because he was unaware the certificate file contained his private key Accidents are quickly made ofcourse