Good. I am going to focus on the IMAP configuration and worry about SMTP later.

The following is the relevant documentation. This is very straightforward:
https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/

My file 10-ssl.conf is untouched.

However, this is the part that I would like to better understand:

https://doc.dovecot.org/admin_manual/ssl/certificate_creation/

Before creating my own certificate (which I have done in the past for my old server), I am curious. Is there anything wrong with the one that comes with the distribution?

ssl_cert = < /etc/pki/dovecot/certs/dovecot.pem
ssl_key = < /etc/pki/dovecot/private/dovecot.pem

As I stated before, I am attempting to achieve the simplest installation possible which will be later tightened.

Thanks!

On 11/9/2020 11:52 PM, Nikolai Lusan wrote:
> Greetings,
>
> On Mon, 2020-11-09 at 23:42 -0600, Raymond Herrera wrote:
> > For several years I have been running the following in a Linux
> > server.
> >
> > Dovecot Version: 2.0.9
> >
> > *IMAP:*
> > Connection Security: SSL/TLS
> > Port: 993
> > Authentication Method: Normal Password
> >
> > *SMTP:*
> > Connection Security: STARTTLS
> > Port: 587
> > Authentication Method: Normal Password
>
> Pretty standard setup.
>
> In my experience pretty much any client works with this setup.
On Tue, 2020-11-10 at 00:26 -0600, Raymond Herrera wrote:
> Good. I am going to focus on the IMAP configuration and worry about
> SMTP
> later.

Yeah, also the postfix list is probably more useful for the SMTP stuff, although having said that the two products integrate seamlessly.

> The following is the relevant documentation.
> This is very straightforward:
> https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/
>
> My file 10-ssl.conf is untouched.
>
> However, this is the part that I would like to better understand:
>
> https://doc.dovecot.org/admin_manual/ssl/certificate_creation/
>
> Before creating my own certificate (which I have done in the past for
> my
> old server), I am curious. Is there anything wrong with the one that
> comes with the distribution?

The certificate which comes with either dovecot, or your distribution (in Debian it's "/etc/ssl/certs/ssl-cert-snakeoil.pem") is a self signed certificate, which most clients will force you to accept (permanently, or temporarily). Personally I am using Let's Encrypt (https://letsencrypt.org/) wildcard certificates (since I am not just using them for email purposes), and I have scripts that restart the relevant services when the certificates get updated (LE certs are only valid for 90 days, and can be renewed at 60 days). Look into LE and the tools available for Linux, pick the one that works for you, I use acme.sh which I find easier to script around.

> ssl_cert = < /etc/pki/dovecot/certs/dovecot.pem
> ssl_key = < /etc/pki/dovecot/private/dovecot.pem

So this is a public/private key pair. Just like for ssh, gpg, or many other cryptography related tools. The ssl_cert line is the public certificate, and the ssl_key line is the key used to create the sign the initial certificate request (the CRL is later signed by an issuer, in the case of the snakeoil certs this is separate private key).

There are a bunch more things worth tweaking in the ssl.conf file though :)

--
Nikolai Lusan <nikolai at lusan.id.au>
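The checks this reply points at, as an added example that is not part of the original thread: whether a certificate is self-signed, whether the ssl_key file belongs to the ssl_cert file, and whether the certificate is inside a renewal window. It assumes the openssl command-line tool is installed; the function names are hypothetical and the certificate for mail.example.test is constructed for the demonstration.

```shell
#!/bin/sh
# Checks for an ssl_cert / ssl_key pair, using the openssl CLI.
# All function names here are illustrative, not part of Dovecot.

# Constructed sample: a self-signed pair, like a distribution's default one.
make_sample_pair() {  # $1 = directory, $2 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=mail.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# A self-signed certificate names itself as its issuer.
is_self_signed() {  # $1 = certificate
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    [ "${subject#subject=}" = "${issuer#issuer=}" ]
}

# The key file must hold the private half of the certificate's public key.
key_matches_cert() {  # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate expires within the given number of days.
expires_within() {  # $1 = certificate, $2 = days
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Returns non-zero on a key mismatch or a certificate inside the window.
check_pair() {  # $1 = certificate, $2 = private key, $3 = window in days
    status=0
    if is_self_signed "$1"; then echo "NOTE: self-signed; clients will prompt"; fi
    if ! key_matches_cert "$1" "$2"; then echo "FAIL: key does not match"; status=1; fi
    if expires_within "$1" "$3"; then echo "WARN: expires within $3 days"; status=1; fi
    return $status
}

# Demo on the constructed 90-day pair with a 30-day renewal window.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample_pair "$demo_dir" 90
check_pair "$demo_dir/cert.pem" "$demo_dir/key.pem" 30
```

To check a server, pass check_pair the paths from the ssl_cert and ssl_key lines in place of the constructed files.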
Thanks Nikolai,

So far, I have concluded that the Dovecot distribution seems to be ready to be deployed with essentially no modification of configuration files. I am using CentOS 7 and sendmail.

Raymond

On 11/10/2020 1:58 AM, Nikolai Lusan wrote:
> On Tue, 2020-11-10 at 00:26 -0600, Raymond Herrera wrote:
> > Good. I am going to focus on the IMAP configuration and worry about
> > SMTP
> > later.
>
> Yeah, also the postfix list is probably more useful for the SMTP stuff,
> although having said that the two products integrate seamlessly.
>
> > The following is the relevant documentation.
> > This is very straightforward:
> > https://doc.dovecot.org/admin_manual/ssl/dovecot_configuration/
> >
> > My file 10-ssl.conf is untouched.
> >
> > However, this is the part that I would like to better understand:
> >
> > https://doc.dovecot.org/admin_manual/ssl/certificate_creation/
> >
> > Before creating my own certificate (which I have done in the past for
> > my
> > old server), I am curious. Is there anything wrong with the one that
> > comes with the distribution?
>
> The certificate which comes with either dovecot, or your distribution
> (in Debian it's "/etc/ssl/certs/ssl-cert-snakeoil.pem") is a self
> signed certificate, which most clients will force you to accept
> (permanently, or temporarily). Personally I am using Let's Encrypt (
> https://letsencrypt.org/) wildcard certificates (since I am not just
> using them for email purposes), and I have scripts that restart the
> relevant services when the certificates get updated (LE certs are only
> valid for 90 days, and can be renewed at 60 days). Look into LE and the
> tools available for Linux, pick the one that works for you, I use
> acme.sh which I find easier to script around.
>
> > ssl_cert = < /etc/pki/dovecot/certs/dovecot.pem
> > ssl_key = < /etc/pki/dovecot/private/dovecot.pem
>
> So this is a public/private key pair. Just like for ssh, gpg, or many
> other cryptography related tools. The ssl_cert line is the public
> certificate, and the ssl_key line is the key used to create the sign
> the initial certificate request (the CRL is later signed by an issuer,
> in the case of the snakeoil certs this is separate private key).