Letsencrypt certificates are fine for email servers; I've been using them for several years.

I initially had this same problem.

Spamassassin/qmail starts a new instance with each new SMTP connection, so when a new cert is saved it starts getting used on the next SMTP connection.

However, dovecot is a long-running daemon and therefore does not work like that. The script which renews the letsencrypt cert must afterwards restart dovecot so that the daemon will load the new cert. That is why your email clients are complaining.

You can confirm this by using openssl s_client to connect to SMTP and then to pop/imap, and you will likely see that spamassassin/qmail is using your new certificate while dovecot is using the old.

-Andy



On 4/29/2020 1:59 AM, Peter Peterse wrote:
Hi,

Are the dovecot and qmail services restarted?

Regards,
Peter

Solo <s...@privat.dk> wrote on 29 April 2020 11:42:10 CEST:


    Hi.

    I think Letsencrypt is for websites/servers and not for the specific
    email, which requires another type of certificate than Letsencrypt issues
    - usually that is set up when qmail is installed (openssl) and placed in
    /var/qmail/....

    /Finn vB

    On 29-04-2020 at 10:52, ChandranManikandan wrote:

        Hi Remo,

        FYI
        ssl_cert = </etc/letsencrypt/live/panasiagroup.net/fullchain.pem
        ssl_key = </etc/letsencrypt/live/panasiagroup.net/privkey.pem
        # the following will likely be the default at some point
        ssl_dh_parameters_length = 2048


        On Wed, Apr 29, 2020 at 11:48 AM Remo Mattei <r...@mattei.org> wrote:

        You need to check the /etc/dovecot/toaster.conf file; that’s where
        the cert for outlook and thunder lives.

        Remo

            On Apr 28, 2020, at 20:38, ChandranManikandan <kand...@gmail.com> wrote:

            Hi Friends,

            The certbot renew command is showing the message below:
            Saving debug log to /var/log/letsencrypt/letsencrypt.log

            - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            Processing /etc/letsencrypt/renewal/xxx.com.conf
            - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            Cert not yet due for renewal

            - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

            The following certs are not due for renewal yet:
               /etc/letsencrypt/live/xxx.com/fullchain.pem expires on 2020-06-27 (skipped)
            No renewals were attempted.
            - - - - - - - - - - - - - - -

            But Outlook and Thunderbird are showing a certificate issue, and
            the certificate expiry date is showing as 28-Apr-2020 in Thunderbird.
            I have checked on the website, and for the same certificate the
            expiry date is showing as 27-06-2020.

            Did I make a mistake?
            How do I check and fix the above issue?
            Could anyone help me?
            I appreciate your help.

            Note: Centos 7 with qmailtoaster
            --
            Regards,
            Manikandan.C




        --
        Regards,
        Manikandan.C

    ------------------------------------------------------------------------
    To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
    For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.


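The check Andy describes (openssl s_client against SMTP and then POP/IMAP), written out as an added script that is not part of the thread: it compares the leaf certificate each service presents with the leaf in certbot's fullchain.pem. The port numbers, the function names and the host and path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Usage (host and path are placeholders):
#   sh certcheck.sh mail.example.com /etc/letsencrypt/live/example.com/fullchain.pem

# Print the base64 body of the first (leaf) certificate in a PEM stream as one
# line. Works on fullchain.pem and on the mixed text `openssl s_client` prints.
leaf_b64() {
  awk '/-----END CERTIFICATE-----/   { exit }
       inside                        { gsub(/[ \t\r]/, ""); printf "%s", $0 }
       /-----BEGIN CERTIFICATE-----/ { inside = 1 }'
}

# Args: PEM file on disk, file holding s_client output.
# Prints current (same leaf), stale (different leaf) or no-cert (none presented).
compare_leaf() {
  disk=$(leaf_b64 < "$1")
  served=$(leaf_b64 < "$2")
  if [ -z "$served" ]; then echo "no-cert"
  elif [ "$disk" = "$served" ]; then echo "current"
  else echo "stale"
  fi
}

# Fetch what a live service presents. $3 is empty for implicit TLS, or one of
# smtp/imap/pop3 to negotiate STARTTLS first.
fetch_served() {
  openssl s_client -connect "$1:$2" -servername "$1" ${3:+-starttls "$3"} \
    </dev/null 2>/dev/null
}

# Args: label, host, port, starttls protocol (may be empty), fullchain path.
check() {
  tmp=$(mktemp)
  fetch_served "$2" "$3" "$4" > "$tmp"
  state=$(compare_leaf "$5" "$tmp")
  rm -f "$tmp"
  printf '%-6s port %-4s %s\n' "$1" "$3" "$state"
  [ "$state" = "current" ]
}

main() {
  rc=0
  # Assumed ports: SMTP with STARTTLS on 25, IMAPS on 993, POP3S on 995.
  check smtp  "$1" 25  smtp "$2" || rc=1
  check imaps "$1" 993 ""   "$2" || rc=1
  check pop3s "$1" 995 ""   "$2" || rc=1
  return "$rc"
}

# Run only when given a host and a fullchain path, so the file can be sourced.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

A service reported as `stale` is still serving the certificate it loaded at startup; certbot's `--deploy-hook` option can run the dovecot restart after each successful renewal.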