Alef Veld
2017-Aug-09 15:49 UTC
is a self signed certificate always invalid the first time?
Thanks Ralph, I'll look into that. I think Let's Encrypt uses certbot though and it can't do email certificates (although I'm sure I can convert the cert I get from Let's Encrypt, I'll look into it).

> On 9 Aug 2017, at 16:40, Ralph Seichter <m16+dovecot at monksofcool.net> wrote:
>
> On 09.08.2017 17:20, Alef Veld wrote:
>
>> So I'm using dovecot, and I created a self signed certificate with
>> mkcert.sh based on dovecot-openssl.cnf. The name in there matches my
>> mail server.
>>
>> The first time it connects in mac mail however, it says the certificate
>> is invalid and another server might pretend to be me etc.
>
> This is to be expected for self-signed certificates. The MUA (Apple Mail
> in your case) cannot know that the certificate is trusted until you
> confirm it.
>
> For certificates signed by third parties, the client (or OS) performs
> the same checks. If a chain of trust can be established based on the
> client/OS certificate store, which comes pre-populated with well-known
> third party CA certificates, allowing to verify certificate signatures,
> your MUA will trust the presented certificate without you confirming it.
>
> I recommend you look into using a free Let's Encrypt certificate (see
> https://letsencrypt.org/) instead of a self-signed certificate.
>
> -Ralph
Remko Lodder
2017-Aug-09 16:05 UTC
is a self signed certificate always invalid the first time?
Alef,

Certbot creates regular certificates that can be used by dovecot to get a "validated" connection to the mailserver. You obviously need to do the certbot walk to gain the certificate, but if you have it, you can use it for dovecot. Just refer to it in the configuration and you should be fine.

Cheers
Remko

> On 9 Aug 2017, at 17:49, Alef Veld <alefveld at outlook.com> wrote:
>
> Thanks Ralph, I'll look into that.
>
> I think Let's Encrypt uses certbot though and it can't do email certificates (although I'm sure I can convert the cert I get from Let's Encrypt, I'll look into it).
>
>> On 9 Aug 2017, at 16:40, Ralph Seichter <m16+dovecot at monksofcool.net> wrote:
>>
>> On 09.08.2017 17:20, Alef Veld wrote:
>>
>>> So I'm using dovecot, and I created a self signed certificate with
>>> mkcert.sh based on dovecot-openssl.cnf. The name in there matches my
>>> mail server.
>>>
>>> The first time it connects in mac mail however, it says the certificate
>>> is invalid and another server might pretend to be me etc.
>>
>> This is to be expected for self-signed certificates. The MUA (Apple Mail
>> in your case) cannot know that the certificate is trusted until you
>> confirm it.
>>
>> For certificates signed by third parties, the client (or OS) performs
>> the same checks. If a chain of trust can be established based on the
>> client/OS certificate store, which comes pre-populated with well-known
>> third party CA certificates, allowing to verify certificate signatures,
>> your MUA will trust the presented certificate without you confirming it.
>>
>> I recommend you look into using a free Let's Encrypt certificate (see
>> https://letsencrypt.org/) instead of a self-signed certificate.
>>
>> -Ralph
Ralph Seichter
2017-Aug-09 16:06 UTC
is a self signed certificate always invalid the first time?
On 09.08.2017 17:49, Alef Veld wrote:

> I think Let's Encrypt uses certbot though and it can't do email
> certificates (although I'm sure I can convert the cert I get from
> Let's Encrypt, I'll look into it).

I'm not sure what you mean by "can't do email certificates"? In any case, Let's Encrypt issues certificates that can be used by Dovecot for IMAP and simultaneously by Apache or nginx for HTTPS and Postfix for SMTP. The certificates are issued for servers, not for specific software or protocols.

-Ralph
Alef Veld
2017-Aug-09 16:18 UTC
is a self signed certificate always invalid the first time?
Cheers Remko and Ralph. I think there was some mention in the Let's Encrypt FAQ that certbot doesn't do email. But I understand I can use their generated cert for dovecot, postfix and https? That would be good indeed. Anyone know of any manual, or can I just replace the certs in the dovecot and postfix locations with theirs? Do dovecot, postfix and apache all support .pem format?

Sent from my iPhone

> On 9 Aug 2017, at 17:07, Ralph Seichter <m16+dovecot at monksofcool.net> wrote:
>
>> On 09.08.2017 17:49, Alef Veld wrote:
>>
>> I think Let's Encrypt uses certbot though and it can't do email
>> certificates (although I'm sure I can convert the cert I get from
>> Let's Encrypt, I'll look into it).
>
> I'm not sure what you mean by "can't do email certificates"? In any
> case, Let's Encrypt issues certificates that can be used by Dovecot
> for IMAP and simultaneously by Apache or nginx for HTTPS and Postfix
> for SMTP. The certificates are issued for servers, not for specific
> software or protocols.
>
> -Ralph
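The chain-of-trust behaviour Ralph describes (a self-signed certificate is untrusted until the client's store trusts it; a CA-issued one verifies against the pre-populated store) and his point that one certificate serves IMAP, SMTP and HTTPS alike, as an added shell example that is not from this thread and not part of Dovecot or certbot. It uses only the openssl CLI: it generates a throwaway self-signed server certificate (what mkcert.sh produces) and a throwaway root CA, intermediate CA and server certificate (what a public CA issues) in a scratch directory, then runs openssl verify against each under different trust settings. It goes one step beyond the thread by also showing why a CA-issued certificate must be deployed together with its intermediate, which is what certbot's fullchain.pem bundles. The names mail.example.test, Demo Root CA and Demo Intermediate CA are made up, and the helper functions are mine.

```shell
#!/bin/sh
# Added example, not from the dovecot mailing-list thread. Demonstrates with
# the openssl CLI why a self-signed cert is "invalid" to a client until the
# client's trust store contains it, and why a CA-issued cert needs its
# intermediate served alongside it. Assumes only that openssl is installed;
# all names and files below are constructed for the demo.
set -e

WORK=$(mktemp -d "${TMPDIR:-/tmp}/selfsigned-demo.XXXXXX")
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat >"$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
subjectAltName = DNS:mail.example.test
extendedKeyUsage = serverAuth
EOF

# Build (1) a self-signed server cert, as dovecot's mkcert.sh would, and
# (2) a root CA -> intermediate CA -> server cert chain, as a public CA issues.
make_demo_pki() {
    openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_leaf -newkey rsa:2048 \
        -nodes -days 1 -subj "/CN=mail.example.test" \
        -keyout "$WORK/self-key.pem" -out "$WORK/self.pem" >/dev/null 2>&1

    openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" -keyout "$WORK/root-key.pem" -out "$WORK/root.pem" >/dev/null 2>&1

    openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int-key.pem" -out "$WORK/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root-key.pem" \
        -CAcreateserial -days 1 -extfile "$WORK/demo.cnf" -extensions v3_ca \
        -out "$WORK/int.pem" >/dev/null 2>&1

    openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" -keyout "$WORK/srv-key.pem" -out "$WORK/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int-key.pem" \
        -CAcreateserial -days 1 -extfile "$WORK/demo.cnf" -extensions v3_leaf \
        -out "$WORK/srv.pem" >/dev/null 2>&1
}

# Verify CERT the way a mail client would. CAFILE plays the client's trust
# store (empty = the cert is in no store); CHAIN plays the intermediates the
# server sends along with its certificate. Prints "trusted" or "untrusted".
verify_cert() {
    cert=$1; cafile=$2; chain=$3
    set --
    if [ -n "$cafile" ]; then set -- "$@" -CAfile "$cafile"; fi
    if [ -n "$chain" ];  then set -- "$@" -untrusted "$chain"; fi
    if openssl verify "$@" "$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Sanity check before pointing Dovecot/Postfix/Apache at a cert+key pair:
# the public key inside the certificate must equal the one derived from the key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

make_demo_pki

# First connect from Apple Mail: the self-signed cert is in no trust store.
printf 'self-signed, not in any store:             %s\n' "$(verify_cert "$WORK/self.pem")"
# After the user confirms it, the cert itself is the trust anchor.
printf 'self-signed, after confirming it:          %s\n' "$(verify_cert "$WORK/self.pem" "$WORK/self.pem")"
# CA-issued leaf, root in the store, but the server omitted the intermediate.
printf 'CA-issued, root trusted, no intermediate:  %s\n' "$(verify_cert "$WORK/srv.pem" "$WORK/root.pem")"
# Same leaf served together with its intermediate (what fullchain.pem provides).
printf 'CA-issued, root trusted, with fullchain:   %s\n' "$(verify_cert "$WORK/srv.pem" "$WORK/root.pem" "$WORK/int.pem")"
printf 'srv.pem matches srv-key.pem:               %s\n' "$(key_matches_cert "$WORK/srv.pem" "$WORK/srv-key.pem")"
```

The same two PEM files can be handed to every daemon: Dovecot reads them via `ssl_cert = </etc/letsencrypt/live/<host>/fullchain.pem` and `ssl_key = </etc/letsencrypt/live/<host>/privkey.pem` (the leading `<` tells Dovecot to read the file; `<host>` is a placeholder for the certbot lineage name), Postfix via `smtpd_tls_cert_file` and `smtpd_tls_key_file`, and Apache via `SSLCertificateFile` and `SSLCertificateKeyFile`. Point them at fullchain.pem rather than cert.pem, as the third verification above shows, and keep privkey.pem unreadable by other users.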