Let’s Encrypt with Exim and Dovecot

Following my post on setting up Let’s Encrypt with nginx, I experimented with installing certificates from Let’s Encrypt on my mail server. It was surprisingly straightforward. The key point is that domain verification requires port 80 or port 443 to be reachable on the host running the mail server. I run a secure mail server with Dovecot and Exim. Since nothing on that server was hosted on port 80, I used the standalone plugin, which runs a temporary standalone HTTP server for letsencrypt / certbot to verify against:

./certbot-auto certonly --standalone --standalone-supported-challenges http-01 -d mail.example.com

By default, standalone hosts the temporary web server on port 443, but I wanted to verify over port 80, which is what the --standalone-supported-challenges http-01 flag does.

After running the command, the certificates were placed under /etc/letsencrypt, and all that remained was changing the Exim and Dovecot configs:

Exim 4:

tls_certificate = /etc/letsencrypt/live/mail.example.com/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/mail.example.com/privkey.pem

Dovecot:

ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

One caveat I found was that Exim could not read the certificate and private key with the default letsencrypt permissions. While not ideal, I needed to loosen the permissions:

sudo chmod 711 /etc/letsencrypt/live
sudo chmod 711 /etc/letsencrypt/live/mail.example.com
sudo chmod 711 /etc/letsencrypt/archive
sudo chmod 711 /etc/letsencrypt/archive/mail.example.com
sudo chmod 744 /etc/letsencrypt/archive/mail.example.com/*

Lastly, I set up a cron job that renews the certificate on expiry. Despite being in beta, Let’s Encrypt is proving to be quite stable and useful!
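The chmod 711/744 approach above makes the private key world-readable, and the renewal cron job does not restore any permission changes on its own. As an added example that is not part of the original post, the script below grants read access to the Let’s Encrypt tree through a dedicated group (the Debian ssl-cert group and Debian-exim user are passed in as arguments, not hard-coded), strips every "other" bit, and then audits the archive for private keys that are still world-readable. It assumes a Linux host with GNU coreutils (stat -c) and Debian’s addgroup/adduser; LE_ROOT and the sample paths in the comments are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: give the MTA user read access to the
# Let's Encrypt tree through a dedicated group, then audit that no private key is
# readable by "other". Assumptions: Linux with GNU coreutils (stat -c) and Debian's
# addgroup/adduser; group name and MTA user come from the command line.

LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"   # assumed default location

# grant_group_read GROUP DIR...: GROUP gets traverse (dirs) and read (files) on each
# tree; every "other" bit is removed so the keys are no longer world-readable.
grant_group_read() {
    group="$1"; shift
    for dir in "$@"; do
        chgrp -R "$group" "$dir" || return 1
        # X = execute only on directories (and already-executable files), so PEM
        # files end up g+r and directories g+rx. chmod -R does not follow the
        # symlinks in live/, which is fine because archive/ is fixed up as well.
        chmod -R g+rX,o-rwx "$dir" || return 1
    done
}

# key_is_private FILE: succeed only if the "other" permission digit is 0.
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    other="${mode#"${mode%?}"}"   # POSIX way to take the last character
    [ "$other" = "0" ]
}

# audit_keys ROOT: print every privkey*.pem under ROOT/archive that grants anything
# to "other"; returns 1 if at least one was found, 0 if the tree is clean.
audit_keys() {
    root="$1"; bad=0
    for key in "$root"/archive/*/privkey*.pem; do
        [ -e "$key" ] || continue      # glob matched nothing
        if ! key_is_private "$key"; then
            echo "world-accessible private key: $key"
            bad=1
        fi
    done
    return "$bad"
}

# Usage (as root): sh le-group-access.sh ssl-cert Debian-exim
# Re-run it from a certbot renewal hook so renewed keys get the same group and mode.
if [ "$#" -eq 2 ]; then
    grp="$1"; mta_user="$2"
    getent group "$grp" >/dev/null || addgroup --system "$grp"
    adduser "$mta_user" "$grp"
    grant_group_read "$grp" "$LE_ROOT/archive" "$LE_ROOT/live"
    audit_keys "$LE_ROOT" && echo "ok: no world-readable private keys under $LE_ROOT"
fi
```

Dovecot reads its certificate as root, so only the Exim user needs the group. Because certbot writes a fresh privkeyN.pem into archive/ on every renewal, run the script from the renewal (certbot’s --deploy-hook option) together with the Exim and Dovecot reloads, and confirm the served chain afterwards with openssl s_client -connect mail.example.com:25 -starttls smtp and openssl s_client -connect mail.example.com:993.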

4 thoughts on “Let’s Encrypt with Exim and Dovecot”

  1. Jonathan

    Check what UID your exim instance is running as; add that user to a group ssl-cert or similar (unless it’s already in one) and change the group of the cert files to that user, rather than opening them up to anyone.

  2. Max

    I had to assign group ssl-cert to /etc/letsencrypt/archive and /etc/letsencrypt/live paths with appropriate read permission, then enroll user Debian-exim into this group.

  3. piem

    Changing the permissions of the files in `/etc/letsencrypt` is really not advisable.

    For dovecot, no change is needed since the certificates are accessed as root.

    For exim, the following would be enough to let exim access those files:

    # adduser Debian-exim www-data

    A safer approach would be to create a group and have both exim and www-data be part of it, but I’m not sure whether certbot will override the permissions on these folders. Something like that:

    # addgroup ssl-certs
    # adduser www-data ssl-certs
    # adduser Debian-exim ssl-certs
    # chgrp -R ssl-certs /etc/letsencrypt/{archive,live}
    # chmod -R g+rX /etc/letsencrypt/{archive,live}

  4. chris

    You may even want a job to copy them or bind mount them somewhere else, as I can see SELinux or AppArmor causing a few issues otherwise.
