Using Let's Encrypt Certificates for Mail and other Apps
Background
There is a Let's Encrypt app which enables you to get free SSL certificates for use on your Web Sites or for use in the Webconfig. With very minor changes it is possible to use a Let's Encrypt certificate in the mail apps - SMTP server (postfix), POP and IMAP server (cyrus-imapd), Zarafa and Kopano.
Let's Encrypt maintains four symlinks for each certificate requested:
/etc/letsencrypt/live/your_FQDN/cert.pem
This is the basic certificate
/etc/letsencrypt/live/your_FQDN/chain.pem
The chain file, also called the intermediate certificate: it links cert.pem back to the Let's Encrypt root CA. The root itself is not part of the chain and is not held in the Let's Encrypt app; clients have it in their own trust stores.
/etc/letsencrypt/live/your_FQDN/fullchain.pem
This is cert.pem followed by chain.pem in a single file (leaf certificate first, the order servers expect), which is why it is the file used in the configurations below
/etc/letsencrypt/live/your_FQDN/privkey.pem
This is your private key for your certificate
The Let's Encrypt app keeps these symlinks always pointing to the latest certificate files under /etc/letsencrypt/archive/your_FQDN
Requirements
Before you can make these changes, you must already have Let's Encrypt certificates which cover the (sub-)domain(s) you are going to use for your e-mail server. As an idea, typical subdomains are smtp.example.com, pop.example.com, imap.example.com and mail.example.com but they do not have to be one of those. You can even just use example.com. You can have separate domains for the incoming and outgoing servers or just a single domain for both.
For the Howto I will assume smtp.example.com and imap.example.com are the subdomains. I also assume that the certificates obtained were for the Primary Domains of smtp.example.com and imap.example.com. If the certificate was for a different Primary Domain and smtp.example.com and imap.example.com were listed as Other Domains when creating the certificates, use the Primary Domain name in the configurations below instead.
Configuration
Let's Encrypt
Make the certificate directories traversable by the ssl-cert group (they are root-only by default):

chown root:ssl-cert /etc/letsencrypt/live /etc/letsencrypt/archive
chmod 0750 /etc/letsencrypt/live /etc/letsencrypt/archive

Then make the private key readable by that group. For all certificates at once:

chown root:ssl-cert /etc/letsencrypt/live/*/privkey.pem
chmod g+r /etc/letsencrypt/live/*/privkey.pem

or for a single certificate:

chown root:ssl-cert /etc/letsencrypt/live/{your_certificate_name}/privkey.pem
chmod g+r /etc/letsencrypt/live/{your_certificate_name}/privkey.pem

and substitute your certificate name for {your_certificate_name}. privkey.pem under live/ is a symlink and both commands follow it, so it is the real key file under /etc/letsencrypt/archive/{your_certificate_name}/ that changes. Give the key group read only, never world read (no o+r): anyone who can read it can impersonate your mail server. Renewal writes a new privkeyN.pem into the archive directory; the certbot that the app runs copies the mode and group of the previous key onto the new one (certbot 0.29 and later), but check this after the first renewal, because a key that falls back to root-only will make the services below fail to load it.
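As an added check (not part of the ClearOS app or of this howto's original commands), the following POSIX shell script audits every private key under /etc/letsencrypt/live: it follows the live/ symlink to the archive file and confirms the key belongs to the expected group, is group-readable and is not readable by others. The directory and group are parameters, with the ClearOS defaults assumed, and the script name check-le-keys.sh is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit the Let's Encrypt private keys for the ssl-cert scheme
# above. Expected state for each key: group ssl-cert, group-readable, no
# access for others. Paths and group name are parameters with ClearOS defaults.

# check_key KEY GROUP -> 0 if KEY (symlinks followed) is owned by GROUP, is
# group-readable and is not readable by others; 1 otherwise, with the reason
# printed.
check_key() {
    key=$1
    group=$2
    real=$(readlink -f "$key" 2>/dev/null)
    if [ -z "$real" ] || [ ! -f "$real" ]; then
        echo "$key: missing, or a dangling symlink"
        return 1
    fi
    # %G = group name, %A = symbolic mode, e.g. -rw-r-----
    set -- $(stat -c '%G %A' "$real")
    file_group=$1
    mode=$2
    if [ "$file_group" != "$group" ]; then
        echo "$key: group is $file_group, expected $group"
        return 1
    fi
    # Characters 2-4 are owner bits, 5-7 group bits, 8-10 other bits.
    case $mode in
        ????r??---) ;;
        ????r??*)   echo "$key: readable by others ($mode)"; return 1 ;;
        *)          echo "$key: not group-readable ($mode)"; return 1 ;;
    esac
    echo "$key: ok ($file_group $mode, $real)"
    return 0
}

# check_all LIVE_DIR GROUP -> 0 only if every LIVE_DIR/*/privkey.pem passes.
check_all() {
    live_dir=$1
    group=$2
    rc=0
    found=0
    for key in "$live_dir"/*/privkey.pem; do
        [ -e "$key" ] || [ -L "$key" ] || continue
        found=1
        check_key "$key" "$group" || rc=1
    done
    if [ "$found" = 0 ]; then
        echo "no privkey.pem found under $live_dir"
        return 1
    fi
    return $rc
}

# When run as a script named check-le-keys.sh (not sourced), audit the real
# tree. Run it after the first renewal to confirm the new archive key kept
# its group and mode.
if [ "${0##*/}" = "check-le-keys.sh" ]; then
    check_all "${1:-/etc/letsencrypt/live}" "${2:-ssl-cert}"
fi
```

Run it as root (the archive directory is 0750) with `sh check-le-keys.sh`; a non-zero exit means at least one key would not be loadable by a service running as an ssl-cert member, or is exposed to other users.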
SMTP Server (postfix):
Add the following to /etc/postfix/main.cf:
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/smtp.example.com/privkey.pem
Add the postfix user to the ssl-cert group:
usermod -a -G ssl-cert postfix
Then restart postfix:
systemctl restart postfix.service
Now make postfix re-read the certificates each time they are renewed by creating a file /var/clearos/events/lets_encrypt/postfix with 0755 permissions and the following contents:

#!/bin/sh
sleep 10
systemctl condrestart postfix.service
If you copy and paste the following into a terminal this will create the file correctly for you:
echo '#!/bin/sh' > /var/clearos/events/lets_encrypt/postfix
echo >> /var/clearos/events/lets_encrypt/postfix
echo 'sleep 10' >> /var/clearos/events/lets_encrypt/postfix
echo >> /var/clearos/events/lets_encrypt/postfix
echo 'systemctl condrestart postfix.service' >> /var/clearos/events/lets_encrypt/postfix
chmod 0755 /var/clearos/events/lets_encrypt/postfix
POP and IMAP Server (cyrus-imapd):
Change the following in /etc/imapd.conf:
tls_key_file: /etc/letsencrypt/live/imap.example.com/privkey.pem
tls_cert_file: /etc/letsencrypt/live/imap.example.com/fullchain.pem
Add the cyrus user to the ssl-cert group:
usermod -a -G ssl-cert cyrus
Then restart cyrus-imapd:
systemctl restart cyrus-imapd.service
Now make cyrus-imapd re-read the certificates each time they are renewed by creating a file /var/clearos/events/lets_encrypt/cyrus-imapd with 0755 permissions and the following contents:

#!/bin/sh
sleep 10
systemctl condrestart cyrus-imapd.service
If you copy and paste the following into a terminal this will create the file correctly for you:
echo '#!/bin/sh' > /var/clearos/events/lets_encrypt/cyrus-imapd
echo >> /var/clearos/events/lets_encrypt/cyrus-imapd
echo 'sleep 10' >> /var/clearos/events/lets_encrypt/cyrus-imapd
echo >> /var/clearos/events/lets_encrypt/cyrus-imapd
echo 'systemctl condrestart cyrus-imapd.service' >> /var/clearos/events/lets_encrypt/cyrus-imapd
chmod 0755 /var/clearos/events/lets_encrypt/cyrus-imapd
Zarafa
Zarafa Webapp uses the Apache web server. This makes configuring Let's Encrypt certificates trivial and can be done through the Webconfig interface. Navigate to Server –> Web Server and configure your default website, ensuring you select your Let's Encrypt certificate that will be used to access Zarafa webapp (eg. https://mail.example.com/webapp).
Since Apache also hosts z-push (ActiveSync), configuring the web server to use these certificates covers that service as well, with no additional changes.
POP3S/IMAPS
In order to use the Let's Encrypt certificates when connecting via POP3S or IMAPS from mail clients, you will need to make some changes to the following file: /etc/zarafa/gateway.cfg
ssl_private_key_file = /etc/letsencrypt/live/example.com/privkey.pem
ssl_certificate_file = /etc/letsencrypt/live/example.com/fullchain.pem
Add the zarafa user to the ssl-cert group:
usermod -a -G ssl-cert zarafa
Once done, be sure to restart Zarafa Gateway service:
systemctl restart zarafa-gateway.service
Now make zarafa-gateway re-read the certificates each time they are renewed by creating a file /var/clearos/events/lets_encrypt/zarafa-gateway with 0755 permissions and the following contents:

#!/bin/sh
sleep 10
systemctl condrestart zarafa-gateway.service
If you copy and paste the following into a terminal this will create the file correctly for you:
echo '#!/bin/sh' > /var/clearos/events/lets_encrypt/zarafa-gateway
echo >> /var/clearos/events/lets_encrypt/zarafa-gateway
echo 'sleep 10' >> /var/clearos/events/lets_encrypt/zarafa-gateway
echo >> /var/clearos/events/lets_encrypt/zarafa-gateway
echo 'systemctl condrestart zarafa-gateway.service' >> /var/clearos/events/lets_encrypt/zarafa-gateway
chmod 0755 /var/clearos/events/lets_encrypt/zarafa-gateway
Kopano
The Kopano instructions are identical to the Zarafa changes above, with the Zarafa paths, user and service names replaced by their Kopano equivalents: /etc/kopano/gateway.cfg, the kopano user and kopano-gateway.service.
PlexMediaServer
Create a file /var/clearos/events/lets_encrypt/plex and in it put:
#!/bin/sh
openssl pkcs12 -export -password pass:plexmediaserver \
    -out /var/lib/plexmediaserver/certificate.pfx \
    -inkey /etc/letsencrypt/live/example.com/privkey.pem \
    -in /etc/letsencrypt/live/example.com/fullchain.pem
chown plex:plex /var/lib/plexmediaserver/certificate.pfx
chmod 0600 /var/lib/plexmediaserver/certificate.pfx
sleep 10
systemctl condrestart plexmediaserver.service

Change example.com to your certificate name. The export password (plexmediaserver here) can be anything you like, but it must match the encryption key you enter in the Plex Dashboard below; since it is the only thing protecting the private key inside the .pfx, the chmod keeps the file readable by the plex user alone. Make the file executable:
chmod 0755 /var/clearos/events/lets_encrypt/plex
And run it once to create the certificate in pkcs12 format:
/var/clearos/events/lets_encrypt/plex
In the Plex Dashboard go to Settings > Network > Show Advanced and:
- set “Custom certificate location” to /var/lib/plexmediaserver/certificate.pfx
- set “Custom certificate encryption key” to “plexmediaserver” (or whatever you used)
- set “Custom certificate domain” to a domain covered by your certificate
- set “Secure connections” to either “Preferred” or “Required”
Then save your changes.
Multiple Let's Encrypt certificates
If you have multiple Let's Encrypt certificates, then each time any certificate renews, the apps for which you've created events files will restart. As this happens overnight it typically does not matter. If you want to restrict the app restart to happening only with a particular certificate you can put the restart operation inside an “if” statement. Using postfix as an example, you'd change:
#!/bin/sh
sleep 10
systemctl condrestart postfix.service
to:
#!/bin/sh
if [ "$(basename "$RENEWED_LINEAGE")" = "www.example.com" ]; then
    sleep 10
    systemctl condrestart postfix.service
fi

Change www.example.com to your certificate name, that is, the folder name under /etc/letsencrypt/live. RENEWED_LINEAGE holds the full path of the live/ folder of the certificate that was just renewed, which is why basename is applied to it (quoted, so the test is safe whatever the path contains).
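The following is an added example, not code from the ClearOS app or from this howto, that folds the per-service event files above into one deploy hook driven by the same RENEWED_LINEAGE variable the if statement uses. It maps each certificate name to the services that use it (the names smtp.example.com and imap.example.com and the mapping are assumptions taken from this howto; adjust them), refuses to restart anything if the renewed private key does not match the renewed certificate, and only then runs condrestart. The file name /var/clearos/events/lets_encrypt/mail and the DRY_RUN and RESTART_DELAY knobs are this example's own.

```shell
#!/bin/sh
# Added example: one Let's Encrypt deploy hook for all the mail services above.
# The ClearOS app runs every file in /var/clearos/events/lets_encrypt/ after a
# renewal with RENEWED_LINEAGE set to the renewed certificate's directory
# (/etc/letsencrypt/live/<name>), as the if-statement example above relies on.

# services_for NAME -> space-separated systemd units that use NAME's certificate.
# Assumed mapping; edit it to match the lineages and services you configured.
services_for() {
    case $1 in
        smtp.example.com) echo "postfix.service" ;;
        imap.example.com) echo "cyrus-imapd.service zarafa-gateway.service" ;;
        *)                echo "" ;;
    esac
}

# key_matches_cert KEY CERT -> 0 if the public key in the first certificate of
# CERT is the one derived from KEY. A mismatched pair makes the service fail
# at restart, so it is checked before anything is restarted.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# deploy LINEAGE_DIR -> condrestart the services that use this certificate, or
# do nothing if none does. Returns 1 on a key/cert mismatch without restarting.
# With DRY_RUN=1 it only prints the units it would restart.
deploy() {
    lineage_dir=$1
    name=${lineage_dir##*/}          # same as basename "$RENEWED_LINEAGE"
    units=$(services_for "$name")
    if [ -z "$units" ]; then
        echo "$name: no services configured, nothing to restart"
        return 0
    fi
    if ! key_matches_cert "$lineage_dir/privkey.pem" "$lineage_dir/fullchain.pem"; then
        echo "$name: privkey.pem does not match fullchain.pem, not restarting $units" >&2
        return 1
    fi
    sleep "${RESTART_DELAY:-10}"     # the howto's 10 second grace period
    for unit in $units; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: systemctl condrestart $unit"
        else
            systemctl condrestart "$unit"
        fi
    done
}

# Run for real only when invoked by the app, i.e. with RENEWED_LINEAGE set.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Save it as /var/clearos/events/lets_encrypt/mail with 0755 permissions in place of the separate postfix, cyrus-imapd and zarafa-gateway files. After a restart, confirm what the servers actually present with `openssl s_client -connect smtp.example.com:25 -starttls smtp -servername smtp.example.com` and `openssl s_client -connect imap.example.com:993 -servername imap.example.com`: the subject and expiry shown should be those of the renewed certificate.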