Example server is running CentOS 7, with Postfix, Dovecot, Amavisd, and Clamd.  ISPConfig 3.1 is our main server management tool.

There is a cron job which checks the expiry date of the security certificates.  If the expiry date is within a few days, the cron job obtains a new certificate via Let’s Encrypt.  (We need to verify this mechanism with precision, unsure at the moment)

One problem we are having is that the email servers, postfix and dovecot, are not loading the refreshed Let’s Encrypt certificate.  We need to find a way to restart the postfix & dovecot services with a frequency such that the renewed security certificates are loaded.  We need to schedule, or otherwise trigger, systemctl reload postfix and systemctl reload dovecot.

Let’s Encrypt does have some hooks implemented.  Currently, we have a shell script at /etc/letsencrypt/renewal-hooks/deploy which fires after every renewal; but we would like to know how to do this on a per-domain basis.

A great resource on automating certificate renewals can be found here.


Checking Security Certificates via Command Line:
(source: StackOverflow)

openssl s_client -connect host:port -servername host [-starttls protocol] | openssl x509 -text

-servername host is the host name included in the TLS handshake (via the SNI).

Some examples for protocol in -starttls protocol might be smtp, pop3, imap, ftp, xmpp.


The GTUBE SpamAssassin Test:

The test is described at the SpamAssassin website. It confirms that the SpamAssassin spam filter is working; check /var/log/maillog on the server.  It is as simple as including the following line without whitespace in your email message body & sending the message to a mailbox on the server:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X


IMAP mailbox migrations: imapsync

We’ve had excellent results with the robust imapsync tool.


Create security certs for postfix / dovecot

Namecheap themselves have a guide for this.

cat /etc/ssl/certs/yourdomainname.crt /etc/ssl/certs/yourdomainname.ca-bundle >> /etc/ssl/certs/certificate.crt

And use your key file directly.