Installing LetsEncrypt For Postfix and Dovecot


Installing LetsEncrypt For Postfix and Dovecot

asai
Greetings,

With Mozilla recently dropping support for all Symantec certs, our security cert now throws errors on Thunderbird clients.  We’d like to install certbot on Centos 6, but I’m not sure if it’s going to interfere with Postfix (2.11) or Dovecot (2.2.18).  Does anybody have experience with this?

Yum reports the following would be upgrading or installed:

Dependencies Resolved

====================================================================================================================================================================================
 Package                                         Arch                                Version                                             Repository                            Size
====================================================================================================================================================================================
Installing:
 augeas-libs                                     x86_64                              1.0.0-10.el6                                        base                                 314 k
 libffi-devel                                    x86_64                              3.0.5-3.2.el6                                       base                                  18 k
 mod_ssl                                         x86_64                              1:2.2.15-69.el6.centos                              base                                  99 k
 redhat-rpm-config                               noarch                              9.0.3-51.el6.centos                                 base                                  60 k

Updating:
 ca-certificates                                 noarch                              2018.2.22-65.1.el6                                  base                                 930 k
 gcc                                             x86_64                              4.4.7-23.el6                                        base                                  10 M
 nss                                             x86_64                              3.36.0-9.el6_10                                     updates                              865 k
 openssl                                         x86_64                              1.0.1e-57.el6                                       base                                 1.5 M
 openssl-devel                                   x86_64                              1.0.1e-57.el6                                       base                                 1.2 M

Installing for dependencies:
 p11-kit                                         x86_64                              0.18.5-2.el6_5.2                                    base                                  94 k
 p11-kit-trust                                   x86_64                              0.18.5-2.el6_5.2                                    base                                  71 k

Updating for dependencies:
 cpp                                             x86_64                              4.4.7-23.el6                                        base                                 3.7 M
 gcc-c++                                         x86_64                              4.4.7-23.el6                                        base                                 4.7 M
 libgcc                                          x86_64                              4.4.7-23.el6                                        base                                 104 k
 libgomp                                         x86_64                              4.4.7-23.el6                                        base                                 135 k
 libstdc++                                       x86_64                              4.4.7-23.el6                                        base                                 296 k
 libstdc++-devel                                 x86_64                              4.4.7-23.el6                                        base                                 1.6 M
 nspr                                            x86_64                              4.19.0-1.el6                                        base                                 114 k
 nss-softokn                                     x86_64                              3.14.3-23.3.el6_8                                   base                                 262 k
 nss-softokn-freebl                              x86_64                              3.14.3-23.3.el6_8                                   base                                 168 k
 nss-sysinit                                     x86_64                              3.36.0-9.el6_10                                     updates                               53 k
 nss-tools                                       x86_64                              3.36.0-9.el6_10                                     updates                              460 k
 nss-util                                        x86_64                              3.36.0-1.el6                                        base                                  72 k

Asai



Re: Installing LetsEncrypt For Postfix and Dovecot

michaelof@rocketmail.com
Hi Asai,

I'm using my Apache's LetsEncrypt certificates also for my Dovecot and Postfix instance. Works absolutely fine, no issue with any mail client, incl. Thunderbird.

Michael

On 27 November 2018 at 18:52:30 CET, Asai <[hidden email]> wrote:
>Greetings,
>
>With Mozilla recently dropping support for all Symantec certs, our
>security cert now throws errors on Thunderbird clients.  We’d like to
>install certbot on Centos 6, but I’m not sure if it’s going to
>interfere with Postfix (2.11) or Dovecot (2.2.18).  Does anybody have
>experience with this?

Re: Installing LetsEncrypt For Postfix and Dovecot

Matus UHLAR - fantomas
In reply to this post by asai
On 27.11.18 10:52, Asai wrote:
>With Mozilla recently dropping support for all Symantec certs, our security
> cert now throws errors on Thunderbird clients.  We’d like to install
> certbot on Centos 6, but I’m not sure if it’s going to interfere with
> Postfix (2.11) or Dovecot (2.2.18).  Does anybody have experience with
> this?

I have no problem with Let's Encrypt certificates and postfix/whatever.
I'm just not sure if iphones have the root CA (DST Root CA X3) installed -
just yesterday noticed a complaint.

But I prefer dehydrated over bloated certbot.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.

Re: Installing LetsEncrypt For Postfix and Dovecot

wa6vvv
> On 28 November 2018, at 01:03, Matus UHLAR - fantomas <[hidden email]> wrote:
>
> On 27.11.18 10:52, Asai wrote:
>> With Mozilla recently dropping support for all Symantec certs, our security
>> cert now throws errors on Thunderbird clients.  We’d like to install
>> certbot on Centos 6, but I’m not sure if it’s going to interfere with
>> Postfix (2.11) or Dovecot (2.2.18).  Does anybody have experience with
>> this?
>
> I have no problem with Let's Encrypt certificates and postfix/whatever.
> I'm just not sure if iphones have the root CA (DST Root CA X3) installed -
> just yesterday noticed a complaint.
>

The latest version of iOS has the proper root certificate.  I am using Let's Encrypt certificates for dovecot and postfix.  I access and send mail frequently using an iPhone and iPad.

If you are dealing with an older version, the user can accept the certificate and that will also work.


Re: Installing LetsEncrypt For Postfix and Dovecot

Administrator Beckspaced.com
In reply to this post by Matus UHLAR - fantomas

On 28-Nov-18 at 10:03, Matus UHLAR - fantomas wrote:

> On 27.11.18 10:52, Asai wrote:
>> With Mozilla recently dropping support for all Symantec certs, our
>> security
>> cert now throws errors on Thunderbird clients.  We’d like to install
>> certbot on Centos 6, but I’m not sure if it’s going to interfere with
>> Postfix (2.11) or Dovecot (2.2.18).  Does anybody have experience with
>> this?
>
> I have no problem with Let's Encrypt certificates and postfix/whatever.
> I'm just not sure if iphones have the root CA (DST Root CA X3)
> installed -
> just yesterday noticed a complaint.
>
> But I prefer dehydrated over bloated certbot.
>
I've also been using Let's Encrypt certificates for apache, postfix, dovecot,
etc., without any problems so far.

+1 for mentioning dehydrated client for signing certificates with an
ACME-server (e.g. Let's Encrypt)

https://github.com/lukas2511/dehydrated

using light-weight dehydrated has been a pleasure so far ;)

Greetings
Becki

Re: Installing LetsEncrypt For Postfix and Dovecot

Jim P.
In reply to this post by Matus UHLAR - fantomas
On Wed, 2018-11-28 at 10:03 +0100, Matus UHLAR - fantomas wrote:

> On 27.11.18 10:52, Asai wrote:
> > With Mozilla recently dropping support for all Symantec certs, our
> > security
> > cert now throws errors on Thunderbird clients.  We’d like to install
> > certbot on Centos 6, but I’m not sure if it’s going to interfere
> > with
> > Postfix (2.11) or Dovecot (2.2.18).  Does anybody have experience
> > with
> > this?
>
> I have no problem with Let's Encrypt certificates and
> postfix/whatever.
> I'm just not sure if iphones have the root CA (DST Root CA X3)
> installed -
> just yesterday noticed a complaint.
>
> But I prefer dehydrated over bloated certbot.

This comes up enough to warrant the following questions:

1) What do you do about restarting services after automatic cert
renewals in the middle of a holiday weekend?  (i.e. renew_hook in
/etc/letsencrypt/renewal/*.conf)

2) What do you do to list all certs to show revocation, expiration,
renewal status (e.g. certbot certificates)

-Jim P.


Re: Installing LetsEncrypt For Postfix and Dovecot

Bill Cole-3
In reply to this post by Matus UHLAR - fantomas
On 28 Nov 2018, at 4:03, Matus UHLAR - fantomas wrote:

> On 27.11.18 10:52, Asai wrote:
>> With Mozilla recently dropping support for all Symantec certs, our
>> security
>> cert now throws errors on Thunderbird clients.  We’d like to
>> install
>> certbot on Centos 6, but I’m not sure if it’s going to interfere
>> with
>> Postfix (2.11) or Dovecot (2.2.18).  Does anybody have experience
>> with
>> this?
>
> I have no problem with Let's Encrypt certificates and
> postfix/whatever.
> I'm just not sure if iphones have the root CA (DST Root CA X3)
> installed -
> just yesterday noticed a complaint.
>
> But I prefer dehydrated over bloated certbot.

I can also confirm that LE certs work just fine, and that acme.sh
(https://github.com/Neilpang/acme.sh) is another working alternative to
certbot. If you use DNS verification, you may prefer its bundled 'hook
scripts' for various DNS APIs over the dehydrated model of listing the
many scripts written by 3rd parties.

Re: Installing LetsEncrypt For Postfix and Dovecot

Viktor Dukhovni
In reply to this post by Jim P.


> On Nov 28, 2018, at 9:49 AM, Jim P. <[hidden email]> wrote:
>
> 1) What do you do about restarting services after automatic cert
> renewals in the middle of a holiday weekend?  (i.e. renew_hook in
> /etc/letsencrypt/renewal/*.conf)

There is no need to restart or even "reload" Postfix when certificates
change, unless you've left renewal too late, and are already or will
imminently be serving expired certificates.

Most Postfix service processes, in particular all the ones that
make use of private keys and certificates, run for a limited
amount of time and are automatically replaced with newer processes
that use the latest settings.

--
        Viktor.


Re: Installing LetsEncrypt For Postfix and Dovecot

Jim P.
On Wed, 2018-11-28 at 12:25 -0500, Viktor Dukhovni wrote:

> > On Nov 28, 2018, at 9:49 AM, Jim P. <[hidden email]> wrote:
> >
> > 1) What do you do about restarting services after automatic cert
> > renewals in the middle of a holiday weekend?  (i.e. renew_hook in
> > /etc/letsencrypt/renewal/*.conf)
>
> There is no need to restart or even "reload" Postfix when certificates
> change, unless you've left renewal too late, and are already or will
> imminently be serving expired certificates.
>
> Most Postfix service processes, in particular all the ones that
> make use of private keys and certificates, run for a limited
> amount of time and are automatically replaced with newer processes
> that use the latest settings.
Thanks for that point, that makes good sense.

-Jim P.


Re: Installing LetsEncrypt For Postfix and Dovecot

Matus UHLAR - fantomas
In reply to this post by Jim P.
>On Wed, 2018-11-28 at 10:03 +0100, Matus UHLAR - fantomas wrote:
>> But I prefer dehydrated over bloated certbot.

On 28.11.18 09:49, Jim P. wrote:
>This comes up enough to warrant the following questions:
>
>1) What do you do about restarting services after automatic cert
>renewals in the middle of a holiday weekend?  (i.e. renew_hook in
>/etc/letsencrypt/renewal/*.conf)

I simply modified the provided hook.sh script to reload/restart all services
that use certificates.

>2) What do you do to list all certs to show revocation, expiration,
>renewal status (e.g. certbot certificates)

I haven't needed this yet.  I remember that dehydrated contains an option to
clean up old certificates.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux - It's now safe to turn on your computer.
Linux - Now you can turn on your computer without worry.
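The kind of hook Matus describes, written out as an added example (this is not dehydrated's shipped hook.sh, and the reload commands are assumptions to adjust for your init system). dehydrated calls the hook as `hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP` after a successful issuance; the script checks that the deployed certificate and key actually belong together before reloading anything, so a half-written or mismatched pair never takes a mail service down during that holiday weekend:

```shell
#!/bin/sh
# dehydrated hook (added example, not the project's own hook.sh).
# Called as: hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP

# Reload commands are assumptions; override via the environment if needed.
# Dovecot needs a reload to pick up new files. Postfix does not strictly need
# one (its short-lived smtpd/smtp processes re-read the files), but it's harmless.
: "${DOVECOT_RELOAD:=doveadm reload}"
: "${POSTFIX_RELOAD:=postfix reload}"

# cert_matches_key CERT KEY: true only if the certificate's public key is the
# public half of KEY. Compares SHA-256 of both public keys in PEM form.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE ...: refuse to reload on a
# mismatched pair (exit 1 so dehydrated reports the failure), otherwise reload.
deploy_cert() {
    domain="$1"; keyfile="$2"; fullchainfile="$4"
    if ! cert_matches_key "$fullchainfile" "$keyfile"; then
        echo "hook: $domain: certificate and key do not match, not reloading" >&2
        return 1
    fi
    echo "hook: $domain: new certificate deployed, reloading services"
    $DOVECOT_RELOAD && $POSTFIX_RELOAD
}

# Dispatch on the hook name dehydrated passes as the first argument; the other
# hooks (deploy_challenge, clean_challenge, ...) are not needed for webroot HTTP-01.
if [ "$#" -gt 0 ]; then
    handler="$1"; shift
    case "$handler" in
        deploy_cert) deploy_cert "$@" ;;
    esac
fi
```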

Re: Installing LetsEncrypt For Postfix and Dovecot

Olivier Nicole-2
On 28.11.18 09:49, Jim P. wrote:
>This comes up enough to warrant the following questions:
>
>1) What do you do about restarting services after automatic cert
>renewals in the middle of a holiday weekend?  (i.e. renew_hook in
>/etc/letsencrypt/renewal/*.conf)

Unless you are freaking sure of what you are doing, you do not restart
the service in the middle of a holiday :)

So you plan to have your certificate renew while you are there to tend
to any problem, like one week before they expire, because you never know
what can go wrong.

Olivier

Re: Installing LetsEncrypt For Postfix and Dovecot

Jim P.
In reply to this post by Matus UHLAR - fantomas
On Thu, 2018-11-29 at 09:28 +0100, Matus UHLAR - fantomas wrote:

> > On Wed, 2018-11-28 at 10:03 +0100, Matus UHLAR - fantomas wrote:
> > > But I prefer dehydrated over bloated certbot.
>
> On 28.11.18 09:49, Jim P. wrote:
> > This comes up enough to warrant the following questions:
> >
> > 1) What do you do about restarting services after automatic cert
> > renewals in the middle of a holiday weekend?  (i.e. renew_hook in
> > /etc/letsencrypt/renewal/*.conf)
>
> simply modified provided hook.sh script to reload/restart all services
> that use certificates.

ack

> > 2) What do you do to list all certs to show revocation, expiration,
> > renewal status (e.g. certbot certificates)
>
> I haven't needed this yet.  I remember that dehydrated contains option
> to clean up old certificates.
>

Ok, Thank you.

-Jim P.
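Jim's second question (listing certificates with their expiration status) went unanswered in the thread; the script below is an added example, not from any poster or from dehydrated, that walks dehydrated's `certs/<domain>/cert.pem` layout (the directory is an assumption; point CERT_DIR at certbot's `/etc/letsencrypt/live/` if that is what you use) and flags anything expiring inside a window, defaulting to the one-week margin Olivier suggests. Revocation is deliberately not covered, since that needs an OCSP or CRL lookup against the issuer rather than a local check:

```shell
#!/bin/sh
# Certificate expiry audit (added example, not from the thread or dehydrated).
# Assumed layout: $CERT_DIR/<domain>/cert.pem, which is dehydrated's default.
CERT_DIR="${CERT_DIR:-/etc/dehydrated/certs}"

# cert_status FILE DAYS: prints "expired", "expiring" or "ok" and returns
# 2, 1 or 0. openssl's -checkend N fails when the cert expires within N
# seconds, which avoids parsing the notAfter date with a platform-specific date(1).
cert_status() {
    file="$1"; days="$2"
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok; return 0
}

# audit_certs DIR DAYS: one line per certificate (status, notAfter, subject).
# Returns non-zero if any certificate is expiring or already expired, so the
# function can drive a cron job or monitoring check directly.
audit_certs() {
    dir="$1"; days="$2"; rc=0
    for cert in "$dir"/*/cert.pem; do
        [ -f "$cert" ] || continue
        status=$(cert_status "$cert" "$days") || rc=1
        enddate=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
        subject=$(openssl x509 -in "$cert" -noout -subject)
        printf '%-9s %-26s %s\n' "$status" "$enddate" "$subject"
    done
    return "$rc"
}

# Usage: audit.sh [CERT_DIR] [DAYS]; warn one week ahead by default.
if [ "$#" -gt 0 ]; then
    audit_certs "$1" "${2:-7}"
fi
```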