Dovecot and Exim with Letsencrypt
WebCP web hosting control panel uses Letsencrypt for SSL certificates. These SSL certificates can be used with Dovecot and Exim so that TLS works with the domain’s own certificate.
This will eliminate the warnings your client receives about invalid certificates.
How to setup your mail client to use the domain’s SSL certificate
The settings are:
- For the hostname use your domain name, e.g. example.com. Do NOT use
mail.example.com etc., just the naked domain name itself
- For SSL options make sure you use STARTTLS
- For the username ensure you use your complete email address.
Thunderbird fills the settings in a little differently from the above: it pre-populates the hostnames with a prefix, so they appear as smtp.example.com and imap.example.com. Remove that prefix so that only the domain name remains.
Once you’re done, the settings screen should look like this:
Why can’t I use mail.mydomain.tld?
As mentioned, you do need to use your domain name without a subdomain like mail, smtp, etc.
That’s not technically true if you have a dedicated IP address per domain name. But if your server has a single IP address and hosts multiple domains with SSL, the server uses SNI (Server Name Indication), a name-based SSL system, as opposed to the older IP-based systems of yesteryear.
Because Exim uses the SNI name to determine which SSL certificate to use, and because that name maps to an actual file on the server, you need to use the naked domain so that the correct file is found. The SSL certificate is typically found at /etc/letsencrypt/live/example.com/cert.pem. If you connect to mail.example.com instead, Exim will look for /etc/letsencrypt/live/mail.example.com, which does not exist (you could create it specifically, but that would be an extra certificate to maintain and would add complication rather than reduce it).
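The lookup described above, as an added example (not WebCP’s or Exim’s own code): the SNI name the client sends is turned into a path under /etc/letsencrypt/live/, which is why mail.example.com finds no certificate directory and gets the fallback certificate (and therefore a warning). Exim exposes the SNI name as $tls_in_sni during its tls_certificate expansion; since that value is client-controlled, the example validates it as a hostname before building a path. The set of issued names and the fallback name are constructed for the demonstration.

```python
import re
from pathlib import PurePosixPath

# Letsencrypt (certbot) keeps one directory per certificate name under this path.
LIVE_DIR = PurePosixPath("/etc/letsencrypt/live")

# Constructed stand-in for the filesystem: only the naked domains have
# certificate directories; there is no mail.example.com directory.
ISSUED = {"example.com", "example.org"}

# Conservative hostname syntax: dot-separated labels of letters, digits and
# hyphens, no label starting or ending with a hyphen, at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def cert_path_for_sni(sni, issued=ISSUED, live_dir=LIVE_DIR, fallback="example.com"):
    """Map a client-supplied SNI name to the certificate file the server would load.

    Returns (path, reason). Anything that is not a valid hostname, or that has
    no certificate directory, gets the fallback certificate; a client that
    asked for a different name then sees a certificate mismatch warning.
    """
    fallback_path = live_dir / fallback / "cert.pem"
    if not sni:
        return fallback_path, "no SNI sent; using fallback"
    # Normalise: drop a trailing dot, compare case-insensitively.
    name = sni.rstrip(".").lower()
    # Never splice an unvalidated, client-controlled string into a filesystem path.
    if not HOSTNAME_RE.match(name):
        return fallback_path, "SNI is not a valid hostname; using fallback"
    if name not in issued:
        return fallback_path, f"no certificate directory for {name}; using fallback"
    return live_dir / name / "cert.pem", "match"


if __name__ == "__main__":
    for sni in ("example.com", "mail.example.com", "Example.ORG.", "", "../other/dir"):
        path, reason = cert_path_for_sni(sni)
        print(f"{sni!r:22} -> {path}  ({reason})")
```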
Why do I need to use STARTTLS?
As mentioned in the previous section, in the old days SSL certificates were tied to IP addresses and each domain wanting an SSL certificate had to have a dedicated IP address. Today we use SNI which ties the SSL certificate to the domain name itself.
In the mail server software, if you tried to use SSL without STARTTLS it would not work (unless you did have a dedicated IP address), because on the initial connection the server would not know which domain name is being requested.
With STARTTLS the client connects without encryption and then requests encryption. During the TLS handshake that follows, the client specifies the hostname (the SNI name), so the server knows which certificate to use.
On WebCP connect Dovecot and Exim to your Domain’s SSL with STARTTLS
In a nutshell, then, on WebCP you can use your domain’s SSL certificate with Dovecot and Exim by using STARTTLS and the naked domain as the mail hostname.