
Use Dovecot IMAP Server with different TLS/SSL certificates


Introduction

I have been operating a separate mail server for several years, which hosts all my domains. Since I'm the only user on this mail server, until some time ago I always used a single certificate for all domains. The disadvantage of this was that I always received a certificate warning for the accounts on the other domains.

There are simple ways of doing this, such as managing Certbot certificates on such a server, but nothing is installed on my mail server except the mail software. The firewall is configured accordingly; the server doesn't even speak SSH just like that, so that I can run it as securely as possible.

Two months ago I built a central certificate server that manages and distributes all my certificates. That is why I can now roll out certificates to my mail server much more simply, without having to install additional software, and why I decided to use a separate certificate for each domain.

This post shows how to set up the corresponding configuration in Dovecot so that the e-mail client of your choice no longer shows a warning.

Main part

To adjust the SSL configuration you can use either the main configuration file or the separate SSL configuration file. Since I run a very simple IMAP server without frills, I keep my configuration centrally in the main configuration file, /etc/dovecot/dovecot.conf, and that is where the TLS configuration must be created. In principle it looks like this (the "<" in front of the path is mandatory: it tells Dovecot to read the contents of the file rather than use the string itself!):

###
### TLS Config
#######################
# Default SSL certificate for pure-smart.de
# local_name blocks hold the certs for other domains not covered by the default

ssl = required
ssl_cert = </etc/certs/pure-smart.de/cert.pem
ssl_key = </etc/certs/pure-smart.de/key.pem
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
ssl_dh = </etc/dovecot/diffieh.pem

This configuration is enough if you only want to serve a single domain, or if the warning doesn't bother you. In that case you'd be done.

In my case, however, each domain should have its own certificate, and for that there is the "local_name" directive, which selects the certificate based on the host name the client sends in the TLS handshake (SNI). To use your own certificate for a given domain, add the following block per domain:

local_name imap.second-domain.de {
    ssl_cert = </etc/certs/nodework.de/cert.pem
    ssl_key = </etc/certs/nodework.de/key.pem
}

For each domain that should not use the default certificate (the one specified first under TLS Config), a local_name block is created and a separate certificate is handed over. Note the "<" at the beginning here as well; it is IMPORTANT!

Once done, Dovecot can be restarted and the certificates are used. The other TLS settings can also be set inside the local_name blocks, but since my default settings are secure this is not necessary for me. For example, if you want to support older mail clients for a specific domain, different ciphers could be defined in that local_name.
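After the restart it is worth checking from the outside which certificate Dovecot actually presents for each local_name, because a typo in the host name silently falls back to the default certificate and the client warning comes back. The following script is an added example and not part of the original post or of Dovecot: it connects to the server with an explicit SNI name via openssl s_client, extracts the DNS entries of the presented certificate's subjectAltName, and verifies that they cover the requested name (including a "*." wildcard on the leftmost label, the rule TLS clients apply). The host name, port 993 (implicit TLS IMAP) and an OpenSSL 1.1.1 or newer (for "x509 -ext") are assumptions; the sample SAN text in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check which certificate Dovecot
# presents per SNI name. Assumes openssl >= 1.1.1 and IMAP on port 993.

# Parse the text output of "openssl x509 -noout -ext subjectAltName" on stdin
# and print one DNS name per line. Constructed sample input:
#   X509v3 Subject Alternative Name:
#       DNS:imap.second-domain.de, DNS:mail.second-domain.de
san_dns_from_text() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Read a PEM certificate on stdin and print its DNS SANs.
san_dns_names() {
    openssl x509 -noout -ext subjectAltName 2>/dev/null | san_dns_from_text
}

# Return 0 when NAME is covered by the newline-separated SAN list LIST.
# A "*.example.de" entry matches exactly one extra label, never the bare
# parent name and never more than one label.
name_matches() {
    name=$1
    list=$2
    parent=${name#*.}
    for san in $list; do
        case $san in
            "$name") return 0 ;;
            \*.*)
                if [ "$parent" != "$name" ] && [ "${san#\*.}" = "$parent" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
}

# Fetch the leaf certificate the server at HOST presents when SNI is NAME.
fetch_cert() {
    host=$1
    name=$2
    openssl s_client -connect "$host:993" -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Check every configured name against HOST. Prints OK/FAIL per name and
# returns 1 if any name received a certificate that does not cover it.
check_all() {
    host=$1
    shift
    rc=0
    for name in "$@"; do
        sans=$(fetch_cert "$host" "$name" | san_dns_names)
        if name_matches "$name" "$sans"; then
            echo "OK   $name"
        else
            echo "FAIL $name (presented: $(printf '%s' "$sans" | tr '\n' ' '))"
            rc=1
        fi
    done
    return $rc
}

# Usage (host and names are placeholders, replace with your own):
# check_all mail.example.de imap.pure-smart.de imap.second-domain.de
```

Run it once after every certificate rollout; a FAIL line for a name you configured in a local_name block almost always means the block's host name does not match what the client sends, or the file behind "<" holds the wrong certificate.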

Conclusion

As always, it should be noted that the settings can change. I maintain my mail server with every update and check whether important adjustments are needed (including with automated tools). If you don't do this, you should always check whether the settings are still up to date when you read this :)

You can send me a question by mail.