Following my post on setting up Let’s Encrypt with nginx, I experimented with installing certificates from Let’s Encrypt on my mail server. It was surprisingly straightforward. The key point is the domain verification, which requires port 80 or port 443 to be reachable on the host running the mail server. I run a secure mail server with Dovecot and Exim. Since nothing on that server was listening on port 80, I used the standalone plugin, which runs a temporary HTTP server for letsencrypt / certbot to connect to:
./certbot-auto certonly --standalone --standalone-supported-challenges http-01 -d mail.example.com
By default, standalone hosts the temporary web server on port 443, but I wanted to verify over port 80, which is what the --standalone-supported-challenges http-01 option does.
After running the command, the certificates were downloaded to /etc/letsencrypt, and all that remained was changing the Exim and Dovecot configs. In the Exim configuration:
tls_certificate = /etc/letsencrypt/live/mail.example.com/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/mail.example.com/privkey.pem
And in Dovecot's SSL configuration (the leading < tells Dovecot to read the value from the file):
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
One caveat I found was that Exim could not read the certificate and private key with the default letsencrypt permissions. While not ideal, I needed to loosen the permissions:
sudo chmod 711 /etc/letsencrypt/live
sudo chmod 711 /etc/letsencrypt/live/mail.example.com
sudo chmod 711 /etc/letsencrypt/archive
sudo chmod 711 /etc/letsencrypt/archive/mail.example.com
sudo chmod 744 /etc/letsencrypt/archive/mail.example.com/*
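The chmod 744 above makes the private key readable by every local user, which is the "not ideal" part. A tighter alternative is to keep the 711 directories but give only the mail daemons' group read access to the key. The script below is an added example, not from the original post: it builds a throwaway directory tree mirroring certbot's live/ and archive/ layout (placeholder files, not real keys), applies group-based permissions, and checks the result. It assumes GNU coreutils (stat -c); MAIL_GROUP is the group the mail daemons run as (on Debian, Exim runs as Debian-exim), and for this offline demo it defaults to the caller's own group while LE_ROOT defaults to a temporary directory.

```shell
#!/bin/sh
# Added example (not part of the original post): grant the mail daemons read
# access to the Let's Encrypt private key via group ownership (0640) instead
# of making it world-readable (0744), then verify the result.
# Assumptions: GNU coreutils (stat -c); MAIL_GROUP is the group Exim/Dovecot
# run as (demo default: the caller's own group); LE_ROOT mirrors the
# /etc/letsencrypt layout (demo default: a throwaway temp directory).

LE_ROOT="${LE_ROOT:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-mail.example.com}"
MAIL_GROUP="${MAIL_GROUP:-$(id -gn)}"
ARCHIVE="$LE_ROOT/archive/$DOMAIN"
LIVE="$LE_ROOT/live/$DOMAIN"

# Constructed stand-in for certbot's tree: live/<domain>/<name>.pem are
# symlinks into archive/<domain>/<name>N.pem. Contents are placeholders.
make_demo_tree() {
    mkdir -p "$LIVE" "$ARCHIVE"
    for name in privkey fullchain cert chain; do
        printf 'placeholder %s\n' "$name" > "$ARCHIVE/${name}1.pem"
        ln -sf "../../archive/$DOMAIN/${name}1.pem" "$LIVE/$name.pem"
    done
    chmod 700 "$LE_ROOT/live" "$LE_ROOT/archive"   # certbot default: root only
    chmod 600 "$ARCHIVE"/privkey*.pem
}

# Directories get 711 as in the post (traverse without listing); public
# material gets 644; the private key gets 640, group-owned by MAIL_GROUP.
harden_le_perms() {
    chmod 711 "$LE_ROOT/live" "$LIVE" "$LE_ROOT/archive" "$ARCHIVE"
    chmod 644 "$ARCHIVE"/cert*.pem "$ARCHIVE"/chain*.pem "$ARCHIVE"/fullchain*.pem
    chgrp "$MAIL_GROUP" "$ARCHIVE"/privkey*.pem
    chmod 640 "$ARCHIVE"/privkey*.pem
}

# Octal mode of the file a path resolves to (symlinks followed).
mode_of() { stat -L -c %a "$1"; }

# "yes" if the "others" class can read the file, else "no"
# (the last octal digit is the others class; 4-7 include the read bit).
others_can_read() {
    case "$(mode_of "$1")" in *[4567]) echo yes ;; *) echo no ;; esac
}

# "yes" if the group class can read the file, else "no"
# (second-to-last octal digit is the group class).
group_can_read() {
    case "$(mode_of "$1")" in *[4567][0-7]) echo yes ;; *) echo no ;; esac
}

make_demo_tree
harden_le_perms
printf 'privkey: others=%s group=%s owner-group=%s\n' \
    "$(others_can_read "$LIVE/privkey.pem")" \
    "$(group_can_read "$LIVE/privkey.pem")" \
    "$(stat -L -c %G "$LIVE/privkey.pem")"
```

Against the real tree this is run as root with LE_ROOT=/etc/letsencrypt and MAIL_GROUP set to Exim's group; Dovecot opens the key as root before dropping privileges, which is why only Exim tripped over the default permissions. Each renewal writes new privkeyN.pem files into archive/, so the permission fix has to be re-applied afterwards, for example from the renewal cron job (newer certbot versions can run it via a --post-hook), at the same time as Exim and Dovecot are reloaded to pick up the new certificate.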
Lastly, I set up a cron job that renews the certificate on expiry. Despite being in beta, Let’s Encrypt is proving to be quite stable and useful!