Secure Kolab with Let’s Encrypt…

You have installed Kolab 16 on CentOS7 and you now want to secure it with SSL/TLS. This article describes how to do that with Let’s Encrypt.

If the file /etc/httpd/config.d/ssl.conf exists, remove or rename it.

Install certbot:

# yum install certbot
# yum install certbot-apache

Create the config file: /etc/httpd/config.d/<domain.tld>.conf:

<VirtualHost *:80>
ServerName <domain.tld>
ServerAlias *.<domain.tld>
DocumentRoot "/usr/share/roundcubemail/public_html"
</VirtualHost>

Restart httpd:

# systemctl restart httpd

Create the certificates:

# certbot -d <domain.tld> --apache

Note: Certbot has trouble using apachectl on CentOS7. Until this issue is fixed by an update, it can be worked around as follows:

In the file /usr/lib/python2.7/site-packages/certbot_apache/_internal/override_centos.py

change the lines:

ctl="apachectl", 
version_cmd=['apachectl', '-v'],

into:

ctl="httpd",
version_cmd=['httpd', '-v'],

In the file /usr/lib/python2.7/site-packages/certbot_apache/_internal/configurator.py

comment out the 3 lines:

# self.options["version_cmd"][0] = self.option("ctl")
# self.options["restart_cmd"][0] = self.option("ctl")
# self.options["conftest_cmd"][0] = self.option("ctl")


Create certificate bundle:

# cat /etc/letsencrypt/live/<domain.tld>/cert.pem /etc/letsencrypt/live/<domain.tld>/privkey.pem /etc/letsencrypt/live/<domain.tld>/fullchain.pem > /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem 
# chown cyrus:mail /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem

Add to /etc/imapd.conf:

tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem
tls_server_ca_file: /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem

As the Postfix certificate needs a different owner, copy the bundle to a separate file:

# cp /etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem /etc/pki/tls/private/postfix.pem
# chown postfix:mail /etc/pki/tls/private/postfix.pem
# chmod 655 /etc/pki/tls/private/postfix.pem

In postfix/main.cf set:

smtpd_tls_key_file = /etc/pki/tls/private/postfix.pem
smtpd_tls_cert_file = /etc/pki/tls/private/postfix.pem

Restart imapd, postfix and httpd:

# systemctl restart cyrus-imapd postfix httpd

Check the certificate:

# openssl s_client -connect 127.0.0.1:993 -servername <domain.tld>
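Let’s Encrypt certificates are only valid for 90 days, so the bundle, copy and restart steps above have to be repeated at every renewal. The script below is an added example, not part of the original article: it performs those steps as a certbot --deploy-hook (certbot exports RENEWED_LINEAGE, the live/<domain.tld> directory, to deploy hooks), using the article’s bundle paths, and it keeps the copied key file unreadable by other users instead of the 655 mode used above.

```shell
#!/bin/sh
# Added example (not from the original article): certbot deploy hook that
# rebuilds the Cyrus and Postfix bundles after each renewal and restarts the
# services. Install it with:
#   certbot -d <domain.tld> --apache --deploy-hook /usr/local/sbin/kolab-deploy.sh
set -eu

CYRUS_BUNDLE="${CYRUS_BUNDLE:-/etc/pki/cyrus-imapd/cyrus-imapd.bundle.pem}"
POSTFIX_BUNDLE="${POSTFIX_BUNDLE:-/etc/pki/tls/private/postfix.pem}"

# build_bundle LIVE_DIR OUT: concatenate cert, key and chain in the order the
# article uses. Written with mode 0600 to a temp file and then moved into
# place, so a daemon restarting mid-write never reads a half-written bundle.
build_bundle() {
    live="$1" out="$2"
    for f in cert.pem privkey.pem fullchain.pem; do
        [ -r "$live/$f" ] || { echo "build_bundle: missing $live/$f" >&2; return 1; }
    done
    tmp="$out.tmp.$$"
    ( umask 077; cat "$live/cert.pem" "$live/privkey.pem" "$live/fullchain.pem" > "$tmp" )
    mv -f "$tmp" "$out"
}

# install_bundle SRC DEST OWNER MODE: copy the bundle for a second daemon and
# set ownership and mode. The file holds the private key, so MODE must not
# grant access to "other". chown is skipped when not root, so the function can
# be exercised outside the hook.
install_bundle() {
    src="$1" dest="$2" owner="$3" mode="$4"
    cp -f "$src" "$dest"
    if [ "$(id -u)" -eq 0 ]; then chown "$owner" "$dest"; fi
    chmod "$mode" "$dest"
}

# check_endpoint HOST PORT SERVERNAME: print subject and expiry of the
# certificate a service presents (the article's openssl s_client check).
check_endpoint() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -enddate
}

# Only act when called by certbot; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_bundle "$RENEWED_LINEAGE" "$CYRUS_BUNDLE"
    chown cyrus:mail "$CYRUS_BUNDLE"
    install_bundle "$CYRUS_BUNDLE" "$POSTFIX_BUNDLE" postfix:mail 0600
    systemctl restart cyrus-imapd postfix httpd
    check_endpoint 127.0.0.1 993 "$(basename "$RENEWED_LINEAGE")"
fi
```

After a renewal, the hook’s final line prints the new expiry date of the certificate that cyrus-imapd serves on port 993, which confirms the daemon picked up the rebuilt bundle.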