
nuke
Resolved
0 votes
I finally had time to upgrade to C7.3 and did a fresh install on a new box. It's been a long time coming.

I am using cyrus/postfix for email.

I am using the self signed certificates for the moment until I can figure out how to do the Let's Encrypt Certbot for smtp/imap.

The present certificate (default) identifies itself as localhost.lan. There is no info in the certificate except for one mention of ClearOS. No email, no domain, nothing. Ahhhhh. Pretty much useless.

The certificate manager in COS7 is very limited, unless I've missed something, as I can't figure out where the webconfig has the mail certificates?

Is there a way to use the webconfig to update the mail certificate or am I back to the CLI?

Question 2.
Can I use the 3rd party certificate import in the certificate manager to import my old server mail certificate and use it for mail?
If yes, where do the imported certificates end up?
I presume I'll have to point cyrus & postfix to that imported certificate so would appreciate knowing where the certs are imported.

Thanks in advance.
In Mail
Sunday, September 10 2017, 01:15 AM
Responses (3)
  • Accepted Answer

    Sunday, September 10 2017, 03:48 PM
    Resolved
    0 votes
    nuke wrote:
    If I start fresh to create a new self signed mail certificate for pop/imap and smtp, then can I use the certificate manager?
    I need to work out what certificate manager can do now, but if you create new certificates in ClearOS then, no, you can't. When I last looked, all Certificate manager could really do is import certificates. If you create them in ClearOS, you'd need to export them to your desktop to re-import them. Pretty much a waste of effort.

    From memory I used "genkey" to generate my self-signed certificates. You'll need to install the crypto-utils package for it. It was very straightforward and put the certificates with the rest of them in /etc/pki/CA.

    For mail, I then had to edit /etc/postfix/main.cf and /etc/imapd.conf to point them to the new certificates. I also do not allow port 25 connections to relay mail (too many people trying to brute force it). Port 465 (SMTPS) is allowed by default if you open the incoming firewall. You need to do a command line edit to get Port 587 (STARTTLS) working. Both of those are better than port 25 (which you still need open if you are running a mail server).
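As an added example (not from the original post or from ClearOS), the directives the reply above refers to in /etc/postfix/main.cf, /etc/postfix/master.cf and /etc/imapd.conf. It assumes the certificate and key were placed at /etc/pki/CA/mail.example.com.crt and .key (placeholder names) and Cyrus IMAP 2.4 as shipped with CentOS 7; the 2.5 option names differ.

```ini
# /etc/postfix/main.cf -- point Postfix at the new self-signed pair
# (paths are placeholders; use the files genkey wrote under /etc/pki/CA)
smtpd_tls_cert_file = /etc/pki/CA/mail.example.com.crt
smtpd_tls_key_file  = /etc/pki/CA/mail.example.com.key
# Offer TLS on port 25 but do not require it: other MTAs may not use it
smtpd_tls_security_level = may
# Never accept a SASL login over a plaintext session
smtpd_tls_auth_only = yes
# Port 25 does no authentication at all, so there is nothing to brute-force;
# SASL is switched on only for the submission ports in master.cf below
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

# /etc/postfix/master.cf -- the "command line edit" that enables
# 587 (STARTTLS, TLS required) and 465 (SMTPS, TLS wrapper mode)
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps      inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

# /etc/imapd.conf -- Cyrus IMAP 2.4 option names
# (2.5 and later renamed these to tls_server_cert / tls_server_key)
tls_cert_file: /etc/pki/CA/mail.example.com.crt
tls_key_file: /etc/pki/CA/mail.example.com.key
```

After restarting postfix and cyrus-imapd, `openssl s_client -starttls smtp -connect mail.example.com:587` shows which certificate the server actually presents, so you can confirm it is no longer the localhost.lan default.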
  • Accepted Answer

    nuke
    Sunday, September 10 2017, 02:43 PM
    Resolved
    0 votes
    Hi Nick. It's been a while.

    Thanks so far!

    I understand what you're getting at with the Let's Encrypt. The every-2-month update will be a problem since my daughter is away at college and she'll complain that the email doesn't work. It will also create a learned experience to just "accept permanently" the certificate that shows up every few months. That isn't very security conscious.

    If I start fresh to create a new self signed mail certificate for pop/imap and smtp, then can I use the certificate manager?
  • Accepted Answer

    Sunday, September 10 2017, 08:17 AM
    Resolved
    0 votes
    Hi, nuke,

    Can I try to steer you away from using Letsencrypt certificates for mail? I tried it and it was horrible. Setting it up was easy enough and using certbot to manage the certificates was good, as it has a post-update hook which allows you to restart cyrus-imap and postfix when required. The problem is the clients. The Letsencrypt certificates last for three months and certbot attempts to renew after two. This means every two months you have to go round all your clients and update the certificates (or accept the warning which pops up). This was with Thunderbird and K-9 (Android) e-mail clients. I reverted to stock.

    From what I've read very little validation is done with e-mail certificates. More or less they are just used to secure the connection whether they are valid or not, self-signed or proper.

    I'll have to check where the imported certificates go to, but they should be pretty easy to find if you do an "updatedb && locate part_of_the_certificate_name", but note they are not necessarily stored in the format you import them as. From memory pem certificates are converted to crt. The most likely locations to find the imported certificates are under /etc/pki (perhaps /CA) or under /etc/clearos.