After having configured Kolab, you probably want to secure it with SSL/TLS. This article describes how to do that with certificates from Let’s Encrypt.

If the file /etc/httpd/conf.d/ssl.conf exists, remove or rename it.

Install certbot:

# yum install certbot
# yum install certbot-apache

Create the config file /etc/httpd/conf.d/<domain.tld>.conf:

<VirtualHost *:80>
ServerName <domain.tld>
ServerAlias *.<domain.tld>
DocumentRoot "/usr/share/roundcubemail/public_html"
</VirtualHost>

Restart httpd:

# systemctl restart httpd

Create the certificates:

# certbot -d <domain.tld> --apache

Note: Certbot has trouble using apachectl on CentOS 7. Until this issue is fixed through an update, it can be worked around as follows:

In the file /usr/lib/python2.7/site-packages/certbot_apache/_internal/override_centos.py

change the lines:

ctl="apachectl", 
version_cmd=['apachectl', '-v'],

into:

ctl="httpd",
version_cmd=['httpd', '-v'],

In the file /usr/lib/python2.7/site-packages/certbot_apache/_internal/configurator.py

comment out the 3 lines:

# self.options["version_cmd"][0] = self.option("ctl")
# self.options["restart_cmd"][0] = self.option("ctl")
# self.options["conftest_cmd"][0] = self.option("ctl")

Create certificate bundle:

# cat /etc/letsencrypt/live/<domain.tld>/cert.pem /etc/letsencrypt/live/<domain.tld>/privkey.pem /etc/letsencrypt/live/<domain.tld>/fullchain.pem > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem 
# chown cyrus:mail /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem

Add to /etc/imapd.conf:

tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
tls_server_ca_file: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem

As the postfix certificate needs a different owner, copy the bundle to a different file. The bundle contains the private key, so make it readable by its owner only:

# cp /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem
# chown postfix:mail /etc/pki/tls/private/postfix.pem
# chmod 600 /etc/pki/tls/private/postfix.pem

In postfix/main.cf set:

smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
smtpd_tls_cert_file = /etc/pki/tls/private/postfix.pem

Restart imapd, postfix and httpd:

# systemctl restart cyrus-imapd postfix httpd

Check the certificate:

# openssl s_client -connect 127.0.0.1:993 -servername <domain.tld>
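
The two bundle files are copies that contain the private key, so they go stale when certbot renews the certificate and they should never be readable by group or others. The following script is an added example, not part of the original article: it rebuilds both bundles with owner-only permissions when certbot runs it as a deploy hook. The function names are hypothetical, and GNU stat and mktemp (as shipped with CentOS 7) are assumed.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds the Cyrus and Postfix bundles.
# Function names are hypothetical; paths and owners are the article's.

# build_bundle LIVE_DIR OUT_FILE
# Concatenate cert, key and chain in the article's order. The temp file is
# created mode 600 by mktemp, so the key is never group/world readable.
build_bundle() {
    live_dir=$1
    out_file=$2
    for f in cert.pem privkey.pem fullchain.pem; do
        [ -r "$live_dir/$f" ] || { echo "missing $live_dir/$f" >&2; return 1; }
    done
    tmp=$(mktemp "$out_file.XXXXXX") || return 1
    cat "$live_dir/cert.pem" "$live_dir/privkey.pem" "$live_dir/fullchain.pem" \
        > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out_file" \
        || { rm -f "$tmp"; return 1; }
}

# key_file_is_private FILE
# Succeed only if FILE grants nothing to group or others (GNU stat assumed).
key_file_is_private() {
    mode=$(stat -c %a "$1") || return 1
    case $mode in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<domain.tld>) to
# deploy hooks; when it is unset, the script only defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    cyrus=/etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
    postfix=/etc/pki/tls/private/postfix.pem
    build_bundle "$RENEWED_LINEAGE" "$cyrus" && chown cyrus:mail "$cyrus" &&
    build_bundle "$RENEWED_LINEAGE" "$postfix" && chown postfix:mail "$postfix" &&
    key_file_is_private "$cyrus" && key_file_is_private "$postfix" &&
    systemctl restart cyrus-imapd postfix
fi
```

Install it as an executable file in /etc/letsencrypt/renewal-hooks/deploy/ so that certbot runs it after each successful renewal.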