I have web hosting with a provider and use their DNS service. But I don’t use their IMAP server – I host my own at home. Email clients like Thunderbird are averse to self-signed certs. So I generate a Let’s Encrypt signed cert for my Dovecot IMAP server.
On my home machine:
- install the certbot utility (FreeBSD port: py37-certbot)
- run certbot:
certbot certonly --manual --preferred-challenges=dns --agree-tos --email=<my email address> -d <imap host name>
- confirm that I’m OK with my IP being logged
On the provider’s control panel web site:
- Add a DNS TXT record with the name and value generated by certbot
- Wait a few minutes for the DNS record to be served
Back on my home machine:
- Press Enter at the certbot prompt
- Wait for certbot to clean up and show the names of the files containing the cert
- Edit the Dovecot config file to point the ssl_cert and ssl_key lines to the files generated by certbot. Note that the first less-than sign on each line is part of the config (it tells Dovecot to read the value from the named file), not a placeholder. E.g.
ssl_cert = < <generated fullchain.pem file name>
ssl_key = < <generated privkey.pem file name>
- Restart Dovecot
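Two of the steps above are "wait and hope": waiting for the TXT record to be served before pressing Enter, and checking after the restart that Dovecot really presents the new cert. Here is an added pair of shell helpers for those checks (example code, not from the original post). Assumptions: dig is installed (FreeBSD port dns/bind-tools), the challenge name is _acme-challenge.<imap host name> as certbot prints it, and the host name and token used in the comments are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes `dig` (bind-tools port)
# and `openssl` are installed; host names and tokens below are placeholders.

# Exit 0 if the expected ACME token appears among the TXT values read on stdin.
# Input is the `dig +short TXT` format: one quoted string per line, e.g. "abc123".
txt_matches() {
    expected="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        # strip the surrounding quotes dig prints around TXT strings
        value=${line#\"}
        value=${value%\"}
        [ "$value" = "$expected" ] && return 0
    done
    return 1
}

# Poll a public resolver (1.1.1.1, assumed) for _acme-challenge.<host> until the
# token certbot printed is visible. Let's Encrypt validates via public DNS, so a
# hit in your own resolver's cache proves nothing; ask a public resolver instead.
# Usage: wait_for_acme_txt imap.example.net TOKEN_FROM_CERTBOT
wait_for_acme_txt() {
    host="$1"; expected="$2"; tries="${3:-20}"; interval="${4:-30}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "_acme-challenge.$host" @1.1.1.1 | txt_matches "$expected"; then
            echo "_acme-challenge.$host serves the expected token; press Enter in certbot"
            return 0
        fi
        i=$((i + 1))
        echo "attempt $i/$tries: record not visible yet, sleeping ${interval}s"
        sleep "$interval"
    done
    echo "gave up: _acme-challenge.$host never served the token" >&2
    return 1
}

# After restarting Dovecot, print issuer, subject and expiry of the cert the IMAPS
# listener actually presents, so you can see it is the Let's Encrypt chain and not
# the old self-signed cert. Usage: check_imaps_cert imap.example.net
check_imaps_cert() {
    host="$1"; port="${2:-993}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer -subject -enddate
}
```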
When I need to renew the cert in a couple of months’ time, I can just do:
certbot renew