
First, I was able to successfully set up a letsencrypt certificate on an Ubuntu 14.0.4 server for my domain, and I confirmed everything was okay by verifying I could access my domain via https and checking that I really did have the correct files in:

/etc/letsencrypt/live/domain.tld/

I have a Xeams mail server running on the server and I've been finding it difficult to follow the steps in the guide. First I had to convert the cert files generated by LetsEncrypt from .pem to .crt using:

openssl x509 -outform der -in my-cert.pem -out my-cert.crt

Which worked fine and converted the files successfully, but the problem I have with the guide is that it assumes I don't already have an SSL certificate, which isn't the case. I don't think I should have to generate a CSR code again when I already have the certificate from Letsencrypt.

To be clear, these are the cert files I have for my domain.

  1. cert.pem
  2. chain.pem
  3. privkey.pem
  4. fullchain.pem

But in the guide, it requires me to generate CSR codes and whatnot. I have skipped generating a CSR and gone to the part where I have to add the certificates to the keystore, but it's not very straightforward what I'm supposed to do, because the files in the guide don't correlate with what I have gotten from Letsencrypt.

When I try to follow the rest of the guide and test that my server accepts connections on the secure IMAP port 995, my server returns a self-signed certificate and not the certificate from the CA.

I used openssl to test the secure IMAP port 995:

openssl s_client -connect localhost:995

I also confirmed Letsencrypt support for SSL email protocols and Java, so there has to be something I am not getting right. I have not been able to figure out how to add my certificates to the keystore.

1 Answer


So I finally figured it out after days of searching, thanks to the guide here. You don't even need to use keytool at all, since xeams supports PKCS12 certificates.

  1. Create a PKCS12 that contains your fullchain.pem and privkey.pem:

    openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out synametrics.cert -name xeams

  2. Copy your synametrics.cert to xeams' installation directory:

    cp synametrics.cert /etc/Xeams/config/

  3. Create a server.properties file in the ./config folder if it doesn't exist already and append the parameters below to the file:

    javax.net.ssl.keyStore=config/synametrics.cert
    javax.net.ssl.keyStorePassword=password
    SSLCertificatePassword=password

    Where password is the password you entered when you created the keystore with openssl.

  4. Choose the PKCS12 keystore type in Xeams admin panel > SMTP Configuration > Configure SSL:

    Keystore parameters

  5. Enable the secure SMTP server and specify its port in xeams. Verify you can connect to your mail server on the specified ports:

    openssl s_client -connect mail.example.com:465

FIX FOR WEAK DH KEY

  1. You'll probably get an error from openssl about the DH key used by xeams being too small; this is a xeams issue, not an openssl or letsencrypt one.

    The problem was caused by xeams using a very weak ephemeral Diffie-Hellman public key, less than 1024 bits, when ideally it shouldn't be less than 2048 bits. I tried so many things, but this is what fixed it for me:

    Update the JRE that comes with xeams in /etc/xeams/jre with the one in this article by Synametrics:

    a. Stop the xeams SMTP service:

    service xeams stop

    b. Rename the jre folder in your xeams installation directory:

    mv -T jre jre.old

    c. Grab the compressed JRE for your machine's architecture from the link to the article above and extract it to the /etc/xeams/jre/ directory; your new jre folder should contain the contents of the compressed JRE.

    d. Start xeams!

    service xeams start

I hope this fixes it for someone out there. :)
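The keystore steps and the DH check above, as an added example that is not part of the original answer or of Xeams: a script that builds the PKCS12 file the way step 1 does, verifies that it opens with the chosen password and carries the expected certificate, and classifies an `openssl s_client` transcript as safe or weak against the 2048-bit bar the answer gives. It assumes `openssl` is on PATH; because no real Let's Encrypt material is available, it generates a throwaway self-signed key and certificate as a stand-in for privkey.pem and fullchain.pem, and the two handshake transcripts are constructed. The alias `xeams` and the password `password` are the ones the answer used.

```shell
#!/bin/sh
# Added example, not code from the original answer or from Xeams.
# Assumes: openssl on PATH. Files live in a temporary directory; the
# key/cert pair and the s_client transcripts below are constructed.
set -e

WORK="${TMPDIR:-/tmp}/xeams-p12-example.$$"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for privkey.pem / fullchain.pem: a one-day self-signed cert.
make_test_material() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=mail.example.com" \
    -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" >/dev/null 2>&1
}

# Step 1 of the answer: bundle chain + key into a PKCS12 keystore.
# The password is passed via -passout so the script runs unattended.
build_pkcs12() {
  fullchain="$1"; privkey="$2"; out="$3"; password="$4"
  openssl pkcs12 -export -in "$fullchain" -inkey "$privkey" -out "$out" \
    -name xeams -passout "pass:$password"
}

# Open the keystore with the given password and print the CN of the
# client certificate it holds. Prints nothing if the password is wrong
# or no certificate is present, so callers can compare against the
# expected hostname before pointing Xeams at the file.
pkcs12_cert_cn() {
  keystore="$1"; password="$2"
  openssl pkcs12 -in "$keystore" -nokeys -clcerts -passin "pass:$password" 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Extract the size of a finite-field DH ephemeral key from the
# "Server Temp Key: DH, N bits" line that openssl s_client prints.
# Prints nothing when the line is absent (e.g. the handshake already
# failed with "dh key too small", as the answer describes).
dh_temp_key_bits() {
  sed -n 's/.*Server Temp Key: *DH, *\([0-9][0-9]*\) bits.*/\1/p'
}

# Return 0 when the ephemeral key is acceptable, 1 otherwise.
# ECDH/X25519 key exchange is not finite-field DH and is not affected
# by the answer's problem, so it passes; DH must be >= 2048 bits.
dh_key_ok() {
  transcript="$1"
  case "$transcript" in
    *"Server Temp Key: ECDH"*|*"Server Temp Key: X25519"*|*"Server Temp Key: X448"*)
      return 0 ;;
  esac
  bits=$(printf '%s\n' "$transcript" | dh_temp_key_bits)
  [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Constructed transcripts: what the answer saw before and after the JRE update.
WEAK_TRANSCRIPT='Server Temp Key: DH, 1024 bits'
STRONG_TRANSCRIPT='Server Temp Key: DH, 2048 bits'

# Live use against a real listener (not exercised by the self-check):
#   dh_key_ok "$(openssl s_client -connect mail.example.com:465 </dev/null 2>&1)"

# Stand-alone run: build the keystore, confirm its contents, check both transcripts.
make_test_material
build_pkcs12 "$WORK/fullchain.pem" "$WORK/privkey.pem" "$WORK/synametrics.cert" password
echo "keystore holds certificate for: $(pkcs12_cert_cn "$WORK/synametrics.cert" password)"
if dh_key_ok "$WEAK_TRANSCRIPT";   then echo "weak transcript: ok";   else echo "weak transcript: DH key too small"; fi
if dh_key_ok "$STRONG_TRANSCRIPT"; then echo "strong transcript: ok"; else echo "strong transcript: DH key too small"; fi
```

One caveat that matters with a bundled, possibly old Xeams JRE: OpenSSL 3 writes PKCS12 files with AES-256 and a SHA-256 MAC by default, which older Java releases cannot open. If Xeams logs a keystore error after step 3, rebuilding the file with OpenSSL 3's `-legacy` flag produces the older encoding that old JREs understand; updating the JRE as the answer's DH fix does also removes that problem.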