After having configured Kolab, you probably want to secure it with SSL/TLS. This article describes how to do that with certificates from Let’s Encrypt.
If the file /etc/httpd/conf.d/ssl.conf exists, remove or rename it.
Install certbot:
# yum install certbot
# yum install certbot-apache
Create the config file /etc/httpd/conf.d/<domain.tld>.conf:
<VirtualHost *:80>
    ServerName <domain.tld>
    ServerAlias *.<domain.tld>
    DocumentRoot "/usr/share/roundcubemail/public_html"
</VirtualHost>
Restart httpd:
# systemctl restart httpd
Create the certificates:
# certbot -d <domain.tld> --apache
Note: Certbot has trouble using apachectl on CentOS 7. Until this issue is fixed through an update, it can be worked around as follows:
In the file /usr/lib/python2.7/site-packages/certbot_apache/_internal/override_centos.py
change the lines:
ctl="apachectl",
version_cmd=['apachectl', '-v'],
into:
ctl="httpd",
version_cmd=['httpd', '-v'],
In the file /usr/lib/python2.7/site-packages/certbot_apache/_internal/configurator.py
comment out the 3 lines:
# self.options["version_cmd"][0] = self.option("ctl")
# self.options["restart_cmd"][0] = self.option("ctl")
# self.options["conftest_cmd"][0] = self.option("ctl")
Create certificate bundle:
# cat /etc/letsencrypt/live/<domain.tld>/cert.pem /etc/letsencrypt/live/<domain.tld>/privkey.pem /etc/letsencrypt/live/<domain.tld>/fullchain.pem > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
# chown cyrus:mail /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
Add to /etc/imapd.conf:
tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
tls_server_ca_file: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
As the postfix certificate needs a different owner, copy the bundle to a different file. The file contains the private key, so its mode must not give other users access:
# cp /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem
# chown postfix:mail /etc/pki/tls/private/postfix.pem
# chmod 640 /etc/pki/tls/private/postfix.pem
In postfix/main.cf set:
smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
smtpd_tls_cert_file = /etc/pki/tls/private/postfix.pem
Restart imapd, postfix and httpd:
# systemctl restart cyrus-imapd postfix httpd
Check the certificate:
# openssl s_client -connect 127.0.0.1:993 -servername <domain.tld>
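To complement the connection check, the following added example (not part of the original article) audits the bundle files themselves: each must hold exactly one private key and at least one certificate, give other users no access, and carry a key that matches the leaf certificate. The function names and the script name are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original article: audit a combined PEM bundle.
# Usage (script name is hypothetical):
#   sh check_bundle.sh /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem

# Structure and permission check; needs only POSIX tools.
check_bundle() {
    bundle=$1; rc=0
    [ -r "$bundle" ] || { echo "$bundle: not readable" >&2; return 2; }
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$bundle" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$keys" -eq 1 ] || { echo "$bundle: expected 1 private key, found $keys" >&2; rc=1; }
    [ "$certs" -ge 1 ] || { echo "$bundle: no certificate found" >&2; rc=1; }
    # Characters 8-10 of the ls mode string are the permissions for "other".
    other=$(ls -ld "$bundle" | cut -c8-10)
    [ "$other" = "---" ] || { echo "$bundle: mode grants other users '$other'" >&2; rc=1; }
    return "$rc"
}

# Confirm the private key belongs to the first (leaf) certificate; needs openssl.
key_matches_cert() {
    bundle=$1
    cert_pub=$(awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}' "$bundle" |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$bundle" |
        openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Audit every bundle named on the command line; non-zero status if any fails.
audit_bundles() {
    status=0
    for f in "$@"; do
        if check_bundle "$f" && key_matches_cert "$f"; then
            echo "$f: OK"
        else
            echo "$f: FAILED" >&2; status=1
        fi
    done
    return "$status"
}

audit_bundles "$@"
```

A bundle written by a plain shell redirect inherits the umask of the shell that created it, so a file reported as accessible to other users needs its mode tightened before the services are restarted.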