On 22/4/22 7:50 am, Jeremy Ardley wrote:
On 22/4/22 7:44 am, [email protected] wrote:Probably a bad idea. Many clients use STARTTTLS on port 143 rather than TLS on port 993On 22/4/22 7:25 am,[email protected] wrote:Thanks. I will give a try. after enabling SSL, can I disable port 143 entirely?
I forgot to mention that in /etc/dovecot/dovecot.conf you don't need to specify imaps. Dovecot automatically listens on port 993 and 143 when ssl is specified and applies the ssl directive as indicated.
#global
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pe
protocols = imap lmtp sieve
#specific domain override
local mail.example.com {
protocol imap {
ssl_cert = </etc/letsencrypt/live/special.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/special.example.com/privkey.pem
}
}
It is possible to generate a wildcard letsencrypt certificate
*.example.com but the process is tricky and has unexpected side-effects
such as typo.example.com resolves to example.com in DNS
-- Jeremy
OpenPGP_signature
Description: OpenPGP digital signature
