Leo,

>> I would like to obtain an ssl certificate, so I can run my own imap server on a machine in my office.
>> I am assuming I'll need to pay a CA to generate what I need, but
>> I'm confused about what I need. I am running dovecot at the moment,
>> but my clients (iphone, windows laptops) say my ssl connection is
>> not trusted. The phone just won't connect.

> Nope, you don't have to pay for a certificate at one of the
> traditional CAs, you can use Let's Encrypt to have free but fully
> valid certificates for your server.

> See https://letsencrypt.org/ for more information. I can recommend
> https://github.com/xenolf/lego for use on your server, but there are
> many different LE clients out there.

Does certbot work only with ports 80 or 443? Can lego work with IMAP
ports like 143 or 993? The documentation is not very clear.

best regards
---
Michael Schumacher
On 31 Aug 2018 at 21:31, Michael Schumacher <michael.schumacher at pamas.de> wrote:

> Leo,
>
>>> I would like to obtain an ssl certificate, so I can run my own imap server on a machine in my office.
>>> I am assuming I'll need to pay a CA to generate what I need, but
>>> I'm confused about what I need. I am running dovecot at the moment,
>>> but my clients (iphone, windows laptops) say my ssl connection is
>>> not trusted. The phone just won't connect.
>
>> Nope, you don't have to pay for a certificate at one of the
>> traditional CAs, you can use Let's Encrypt to have free but fully
>> valid certificates for your server.
>
>> See https://letsencrypt.org/ for more information. I can recommend
>> https://github.com/xenolf/lego for use on your server, but there are
>> many different LE clients out there.
>
> Does certbot work only with ports 80 or 443? Can lego work with IMAP
> ports like 143 or 993? The documentation is not very clear.

I haven't used certbot, only lego, but that's not a problem. If you use lego, you will have it manage requesting new certificates and renewing existing ones. It does this using challenges over HTTP or DNS. I am guessing this is where your understanding that it only works with ports 80 and 443 comes from: it uses either of those ports to communicate with Let's Encrypt's systems when using the HTTP challenge.

However, this is separate from your IMAP server. Which ports your IMAP server uses has nothing to do with lego or the LE certificate stuff. As long as something, e.g. lego, successfully manages to get valid certs onto your server, your IMAP server should be able to use those certificates (that is, a private key file and a public key file). Your IMAP server can use those files and may then respond to requests for IMAP over SSL/TLS on e.g. port 993. Port 143 is for unencrypted IMAP, so in that case certificates are not relevant at all.

Consider trying lego out with the staging parameter enabled (see the documentation for it right there on the GitHub page); that way you can experiment with it and see what it produces and how it works. Then you can configure your IMAP server to use those certificate files.

Regards,
Leo
On 31.08.2018 21:31, Michael Schumacher wrote:
> Does certbot work only with ports 80 or 443? Can lego work with IMAP
> ports like 143 or 993? The documentation is not very clear.

Basically, independent of the client, Let's Encrypt will only support HTTP/HTTPS or DNS based challenges.

So, if you want to get certificates for an IMAP-only server, you will have to set up a web server for the challenge, or deal with your DNS server.

best regards
Ulf
On 31 Aug 2018 at 21:38, Ulf Volmer <u.volmer at u-v.de> wrote:

> On 31.08.2018 21:31, Michael Schumacher wrote:
>
>> Does certbot work only with ports 80 or 443? Can lego work with IMAP
>> ports like 143 or 993? The documentation is not very clear.
>
> basically - independent of the client - letsencrypt will only support
> http/https or dns based challenges.
>
> so - if you want to get certificates for an imap only server, you will
> have to set up a web server for the challenge. or deal with your dns server.

Setting up a web server is not needed: all you need is lego (which by the way is one statically linked binary, since it's written in Go). If you use the HTTP challenge, lego will temporarily, only for the time needed to fulfil the challenge, listen for HTTP on the relevant port. In summary, lego contains a web server for the HTTP challenge.
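What the HTTP challenge that Leo and Ulf are talking about actually consists of, as an added example (not lego's or certbot's code, and not from this thread): the ACME client proves control of the hostname by serving the string `<token>.<thumbprint of its account key>` at `http://<hostname>/.well-known/acme-challenge/<token>` on port 80 (RFC 8555 section 8.3; the thumbprint is RFC 7638). That is the whole job of the temporary web server lego brings along, and none of it involves ports 143 or 993. `ACCOUNT_JWK` and `TOKEN` below are constructed values, not from any real ACME account.

```python
"""HTTP-01 challenge arithmetic (RFC 8555 section 8.3, RFC 7638).

Added example, not lego's or certbot's code. ACCOUNT_JWK and TOKEN are
constructed values, not from any real ACME account.
"""
import base64
import hashlib
import json
import re
from typing import Dict, Tuple

# ACME tokens and JWK members are base64url without padding (RFC 7515 s.2).
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url-encode and strip the '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members only (sorted keys, no whitespace, UTF-8). Extra members
    such as "kid" or "alg" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token || '.' || thumbprint (RFC 8555 section 8.1).

    The token arrives from the CA, so a responder that maps it to a file or
    a URL route must refuse anything outside the base64url alphabet; that
    rules out '/', '..' and friends before they reach the filesystem."""
    if not _B64URL.fullmatch(token):
        raise ValueError("token is not base64url")
    return token + "." + jwk_thumbprint(account_jwk)


def challenge_response(token: str, account_jwk: Dict[str, str]) -> Tuple[str, bytes]:
    """(request path, response body) that a minimal port-80 responder serves
    while the CA validates; this is all the temporary web server has to do."""
    path = "/.well-known/acme-challenge/" + token
    return path, key_authorization(token, account_jwk).encode("ascii")


# Constructed account key: a 64-byte stand-in 'modulus', not a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65))),
               "kid": "https://acme.example/acct/1"}  # ignored by thumbprint
TOKEN = "gRQBbZhAHGXzqk8Uj2IqjTGlM9pGc3vqgn1hfZ3Sh_k"  # constructed token


if __name__ == "__main__":
    path, body = challenge_response(TOKEN, ACCOUNT_JWK)
    print("GET", path)
    print(body.decode())
```

Because the key authorization is bound to the account key, an attacker who can answer HTTP on your port 80 for a moment still cannot complete a challenge for an order placed by your account; and because the CA fetches it over plain HTTP on port 80 from the outside, that port has to be reachable from the Internet for the few seconds the client is listening.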
At Fri, 31 Aug 2018 21:38:13 +0200 CentOS mailing list <centos at centos.org> wrote:

> On 31.08.2018 21:31, Michael Schumacher wrote:
>
>> Does certbot work only with ports 80 or 443? Can lego work with IMAP
>> ports like 143 or 993? The documentation is not very clear.
>
> basically - independent of the client - letsencrypt will only support
> http/https or dns based challenges.
>
> so - if you want to get certificates for an imap only server, you will
> have to set up a web server for the challenge. or deal with your dns server.

Yes, this works. I use mail.deepsoft.com for both imap and SquirrelMail and use the same cert for both SquirrelMail/Apache and dovecot.

> best regards
> Ulf
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller at deepsoft.com -- Webhosting Services
Letsencrypt.org has one other thing you should know about, not a biggie: the certificate is only good for 90 days at a time. Then you need to renew. But they thought about that too; you can automate the renewal, so that each time the certificate expires a new one is generated and installed.

It is supported by all of the major browsers; by supported, I mean that they are part of the group that funds letsencrypt.org.

john

On 8/31/2018 3:38 PM, Ulf Volmer wrote:
> On 31.08.2018 21:31, Michael Schumacher wrote:
>
>> Does certbot work only with ports 80 or 443? Can lego work with IMAP
>> ports like 143 or 993? The documentation is not very clear.
> basically - independent of the client - letsencrypt will only support
> http/https or dns based challenges.
>
> so - if you want to get certificates for an imap only server, you will
> have to set up a web server for the challenge. or deal with your dns server.
>
> best regards
> Ulf
On 31.08.2018 21:31, Michael Schumacher wrote:
>
> Does certbot work only with ports 80 or 443? Can lego work with IMAP
> ports like 143 or 993? The documentation is not very clear.
>

In the case of something other than a web server, you use ACME-DNS. For a simple ACME client that is capable of ACME-DNS, use acme.sh: https://acme.sh/
> so - if you want to get certificates for an imap only server, you will
> have to set up a web server for the challenge. or deal with your dns server.
>

Having just set up some LetsEncrypt certificates on a CentOS server: Certbot automates the process. If you have a web server running, it will use that; if you don't, it attaches a minimalistic web server to port 80 to respond to the LetsEncrypt challenges. It's very, very easy. (The challenges are purely to verify that you are the owner of the domain you are asking for certificates for.)

The certificates it generates can be used for IMAP and SMTP as well. certbot will automatically renew the certificates 2 weeks (I think) before they expire; it does not need the web/dns challenges for renewal. There are hooks in the process to put the renewed certificates wherever you want; otherwise it puts them where your web server is expecting them.

P.
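One way to use the hooks P. mentions, as an added example (not certbot's or Dovecot's own code, and not posted by anyone in this thread): certbot runs the program given to `--deploy-hook` once after each successful renewal, with `RENEWED_LINEAGE` (the `live/<name>` directory) and `RENEWED_DOMAINS` set in the environment. The script below copies `fullchain.pem` and `privkey.pem` from there into a directory Dovecot reads, replaces the files atomically, keeps the private key readable by root only, and reloads Dovecot only when something actually changed. The destination `/etc/dovecot/ssl`, the `doveadm reload` command, the file modes and the PEM sanity check are this example's choices; `run_demo()` exercises the logic against constructed, non-functional PEM stand-ins in a temporary directory.

```python
"""certbot --deploy-hook that installs renewed files for Dovecot.

Added example, not certbot's or Dovecot's code. certbot exports
RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; the destination
directory, file modes, reload command and sanity checks are choices made
here for illustration.
"""
import os
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Dovecot's master process reads ssl_key as root before dropping privileges,
# so the private key needs no group or world access at all.
INSTALL_MODES: Dict[str, int] = {"fullchain.pem": 0o644, "privkey.pem": 0o600}
# Label expected on the first PEM line; refuse to overwrite a working file
# with junk if a renewal somehow produced garbage.
PEM_LABELS: Dict[str, bytes] = {"fullchain.pem": b"CERTIFICATE",
                                "privkey.pem": b"PRIVATE KEY"}


def check_pem(path: Path, label: bytes) -> bytes:
    """Return the file's bytes if its first line is a PEM BEGIN with label."""
    data = path.read_bytes()  # follows certbot's live/ -> archive/ symlinks
    head = data.split(b"\n", 1)[0]
    if not (head.startswith(b"-----BEGIN ") and label in head):
        raise ValueError(f"{path}: first line is not a PEM {label.decode()}")
    return data


def install_file(data: bytes, dst: Path, mode: int) -> bool:
    """Atomically replace dst with data; True if dst actually changed.

    Write a temp file in the same directory, set the mode, then rename over
    the target, so Dovecot never observes a half-written or too-open key."""
    if dst.exists() and dst.read_bytes() == data:
        return False
    dst.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=str(dst.parent), prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, dst)
    finally:
        if os.path.exists(tmp):  # only left behind if something failed
            os.unlink(tmp)
    return True


def deploy(lineage: Path, dest: Path, reload_cmd: List[str]) -> List[str]:
    """Validate both files before touching anything, install them, and
    reload Dovecot only if a file changed. Returns the replaced names."""
    contents = {name: check_pem(lineage / name, label)
                for name, label in PEM_LABELS.items()}
    changed = [name for name, data in contents.items()
               if install_file(data, dest / name, INSTALL_MODES[name])]
    if changed:
        subprocess.run(reload_cmd, check=True)
    return changed


def run_demo() -> Dict[str, object]:
    """Dry run against a constructed lineage (fake PEM bodies, no real key)."""
    with tempfile.TemporaryDirectory() as tmp:
        lineage = Path(tmp, "live", "mail.example.com")
        dest = Path(tmp, "dovecot-ssl")
        lineage.mkdir(parents=True)
        (lineage / "fullchain.pem").write_bytes(
            b"-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n")
        (lineage / "privkey.pem").write_bytes(
            b"-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n")
        noop = [sys.executable, "-c", "pass"]  # stands in for doveadm reload
        first = deploy(lineage, dest, noop)
        second = deploy(lineage, dest, noop)   # identical input: no reload
        key_mode = (dest / "privkey.pem").stat().st_mode & 0o777
        (lineage / "privkey.pem").write_bytes(b"not a key\n")
        try:
            deploy(lineage, dest, noop)
            rejected = False
        except ValueError:
            rejected = True                    # installed files untouched
        return {"first": first, "second": second,
                "key_mode": key_mode, "rejected_junk": rejected}


def main() -> None:
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("RENEWED_LINEAGE not set; run this as certbot --deploy-hook")
    changed = deploy(Path(lineage), Path("/etc/dovecot/ssl"), ["doveadm", "reload"])
    print(f"{os.environ.get('RENEWED_DOMAINS', '?')}: installed {changed or 'nothing new'}")


if __name__ == "__main__":
    main()
```

Pass the script once with `certbot certonly ... --deploy-hook /usr/local/sbin/dovecot-deploy.py`; certbot records the hook in the lineage's renewal configuration and runs it after every later renewal. Dovecot then points at the installed copies with `ssl_cert = </etc/dovecot/ssl/fullchain.pem` and `ssl_key = </etc/dovecot/ssl/privkey.pem` (the leading `<` tells Dovecot to read the file). The hostname the phone and laptops connect to must be one of the names on the certificate, or they will keep reporting it as untrusted; check what they see with `openssl s_client -connect mail.example.com:993 -servername mail.example.com`, and for port 143 the same command with `-starttls imap` added.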
> Your IMAP server can use those files and may then respond to
> requests for IMAP over SSL/TLS on e.g. port 993. Port 143 is for
> unencrypted IMAP, so in that case certificates are not relevant at
> all.

Well, apart from STARTTLS ...

P.