I run my own mail server, including STMP (exim4) and IMAP (dovecot). Connections to both of these are encrypted with SSL; however, I’m too lazy and cheap to buy a real certificate. Instead, I self-sign and pay attention to the fingerprint when approving the connection on the client end.
The problem is that these certificates expire. And, they don’t do it very often, so I forget how to generate new ones, and for some reason my google-fu is severely lacking in this area. So, here’s notes on how to regenerate Exim and Dovecot self-signed certificates on Debian, for future me and perhaps you too.
(The above notwithstanding, lately http://wiki.debian.org/SSLkeys has emerged as a good resource for these and many other programs. That’s where much of the below came from.)
Anyway, first off, it’s not always obvious which certificate has expired. You can find out with:
$ openssl x509 -in /etc/exim4/exim.crt -text -noout | lessTo regenerate for exim:
$ openssl x509 -in /etc/ssl/certs/dovecot.pem -text -noout | less
$ cd /usr/share/doc/exim4-base/examples ./exim-gencert --forceThat last line will print the SHA1 fingerprint of the new certificate, which you can (and should) verify when connecting with your e-mail client, to make sure there’s no man-in-the-middle happening. (With a “real” certificate, the CA chain and your domain name verifies this, IIRC.)
$ /etc/init.d/exim4 restart
$ openssl x509 -in /etc/exim4/exim.crt -fingerprint -sha1 -noout
On to dovecot:
$ rm /etc/ssl/certs/dovecot.pem
$ rm /etc/ssl/private/dovecot.pem
$ dpkg-reconfigure dovecot-common
$ openssl x509 -in /etc/ssl/certs/dovecot.pem -fingerprint -sha1 -noout