<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Lately my mail server almost always reports, whenever the certificate it last used has expired, that it<div class="">has expired, and Apple Mail then says that the server identity cannot be verified. That always alarms me, and then there is panic right away that day.</div><div class=""><br class=""></div><div class="">So I logged into my server, had a look, and saw that certbot has dutifully put current certificates in place.</div><div class=""><br class=""></div><div class="">So why doesn't dovecot use the current ones, since they are each symlinked to the ones in</div><div class="">/etc/letsencrypt/live/<a href="http://domain.org/fullchain.pem" class="">domain.org/fullchain.pem</a> </div><div class=""><br class=""></div><div class="">Here is an excerpt from my 10-ssl.conf</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(60, 0, 0); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">##</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(60, 0, 0); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">## SSL settings</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(60, 0, 0); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">##</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: 
"Courier New"; background-color: rgb(255, 255, 255); min-height: 12px;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""></span><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(60, 0, 0); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""># SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(60, 0, 0); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">#ssl = yes</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; background-color: rgb(255, 255, 255); min-height: 12px;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""></span><br class=""></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(60, 0, 0); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""># PEM encoded X.509 SSL/TLS certificate and private key. They're opened before</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(60, 0, 0); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""># dropping root privileges, so keep the key file unreadable by anyone but</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(60, 0, 0); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""># root. 
Included doc/mkcert.sh can be used to easily generate self-signed</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(60, 0, 0); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""># certificate, just make sure to update the domains in dovecot-openssl.cnf</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(0, 160, 40); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">ssl_cert = </etc/letsencrypt/live/<a href="http://mail.meine.org/fullchain.pem" class="">mail.meine.org/fullchain.pem</a></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(0, 160, 40); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">ssl_key = </etc/letsencrypt/live/<a href="http://mail.meine.org/privkey.pem" class="">mail.meine.org/privkey.pem</a></span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "Courier New"; color: rgb(0, 160, 40); background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">ssl_ca =</span></div></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class="">I assume that dovecot is the front end to the IMAP service.</span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Has dovecot locked the old cert file, so that the current one installed by certbot 
is not used?</span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Regards</span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Christoph Kukulies</span></div></body></html>