Let’s Encrypt with Exim and Dovecot

I experimented with installing the certificates from letsencrypt on my mail server. It was surprisingly straightforward. The key step is the domain verification, which requires port 80 or port 443 to be reachable on the host of the mail server. I run a secure mail server with Dovecot and Exim. Since nothing on the server was hosted on port 80, I used the standalone plugin, which runs a temporary standalone HTTP server for letsencrypt / certbot to answer the challenge:

    ./certbot-auto certonly --standalone -d mail.example.com

After running the command, the certificates were downloaded to /etc/letsencrypt, and all that remained was to change the configs of Exim and Dovecot:

Exim 4:

    tls_certificate = /etc/letsencrypt/live/mail.example.com/fullchain.pem
    tls_privatekey = /etc/letsencrypt/live/mail.example.com/privkey.pem

Dovecot:

    ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

One caveat I found was that Exim could not read the certificate and private key with the default letsencrypt permissions. While not ideal, I needed to loosen the permissions:

    sudo chmod 711 /etc/letsencrypt/live
    sudo chmod 711 /etc/letsencrypt/live/mail.example.com
    sudo chmod 711 /etc/letsencrypt/archive
    sudo chmod 711 /etc/letsencrypt/archive/mail.example.com
    sudo chmod 744 /etc/letsencrypt/archive/mail.example.com/*

Lastly, I set up a cron job that renews the certificate on expiry. Despite being in beta, Let’s Encrypt is proving to be quite stable and useful!
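The permission change above works, but chmod 744 on the archive files leaves privkey.pem readable by every local user, not just Exim. The script below is an added example, not part of the original post: it is a certbot deploy hook that copies the current fullchain.pem and privkey.pem out of /etc/letsencrypt into a separate directory, keeps the key at mode 0640 owned by a group the mail daemons belong to, and reloads the daemons, so /etc/letsencrypt itself can keep its default permissions. The group name (MAIL_GROUP, defaulting to "mail"), the destination /etc/ssl/mail, the systemd unit names exim4 and dovecot, and the RENEWED_LINEAGE variable that a recent certbot exports to --deploy-hook scripts are assumptions to adjust for your system; the helper functions run on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot deploy hook that
# installs the issued certificate and key for Exim/Dovecot without making
# /etc/letsencrypt/archive world-readable.
# Assumptions (placeholders): the mail daemons share the group MAIL_GROUP,
# DEST_DIR is outside /etc/letsencrypt, and the services are exim4/dovecot.
set -eu

# Return 0 if FILE is readable by "others" (the o+r bit is set), 1 otherwise.
# Parses ls -ld so it behaves the same on GNU and BSD userlands.
world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the nine permission characters of FILE, e.g. "rw-r-----".
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Copy fullchain.pem and privkey.pem from SRC_DIR to DEST_DIR:
#   fullchain.pem -> 0644 (the chain is public anyway)
#   privkey.pem   -> 0640, group GROUP (the daemons read it, nobody else)
install_certs() {
    src="$1"; dest="$2"; group="$3"
    mkdir -p "$dest"
    chmod 755 "$dest"
    cp "$src/fullchain.pem" "$dest/fullchain.pem"
    cp "$src/privkey.pem" "$dest/privkey.pem"
    chgrp "$group" "$dest/privkey.pem"
    chmod 644 "$dest/fullchain.pem"
    chmod 640 "$dest/privkey.pem"
}

# When certbot runs this script as --deploy-hook, RENEWED_LINEAGE points at
# /etc/letsencrypt/live/<domain>. Install the new files and reload the
# daemons so they pick up the renewed certificate.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" /etc/ssl/mail "${MAIL_GROUP:-mail}"
    systemctl reload exim4 dovecot   # assumption: systemd unit names
fi
```

With this in place, Exim and Dovecot point at /etc/ssl/mail/fullchain.pem and /etc/ssl/mail/privkey.pem instead of the /etc/letsencrypt paths, and the renewal cron job becomes a plain `certbot renew --deploy-hook /path/to/this/script` (run once or twice a day; certbot only renews when the certificate is close to expiry, and the hook only fires when it actually did).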

Source and credit: https://loune.net