Mini-Howto: Kopano IMAP & Let's Encrypt

kopano
dovecot
letsencrypt

#1

With the availability of the Cool Solutions - Let’s Encrypt I can continue on a project which I wanted to start with UCS 4.2 and Kopano.
As Apache and Postfix can be secured as described in the Wiki we also have to make sure that other Kopano services are using the certificate and will also notice once a new certifcate is installed.

There a 2 subdirectories in /etc/univention/letsencrypt which contain the scripts for setup and refresh of the certificates. I adapted the scripts for dovecot.

root@mail:/etc/univention/letsencrypt# cat setup.d/kopano-gateway
#!/bin/bash
. /usr/share/univention-lib/ucr.sh
DIR_LE="/etc/univention/letsencrypt"
if is_ucr_true letsencrypt/services/kopano-gateway ; then
        setfacl -m u:kopano:r "$DIR_LE/domain.key"
        ucr set \
                kopano/cfg/gateway/ssl_private_key_file="$DIR_LE/domain.key" \
                kopano/cfg/gateway/ssl_certificate_file="$DIR_LE/chained.pem"
fi
root@mail:/etc/univention/letsencrypt# cat post-refresh.d/kopano-gateway
#!/bin/bash
#
. /usr/share/univention-lib/ucr.sh

DIR_LE="/etc/univention/letsencrypt"

if is_ucr_true letsencrypt/services/kopano-gateway ; then
        invoke-rc.d kopano-gateway restart
fi

root@mail:/etc/univention/letsencrypt# ucr get letsencrypt/services/kopano-gateway
yes

Securing kopano-ical should work in the same way. (Hint: ucr search kopano/cfg/ical/ssl_ ).

EDIT: I omitted the steps how to create the files, set permissions, create the UCRV and run the script to make sure that people who want to use this will think about it first.


UCS Let's Encrypt with Kopano IMAP
Lets Encrypt expired
#2

Thank you, but due to your edit I’m unable to complete it.
I created the scripts, made them executable, added the UCRV and executed them manually. (I hope letsencrypt runs the script automatically the next time?)

However, after the kopano-gateway service restarted the Ports 993 and 995 won’t work any longer:

root@server:/etc/univention/letsencrypt# systemctl status kopano-gateway.service
â kopano-gateway.service - Kopano Core IMAP/POP3 Gateway
   Loaded: loaded (/lib/systemd/system/kopano-gateway.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2018-11-18 14:22:12 CET; 9min ago
     Docs: man:kopano-gateway(8)
           man:kopano-gateway.cfg(5)
 Main PID: 2717 (kopano-gateway)
    Tasks: 1 (limit: 4915)
   Memory: 4.0M
      CPU: 606ms
   CGroup: /system.slice/kopano-gateway.service
           ââ2717 /usr/sbin/kopano-gateway -F

Nov 18 14:22:12 server systemd[1]: Started Kopano Core IMAP/POP3 Gateway.
Nov 18 14:22:12 server kopano-gateway[2717]: Sun Nov 18 14:22:12 2018: [kopano-gateway|T2717] [error  ] ECChannel::HrSetCtx(): cannot open cert file
Nov 18 14:22:12 server kopano-gateway[2717]: Sun Nov 18 14:22:12 2018: [kopano-gateway|T2717] [error  ] Error loading SSL context, POP3S and IMAPS will be disabled
Nov 18 14:22:12 server kopano-gateway[2717]: Sun Nov 18 14:22:12 2018: [kopano-gateway|T2717] [=======] Starting kopano-gateway version 8.6.2 (pid 2717)

I suspect Kopano doesn’t have access to the certificate files. But I don’t know if that’s the issue and I don’t kow how to properly solve it without breaking something else.

Edit:
Damn, just now I figured out, what was wrong.
chained.pem doesn’t exist, it’s signed_chain.crt instead. Now it’s working, 993 SSL for IMAP, 587 TLS for SMTP. I hope that’s correct.


#3

thats correct, see Lets Encrypt expired


#4

Just noticed this question:

scripts in /etc/univention/letsencrypt/post-refresh.d will run after the certificate was renewed.