Let's encrypt with postfix / dovecot/courier / ftp

Discussion in 'General' started by Hirbod, Aug 12, 2016.

  1. Hirbod

    Hirbod New Member

    Hi,
Is there any good solution for how to use ISPConfig to secure FTP(S), Postfix and Dovecot/Courier?
    Currently, I've placed my purchased certs inside /etc/ssl/ and used the software's default path to grab the certificates, but I would love to have the ability to include Let's Encrypt without the hassle of renewing manually. I could create some subdomains and copy the content of the certs, but this is again a lot of work. And if I change the config of the services to point to the SSL certs which are created under client/....ssl/, I have to renew the paths every time I update or reconfigure some services.

    Is there any good approach with 0 headaches?
     
  2. You could create a symlink to the client/..../ssl/ certs and keep the config as is.

    That could be a 0 headaches solution?
     
  3. Hirbod

    Hirbod New Member

    @Rein van 't Veer that wouldn't work, as the names are different. The config would change when I reconfigure them or when major updates arrive which have to change the config-files.

    Actually, the best thing would be, if ISPConfig would patch them automatically and insert the right paths (and re-inject the values, when there was an update)
     
  4. Hirbod

    Hirbod New Member

After digging around a bit, I finally decided to go the symlink way now. As ISPConfig will save /etc/ on updates, I can quickly re-add the SSL lines into postfix.conf and dovecot.conf.

    I created a

    smtpd.cert
    smtpd.key

symlink inside /etc/postfix which linked to the Let's Encrypt files (ln takes the target first, then the link name):
    ln -s /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem /etc/postfix/smtpd.cert
    ln -s /etc/letsencrypt/live/mail.mydomain.com/privkey.pem /etc/postfix/smtpd.key

as Let's Encrypt is only fully trusted with the complete chain (the X3 authority alone isn't trustworthy; DST cross-signing is required to prevent Thunderbird/Apple Mail alerts).
    I linked Dovecot to use the same symlinks inside /etc/postfix, et voilà. It works. A bit hacky but fair enough for free SSL.
     
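The symlink approach from the post above, as an added example that is not from the thread or from ISPConfig: a small POSIX sh helper that creates the two Postfix links with the correct ln argument order, refuses to link if the Let's Encrypt files are missing, and checks that the links resolve to readable files (what Postfix and Dovecot will actually open at startup). The directory arguments and the scratch tree in demo() are assumptions so it can run offline; the "certificates" it writes are constructed dummy files.

```shell
#!/bin/sh
# link_le_certs LE_LIVE_DIR POSTFIX_DIR
#   Points POSTFIX_DIR/smtpd.cert and smtpd.key at the Let's Encrypt
#   fullchain.pem and privkey.pem. ln -s takes TARGET first, LINK_NAME second.
#   -f replaces an existing file/link, so re-running after an ISPConfig update
#   that regenerated smtpd.cert/smtpd.key restores the setup.
link_le_certs() {
    le_live="$1"      # e.g. /etc/letsencrypt/live/mail.mydomain.com (assumed)
    postfix_dir="$2"  # e.g. /etc/postfix (assumed)
    for f in fullchain.pem privkey.pem; do
        [ -f "$le_live/$f" ] || { echo "missing $le_live/$f" >&2; return 1; }
    done
    ln -sf "$le_live/fullchain.pem" "$postfix_dir/smtpd.cert" || return 1
    ln -sf "$le_live/privkey.pem"  "$postfix_dir/smtpd.key"  || return 1
}

# check_le_links POSTFIX_DIR
#   Prints "ok" when both names are symlinks whose targets are readable;
#   a dangling link (e.g. after the LE directory was renamed) fails here
#   rather than at the next Postfix/Dovecot restart.
check_le_links() {
    postfix_dir="$1"
    for name in smtpd.cert smtpd.key; do
        p="$postfix_dir/$name"
        [ -L "$p" ] && [ -r "$p" ] || { echo "$p is not a readable symlink" >&2; return 1; }
    done
    echo "ok"
}

# demo: exercise the helpers on a constructed scratch tree, not real certs.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/le/live/mail.example.test" "$root/postfix"
    printf 'DUMMY FULLCHAIN\n' > "$root/le/live/mail.example.test/fullchain.pem"
    printf 'DUMMY KEY\n'       > "$root/le/live/mail.example.test/privkey.pem"
    link_le_certs "$root/le/live/mail.example.test" "$root/postfix" || return 1
    check_le_links "$root/postfix" || return 1
    cat "$root/postfix/smtpd.cert"   # shows the link resolves to the chain file
    rm -rf "$root"
}
```

For Dovecot, point ssl_cert and ssl_key at the same two link names so one renewal serves both daemons, as the post describes.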
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

When you update your ISPConfig control panel server, just answer NO to the question asking if it should generate a new SSL certificate, and your symlinks will stay intact. I accidentally answered YES there once and it did break the letsencrypt setup, but just recreate the symlinks again and it'll be back; I've answered NO through many updates and the symlinks stay. That's as good as you can do, and pretty tolerable, until the ISPConfig installer gets letsencrypt support.
     