Monday, December 19, 2011

Regenerating self-signed Dovecot and Exim SSL certificates in Debian

I run my own mail server, including SMTP (exim4) and IMAP (dovecot). Connections to both of these are encrypted with SSL; however, I’m too lazy and cheap to buy a real certificate. Instead, I self-sign and pay attention to the fingerprint when approving the connection on the client end.

The problem is that these certificates expire. And, they don’t do it very often, so I forget how to generate new ones, and for some reason my google-fu is severely lacking in this area. So, here are notes on how to regenerate Exim and Dovecot self-signed certificates on Debian, for future me and perhaps you too.

(The above notwithstanding, lately http://wiki.debian.org/SSLkeys has emerged as a good resource for these and many other programs. That’s where much of the below came from.)

Anyway, first off, it’s not always obvious which certificate has expired. You can find out with:
$ openssl x509 -in /etc/exim4/exim.crt -text -noout | less
$ openssl x509 -in /etc/ssl/certs/dovecot.pem -text -noout | less
To regenerate for exim:
$ cd /usr/share/doc/exim4-base/examples
$ ./exim-gencert --force
$ /etc/init.d/exim4 restart
$ openssl x509 -in /etc/exim4/exim.crt -fingerprint -sha1 -noout
That last line will print the SHA1 fingerprint of the new certificate, which you can (and should) verify when connecting with your e-mail client, to make sure there’s no man-in-the-middle happening. (With a “real” certificate, the CA chain and the match against your domain name verify this, IIRC.)

On to dovecot:
$ rm /etc/ssl/certs/dovecot.pem
$ rm /etc/ssl/private/dovecot.pem
$ dpkg-reconfigure dovecot-common
$ openssl x509 -in /etc/ssl/certs/dovecot.pem -fingerprint -sha1 -noout
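As an added example (not from the post), here is a small POSIX shell script that wraps the openssl checks above: it reports whether each certificate is missing, expired, about to expire or fine, prints the fingerprint to compare against what the mail client shows, and can fetch the fingerprint a live server actually presents over STARTTLS so the two can be compared. It assumes openssl is installed and uses SHA-256 rather than the SHA-1 fingerprint the post prints; the certificate paths in the usage line are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is installed.

# Print "missing", "expired", "expiring" or "ok" for the PEM certificate
# in $1; $2 is the warning window in days (default 30).
cert_status() {
    cert=$1
    days=${2:-30}
    if [ ! -r "$cert" ]; then
        echo missing
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout \
            -checkend $((days * 86400)) >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# Print the SHA-256 fingerprint (colon separated) of the certificate in $1.
# This is the value to compare against what the mail client displays.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Print the SHA-256 fingerprint of the certificate a live server presents:
# $1 host, $2 port, $3 optional STARTTLS protocol (smtp, imap or pop3).
# A value that differs from cert_fingerprint on the file means something
# between client and server is presenting a different certificate.
served_fingerprint() {
    starttls=""
    [ -n "${3:-}" ] && starttls="-starttls $3"
    openssl s_client -connect "$1:$2" $starttls </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# One line per certificate; returns 1 if any is missing or has expired.
report_certs() {
    rc=0
    for cert in "$@"; do
        status=$(cert_status "$cert")
        printf '%-32s %-9s %s\n' "$cert" "$status" "$(cert_fingerprint "$cert")"
        case $status in expired|missing) rc=1 ;; esac
    done
    return $rc
}

# Usage: sh check_mail_certs.sh /etc/exim4/exim.crt /etc/ssl/certs/dovecot.pem
[ $# -gt 0 ] && report_certs "$@"
```

The exit status of the script is non-zero when any listed certificate is missing or expired, so it can run from cron and only make noise when something needs regenerating.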

4 comments:

  1. Thank you. To quote ..."If you can't explain it simply..." Again Thanks.

  2. Incredibly helpful, thank you. Andy

  3. I just create the certs for exim and point both exim and dovecot at the same files - it's worked well for me for the last 7 years.

    Peter

  4. Thanks for that. I'm running Debian 7.4, the certificates were in /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem, and you now have to run dpkg-reconfigure dovecot-core instead.
