Securing imap with Letsencrypt

benjamin.boudoir at free.fr benjamin.boudoir at free.fr
Wed Aug 1 11:05:08 CEST 2018


Hi,

Le 01/08/2018 09:18, Milan Petrovic a écrit :
> Hi all,
> 
> I'm running a multidomain Kolab setup on Ubuntu, with Nginx.
> I'm trying to make cyrus-imap use the Letsencrypt certificates
> without any success (the certs are working fine on the Nginx part,
> also working fine for Active-sync connections).
> The certificates are stored in /etc/letsencrypt/archive/my_domain/,
> chmoded to 640, owned by root (I have tried to have them owned by a
> group 'mail' or 'ssl-cert', nothing happens).
> Whenever I point the "tls_client_ca_file", "tls_server_cert" and
> "tls_server_key" of imapd.conf to letsencrypt certs, I get in the logs
> the following:
> Aug  1 02:10:50 collab imaps[28524]: unable to get certificate from
> '/etc/letsencrypt/archive/my_domain/cert6.pem'
> Aug  1 02:10:50 collab imaps[28524]: TLS server engine: cannot load
> server cert/key data.
> Aug  1 02:10:50 collab imaps[28524]: error initializing TLS
> Aug  1 02:10:50 collab imaps[28524]: Fatal error: tls_init() failed

I do it too.

You used to have the following users in your group:
- cyrus
- postfix

And have group rights at least to "read" (+r) on your certificates.

Note that the folders sort of inherit the permissions from upper 
folders; they have to be readable (+r) and crossable (+x) by your group 
too.

You may debug it simply by switching to them (like: su - cyrus 
--shell=/bin/sh) and doing some ls/cat to find what "breaks" the 
authorization.

> At some point in the past I see I have commented out the ldap
> configuration from the imapd.conf, not sure when and why (both the
> base ldap configuration and the addition at the end for the
> multidomain setup), but uncommenting it makes the login within
> roundcube unsuccessful.

Your users might be stored in cyrus instead of LDAP. In that case, 
it's normal that you can't log in via LDAP, because your whole setup might 
depend on IMAP authentication.

> Please help.
> 
> Thanks, Milan
> _______________________________________________
> users mailing list
> users at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/users
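The permission walk the reply describes (every directory above the certificate crossable by the group, the certificate itself readable by it) can be checked without switching users. The script below is an added example and is not from this thread; it assumes GNU coreutils `stat` and, because the certificates are root-owned, only looks at the group and "other" bits, i.e. it models an account such as cyrus that is not the owner of any path component. The directory tree it builds is a constructed fixture mirroring the thread's layout, and the current user's primary group stands in for the 'ssl-cert' or 'mail' group.

```shell
#!/bin/sh
# Added example, not from the thread: walk a certificate path the way the
# kernel does for a process that is not the file owner and belongs to GROUP,
# and report the first component that denies access. Every directory on the
# way needs x (traverse); the certificate itself needs r.
# Assumes GNU coreutils stat (-c '%a' / '%G') and that the checked account
# is not the owner of any component (the thread's certs are owned by root).

check_path_for_group() {
  target=$1
  group=$2
  acc=""
  saved_ifs=$IFS
  IFS=/
  set -f                      # no globbing while splitting the path on '/'
  set -- $target
  set +f
  IFS=$saved_ifs
  for part in "$@"; do
    [ -n "$part" ] || continue
    acc="$acc/$part"
    mode=$(stat -c '%a' "$acc") || return 2
    owner_group=$(stat -c '%G' "$acc")
    mode=${mode#"${mode%???}"}             # keep the last three octal digits
    if [ "$owner_group" = "$group" ]; then
      digit=${mode%?}; digit=${digit#?}    # group digit applies
    else
      digit=${mode#??}                     # "other" digit applies
    fi
    if [ -d "$acc" ]; then
      needed=1; label="x (traverse)"
    else
      needed=4; label="r (read)"
    fi
    if [ $((digit & needed)) -eq 0 ]; then
      echo "DENIED at $acc (mode $mode, group $owner_group): $group lacks $label"
      return 1
    fi
  done
  echo "OK: a member of $group can read $target"
  return 0
}

# Constructed fixture mirroring the thread's layout under /tmp: archive/ is
# deliberately 700 so that group traversal fails, the cert is 640 as in the
# thread.
make_demo_tree() {
  root=$(mktemp -d /tmp/certcheck.XXXXXX)
  mkdir -p "$root/letsencrypt/archive/my_domain"
  : > "$root/letsencrypt/archive/my_domain/cert6.pem"
  chmod 755 "$root" "$root/letsencrypt" "$root/letsencrypt/archive/my_domain"
  chmod 700 "$root/letsencrypt/archive"
  chmod 640 "$root/letsencrypt/archive/my_domain/cert6.pem"
  echo "$root"
}

# Usage: the current user's primary group stands in for the 'ssl-cert' (or
# 'mail') group that cyrus and postfix would be added to.
demo_root=$(make_demo_tree)
demo_cert="$demo_root/letsencrypt/archive/my_domain/cert6.pem"
demo_group=$(id -gn)
check_path_for_group "$demo_cert" "$demo_group"     # returns 1: DENIED at .../archive
chmod 750 "$demo_root/letsencrypt/archive"
check_path_for_group "$demo_cert" "$demo_group"     # returns 0: OK
rm -rf "$demo_root"
```

On a real host you would run `check_path_for_group /etc/letsencrypt/archive/my_domain/cert6.pem ssl-cert` (after adding cyrus and postfix to that group, as the reply says) and then confirm with the reply's own method, `su - cyrus --shell=/bin/sh` followed by `cat` on the certificate, since ACLs or a missing group membership are not visible in the mode bits alone. Note that certbot's `live/` directory holds symlinks into `archive/`, so the archive directories must be traversable even when imapd.conf points at `live/`.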

