Let's encrypt with postfix / dovecot/courier / ftp

Discussion in 'General' started by Hirbod, Aug 12, 2016.

  1. Hirbod

    Hirbod New Member

    Hi,
    is there any good solution how to use ISPConfig to secure FTP(S), Postfix, Dovecot/Courier?
    Currently, I've placed my purchased certs inside of /etc/ssl/ and used the softwares default path to grab the certificates, but I would love to have the ability to include Let's Encrypt without the hassle of renewing manually. I could create some subdomains and copy the content of the certs, but this is again a lot of work. And if I change the config of the services to point to the ssl cert which are created under client/....ssl/, i have to renew the paths every time I update or reconfigure some services.

    Is there any good approach with 0 headaches?
     
  2. you could create a symlink to the client/..../ssl/ certs and keep the config as is.

    That could be a 0 headaches solution?
     
  3. Hirbod

    Hirbod New Member

    @Rein van 't Veer that wouldn't work, as the names are different. The config would change when I reconfigure them or when major updates arrive which have to change the config-files.

    Actually, the best thing would be, if ISPConfig would patch them automatically and insert the right paths (and re-inject the values, when there was an update)
     
  4. Hirbod

    Hirbod New Member

    After digging around a bit, I finally decided to go that smylink-way now. As ISPConfig will save /etc/ on updates, I can quickly re-add the ssl lines into postfix.conf and dovecot.conf.

    I created a

    smtpd.cert
    smtpd.key

    symlink inside /etc/postfix which linked to
    ln -s smtpd.cert /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
    ln -s smtpd.key /etc/letsencrypt/live/mail.mydomain.com/privkey.pem

    as Let's Encrypt is just fully trusted with complete chain (X3 authority alone isn't trustworthy, DST cross-signing required to prevent Thunderbird/Apple Mail alerts)
    I linked dovecot to use the same symlinks inside /etc/postfix - et voila. It works. A bit hacky but fair enough for a free SSL
     
  5. Jesse Norell

    Jesse Norell Active Member

    When you update your ispconfig control panel server, just answer NO to the question asking if it should generate a new SSL certificate, and your symlinks will stay in tact. I accidentally answered YES there once and it did break the letsencrypt setup, but just recreate the symlinks again and it'll be back; I've answered NO through many updates and the symlinks stay. That's as good as you can do, and pretty tolerable, until the ispconfig installer gets letsencrypt support.
     

Share This Page