letsencrypt

How it works

Uses the acme.sh utility to validate and install TLS certificates from Let's Encrypt.

. mail-toaster.sh && provision letsencrypt

Sample output

More Info

There are three vhosts where certs are installed:

Haraka (smtp)
- /data/haraka/config/tls
Dovecot (IMAP & POP3)
- /data/dovecot/etc/ssl
Haproxy (HTTP)
- /data/haproxy/ssl.d/

Haproxy and Haraka will load and use all the certificates found in their respective TLS directories. Haproxy supports live reloads of TLS certificates. Restarting Dovecot and Haraka is required to add new certs.

Dovecot requires configuration for each certificate (vhost). See the Dovecot SSL docs and especially the bits about SNI

Limitations

Requires running the haproxy and webmail services. acme.sh will create a token file and send the request to the certificate signer. The authentication response will be a HTTP request on port 80. Haproxy will route the request to the webmail jail.
Firewalls: if a network device is blocking port 80 requests to your server, this step will not work.

Testing TLS configuration

High Tech Bridge SSL Server Test
SSL Labs Server Test (https only)
Cipherli.st
openssl
- openssl s_client -connect mail.example.com:587 -starttls smtp -tlsextdebug -status
- openssl s_client -connect mail.example.com:993 -servername mail.another-example.com

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

letsencrypt

How it works

More Info

Limitations

Testing TLS configuration

Mail Toaster 6

Clone this wiki locally