Let's Encrypt for mail servers

This manual is intended for a multi-server ISPConfig setup where you want to log in securely to your email using several domain names.
apt-get install certbot -t jessie-backports
Then run the following line with all the names that resolve to this server (mail.xxx.yyy is a placeholder; add one -d for every mail hostname your users connect to):
certbot auth --text --agree-tos --standalone --email postmaster@`hostname -d` -d `hostname -f` -d mail.`hostname -f` -d mail.xxx.yyy

Finally, create symlinks from the locations where Postfix and Dovecot expect the certificate files to the actual Let's Encrypt files:
ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem /etc/postfix/smtpd.key
ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem /etc/postfix/smtpd.cert

And restart the services:
systemctl restart dovecot
systemctl restart postfix

After every certificate renewal you then have to restart Postfix and Dovecot again, otherwise they keep serving the old certificate from memory; the following script does that for you:
/usr/local/sbin/letsencrypt-for-mail.sh
#!/bin/bash

# letsencrypt-for-mail.sh: compares the SSL certificate served by dovecot
# and postfix with the current certificate issued by letsencrypt,
# and restarts the mail system if they differ

# this can be run as a cronjob to propagate letsencrypt certificate changes
# to the running mail services

LE_DIR=/etc/letsencrypt/live/`hostname -f`
LE_CA=${LE_DIR}/chain.pem
LE_CERT=${LE_DIR}/cert.pem
LE_KEY=${LE_DIR}/privkey.pem

OPENSSL=`which openssl 2>/dev/null | head -1`

# Check if letsencrypt has been set up
if [ ! -f ${LE_CA} -o ! -f ${LE_CERT} -o ! -f ${LE_KEY} ]
then
    echo "Letsencrypt files not found. You must set up letsencrypt and issue a certificate first." 1>&2
    exit 0
fi

# Check openssl binary exists (quoted: an empty OPENSSL would otherwise make the test pass)
if [ ! -f "${OPENSSL}" ]
then
    echo "Cannot find openssl. Exiting." 1>&2
    exit 1
fi

# Serial of the certificate on disk
le_serial=`${OPENSSL} x509 -noout -serial -in ${LE_CERT}`

# Serials of the certificates the running daemons actually serve.
# s_client must read from /dev/null, otherwise it waits on stdin and the cron job hangs.
smtp_serial=`${OPENSSL} s_client -connect localhost:25 -starttls smtp </dev/null 2>/dev/null | ${OPENSSL} x509 -serial -noout`
pop3_serial=`${OPENSSL} s_client -connect localhost:110 -starttls pop3 </dev/null 2>/dev/null | ${OPENSSL} x509 -serial -noout`
imap_serial=`${OPENSSL} s_client -connect localhost:143 -starttls imap </dev/null 2>/dev/null | ${OPENSSL} x509 -serial -noout`
imaps_serial=`${OPENSSL} s_client -connect localhost:993 </dev/null 2>/dev/null | ${OPENSSL} x509 -serial -noout`
pop3s_serial=`${OPENSSL} s_client -connect localhost:995 </dev/null 2>/dev/null | ${OPENSSL} x509 -serial -noout`

# if a service is down, this certificate verification will fail;
# we'll only restart services if they are actually running

function restart_postfix_if_running() {
    /etc/init.d/postfix status 2>/dev/null >/dev/null
    if [ $? -eq 0 ]
    then
        /etc/init.d/postfix restart >/dev/null
    fi
}

function restart_dovecot_if_running() {
    /etc/init.d/dovecot status 2>/dev/null >/dev/null
    if [ $? -eq 0 ]
    then
        /etc/init.d/dovecot restart >/dev/null
    fi
}

if [ "${le_serial}" != "${smtp_serial}" ]
then
    restart_postfix_if_running
fi
if [ "${le_serial}" != "${pop3_serial}" -o "${le_serial}" != "${imap_serial}" -o "${le_serial}" != "${imaps_serial}" -o "${le_serial}" != "${pop3s_serial}" ]
then
    restart_dovecot_if_running
fi
exit 0

And the corresponding cron job (run as root; the heredoc writes the file):
# cat <<EOF >/etc/cron.d/letsencrypt-restarts
15 3 * * * root /usr/local/sbin/letsencrypt-for-mail.sh
EOF

chmod +x /usr/local/sbin/letsencrypt-for-mail.sh
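The serial comparison above only tells you that the daemons picked up the new file. The added helper below (example code, not part of the manual's script) goes one step further and checks that the certificate a listener actually serves covers every hostname you passed to certbot with -d and is not about to expire. It assumes openssl is in $PATH; the function names and the hostnames in the usage comment are placeholders.

```shell
# Added example, not part of the original manual: checks on the certificate
# Postfix and Dovecot actually serve, one step beyond the serial comparison in
# letsencrypt-for-mail.sh. Assumes openssl is in $PATH; hostnames are
# placeholders for the -d names given to certbot.

# Write the PEM certificate served on host:port ($1) to stdout, using STARTTLS
# with protocol $2 (smtp, imap or pop3) when given. The "</dev/null" matters:
# without it s_client waits on stdin and a cron job hangs forever.
fetch_served_cert() {
    local opts=()
    if [ -n "${2:-}" ]; then opts=(-starttls "$2"); fi
    openssl s_client -connect "$1" "${opts[@]}" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Return 0 if certificate file $1 lists hostname $2 as a DNS subjectAltName
# (exact match against the names requested with -d).
cert_covers_name() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *DNS://' | grep -qxF -- "$2"
}

# Return 0 if certificate file $1 stays valid for at least $2 more days.
# Let's Encrypt issues for 90 days and certbot renews at 30, so fewer than
# about 25 days left means renewal or the restart job is failing.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Audit one listener: $1 host:port, $2 STARTTLS protocol or "", remaining
# arguments the hostnames the certificate must cover. Prints one line per
# problem and returns the number of problems found.
audit_listener() {
    local target=$1 proto=$2 pem problems=0 name
    shift 2
    pem=$(mktemp) || return 1
    fetch_served_cert "$target" "$proto" >"$pem"
    [ -s "$pem" ] || { echo "$target: no certificate received"; rm -f "$pem"; return 1; }
    for name in "$@"; do
        cert_covers_name "$pem" "$name" \
            || { echo "$target: does not cover $name"; problems=$((problems + 1)); }
    done
    cert_valid_for_days "$pem" 25 \
        || { echo "$target: expires in under 25 days"; problems=$((problems + 1)); }
    rm -f "$pem"
    return "$problems"
}
# Usage on the mail host itself (placeholder names):
# audit_listener localhost:25 smtp "$(hostname -f)" "mail.$(hostname -f)" mail.xxx.yyy
```

Run it for each port the script above checks (25, 110, 143, 993, 995); a non-zero return from audit_listener is what you want a monitoring check to alert on.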