Just wanted to add this to the notes in case it helps anybody.

First, three rounds of thanks:

1. Of course, to DJB and everyone else who built this extraordinary software
2. To Eric B, for keeping the packages current on modern OSes… installation on 
CentOS 7.2 was dizzyingly simple
3. To Jamie Lerner from the list here, who was extremely generous sharing the 
details of her working setup with me… the process below is all hers, and all 
credit to her. Thanks Jamie :)

This assumes you’ve got LetsEncrypt set up and installed and working already 
for your web domain(s). I’m running nginx instead of apache for my web 
services; I haven’t yet worked on making the qmailadmin functions accessible 
over nginx because I’m comfortable with the command-line utilities. I’ll get to 
it eventually.

I am migrating domains from an old qmailtoaster setup (based on Bill Shupp’s 
version of the toaster from 10 or so years ago) to this new VM on DigitalOcean. 
I did a couple of the smaller ones first just to test the process, and then 
moved my main domain over the weekend. (I did accidentally destroy 
deliverability to it by mistakenly including it in /var/qmail/control/locals… 
don’t do that!)

You don’t need to get a cert for every vpopmail domain. Just do one for your 
main domain, like “mail.domain.com”, and have your clients authenticate to it. 
They can use their regular vpopmail credentials, but their incoming and outgoing 
mail server will be “mail.domain.com” whatever their virtual domains are.

I needed to set up a website at mail.domain.com for the sole purpose of 
obtaining the LetsEncrypt certs; I’m not planning to use it for anything else. 
There are other ways to get the certs, so you may not need to do this if you 
choose another method.

BEFORE INSTALLING THE NEW CERTS, increase the softlimits in 
/var/qmail/supervise/submission/run from 64000000 to 128000000. Although auth 
initially worked with the default setup, vchkpw started segfaulting immediately 
when I installed the letsencrypt certs, and authentication was impossible. That 
was the fix.

Finally, to install the certs, first back up the self-signed cert that was 
created as part of the qmailtoaster install in case you need it:

cd /var/qmail/control
cp -a servercert.pem servercert.pem-toaster-backup

Then concatenate the certs from your letsencrypt folder into a new cert:

cat /etc/letsencrypt/archive/YOUR-MAIL-DOMAIN/{cert1,chain1,fullchain1,privkey1}.pem > servercert.pem

Make sure the permissions and ownership are correct:

chmod 640 servercert.pem
chown vpopmail:vchkpw servercert.pem
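An added helper (example code, not from the post or from qmailtoaster) for the concatenate-and-chmod steps above. It assembles the servercert.pem body from any set of PEM inputs, drops duplicate certificates (fullchain1.pem already contains cert1 and chain1, so the cat above includes them twice), insists on exactly one private key, and creates the file with mode 0640 from the start instead of fixing permissions afterwards; the PEM blocks at the bottom are constructed samples, and the destination path, uid and gid are whatever you pass in.

```python
import os
import re

# Matches one PEM block; the backreference makes BEGIN and END labels agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL
)

def pem_blocks(text):
    """Return (label, block) pairs for every PEM block found in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def build_servercert(*pem_texts):
    """Merge PEM inputs into one servercert.pem body: unique certificates
    first (leaf before chain, in input order), then exactly one private key.
    Duplicates are dropped, so passing cert1 + chain1 + fullchain1 is harmless."""
    certs, keys, seen = [], [], set()
    for text in pem_texts:
        for label, block in pem_blocks(text):
            if label == "CERTIFICATE":
                if block not in seen:
                    seen.add(block)
                    certs.append(block)
            elif label.endswith("PRIVATE KEY"):
                keys.append(block)
            # other block types (e.g. EC PARAMETERS) are not needed here
    if not certs:
        raise ValueError("no certificate found")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    return "\n".join(certs + keys) + "\n"

def install_servercert(bundle, dest, uid, gid):
    """Create dest with mode 0640 from the start; a plain 'cat > file' leaves
    the private key umask-readable (usually 0644) until the later chmod."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as f:
        f.write(bundle)
    os.chmod(dest, 0o640)  # dest may have pre-existed with other bits
    os.chown(dest, uid, gid)  # e.g. pwd.getpwnam("vpopmail").pw_uid

# Constructed sample blocks (not real key material) so the demo runs offline.
LEAF = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----"
CHAIN = "-----BEGIN CERTIFICATE-----\nCHAIN\n-----END CERTIFICATE-----"
KEY = "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----"
FULLCHAIN = LEAF + "\n" + CHAIN + "\n"

if __name__ == "__main__":
    out = build_servercert(LEAF, CHAIN, FULLCHAIN, KEY)
    print(out.count("BEGIN CERTIFICATE"), "certificate(s),", out.count("BEGIN PRIVATE KEY"), "key")
```

Feed it /etc/letsencrypt/live/YOUR-MAIL-DOMAIN/fullchain.pem and privkey.pem rather than the numbered archive files, since the live/ symlinks follow renewals while the archive/...1 names stay on the first issued cert. Re-running it (plus the restarts below) from a certbot deploy hook keeps the bundle from going stale when the 90-day cert renews.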

And restart qmail and dovecot (not completely sure if this is necessary, just 
playing it safe)

qmailctl restart
systemctl restart dovecot

And that’s it! Working for me.

Thanks again to all involved with this project, and again to Jamie Lerner for 
taking the time to answer my questions, way above and beyond.

- Steve Linberg

-- 
Steve Linberg, Chief Goblin
Silicon Goblin Technologies
http://silicongoblin.com
Be kind.  Remember, everyone you meet is fighting a hard battle.