Change Default Certificates for SMTP, IMAP, and POP3 over SSL


Browse by products and services

  • Applies to: DV
    • Difficulty: Medium
    • Time Needed: 20
    • Tools Required: SSH, root or sudo access, Plesk administrator access
  • Applies to: DV 4.0
    • Difficulty: Medium
    • Time Needed: 20
    • Tools Required: SSH, root or sudo access, Plesk administrator access

Overview

By using SSL for email, you ensure that communications between your personal computer and your server will be encrypted. Your message contents, username, and password will be hidden from eavesdroppers -- but only hidden from eavesdroppers between you and your server! SSL services do not protect your messages once they leave your SMTP Server and head to their destinations. Even though your message contents are not necessarily protected, it does completely protect your username and password from detection. This is very important because it prevents identity theft, forged messages, etc.

Email configuration in the Plesk Control Panel does not have this option by default. For the purposes of this article, we will use the default self-signed certificate that came with your DV server.

If you need to setup your own certificates, you should copy your certificate and private key into the appropriate files and restart qmail and/or courier-imap/Dovecot services.

IMPORTANT NOTE:

Instructions for both Dovecot and Courier mail servers are included. Plesk versions 12.0 and later are provisioned with Dovecot as the default. Previous versions use Courier, but have an option to install Dovecot. If you are unsure of which software you are using or want to use something different, log into your Plesk control panel and navigate to Tools & Settings >> Mail Server Settings.

There is a single certificate for each of these services: SMTP, IMAP4, and POP3 over SSL and several various certificates cannot be used for various Plesk domains.

Make sure to specify the domain name for the certificate in order to avoid "domain name mismatch" warnings. For example, if the certificate was issued for the "dv-example.com" domain, then you should specify "dv-example.com" in your mail client preferences for SMTP/POP3/IMAP servers.

Requirements

Before you start, this article has the following dependencies:

READ ME FIRST

The publishing of this information does not imply support of this article. This article is provided solely as a courtesy to our customers. Please take a moment to review the Statement of Support.

Instructions for DV 4.0

  1. Log into your Plesk Server Administrator Panel.
  2. From the left navigation menu, click on Tools & Utilities and select SSL Certificates.

  3. Click on the default certificate.

    Scroll down until you see the sections Private Key and Certificate. Copy the contents of each section into a new file on your server and name the file with the .pem extension, e.g. dv-example.com.pem. Save this file to the /usr/share/courier-imap directory.

    Your file should look similar to this.

    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAtIEAVXOFSkHhS8SHI8KrC2Aru8uELbUW+NdRBTVx5E/KcMtv
    aTUUysbl4/bjFcUahr4LLc4CxY+3FIyqRB7PGYR1GIQ9piZVtbWLLz4XgCby7bhy
    4vev8BLGe2BIhCF3ffbBnA2oRrKR2VIse6DobOLSh8DorrE2dkXBD8T/UCFiMCu/
    IYtsPMdVt4XvbDs1srMZa0bO/pSQP2a49WvS58LLsuoB195660QglbFo4PaNtuvg
    BrcJ/aP1sWE2OsqayZMK1ki4u4sJ6i86r1Kib44S6OK15ikKy09hFFkzGx6FZl5h
    j+BEM9pvYB6adVRQxD99eD9FsMfdIoKWXfB3+wIDAQABAoIBAQCvbB+y7E5B2Lzo
    MdtUecBZkeFu5V9UPIZS2I85DLPfO1x3On7QNHI8kAikADC525DoGpIqtegjsIQx
    SHPBOF/1YLGcXgi8DM2HhyP5idK1DSVSusuMoUMvgk+7X9uZ7hx/Iu0OiIdeDfWI
    yz/H9p1sFRSeMnDwNfHECA6VENNAP05bV7Q3xHY3pilqrGzCl+6H50tGxZay5xST
    YksntyLEh578mS8nU1ABW+8WqgYeRy8Q6F0ALV0rrWR2k/qoHgKteCJfpkSoy655
    El4weDcNvfoByemZFi6eNR3Fs8HWPhWHg3fpnpbXWcv1RI9TX3dlSTY2CPTbOrAK
    OeBsCtuhAoGBAOiHI/THrunahOX2GKS+lqkw75TaLhZvpE0jsuYff3VulHnFe691
    A2DFR2SZKbu14SgsHKSiF4sgjE1033a0S4C+OBmzzxFef0zb25UZV4Wo4sIY5OA2
    7vZhq2wSa1MmjAyRoZYx3jHbgRzZncKdBo8iL0vIvffHiPCiXJjMovG/AoGBAMa5
    fEG2KKjrvFCYIgDvcdYX+75jh6H/9I6QxC4daQDFx68cbKaY7iPz8EnkFoEyCjOO
    q5zqjdpvqNXU935tflW5xHE5Vaveb2eyuwb8vOD598v3US6pImo/iO5bM2EQkCyB
    WzDkNkHBGaSGFUyZXZ0WDx5xqKZusJgCpAbFr5DFAoGBAJa8JD7lwymtkkFQiyEg
    u6HqKyUfWokIzkWDQtGS0Zlamb1mm4teG1Z8DI/WCgu5F8Bm+BpxSTnTW6BKhyH4
    Nom6xbtDqJPl4jf8vhelWes3U+fnI1eFxNrK7ckdF53LezYaodkvco57+p6tI2up
    Rzs6OdayxxL8snTri4MyBN8ZAoGAVfhoiQUFEg7pqPQnwb/Uv4ognnzwcGUKp6J5
    PHn8sxjdCiSB3JDMdUFS8qR6F+pN/3/5Pik6tQUZRWicqVU1EmELWvAy3+eayoHH
    533vOGTrjpGvzT/eY5iY5IUP9S31MUvE56HS1x9yuHpJPJocpZilccY578ZzH1AF
    JejfywECgYAHCF1MFbMdHAqJhmkIKuTjz5b/1XPeDp2wXSnDHpEu3iRTVTU3eM4l
    0ytnR5sg6vVGsIq1XyhzocR7Dt5VEw8k7s9uKrgasEXb2fYY57BL1xNFvj3r0ukg
    TBKJm5esP2RPFEXaj367p62HKoOwcK7Ikhc3J3pOxftiAQV0f66I3Q==
    -----END RSA PRIVATE KEY-----
    
    -----BEGIN CERTIFICATE-----
    MIID4TCCAskCBEmHGf0wDQYJKoZIhvcNAQEFBQAwgbQxCzAJBgNVBAYTAlVTMRMw
    EQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtDdWx2ZXIgQ2l0eTEaMBgGA1UE
    ChMRKG10KSBNZWRpYSBUZW1wbGUxEDAOBgNVBAsTB3N1cHBvcnQxHzAdBgNVBAMT
    FmN1cnJlbnQubXQtZXhhbXBsZS5jb20xKzApBgkqhkiG9w0BCQEWHGFkbWluQGN1
    cnJlbnQtbXQtZXhhbXBsZS5jb20wHhcNMDkwMjAyMTYwNjIzWhcNMTAwMjAyMTYw
    NjIzWjCBtDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNV
    BAcTC0N1bHZlciBDaXR5MRowGAYDVQQKExEobXQpIE1lZGlhIFRlbXBsZTEQMA4G
    A1UECxMHc3VwcG9ydDEfMB0GA1UEAxMWY3VycmVudC5tdC1leGFtcGxlLmNvbTEr
    MCkGCSqGSIb3DQEJARYcYWRtaW5AY3VycmVudC1tdC1leGFtcGxlLmNvbTCCASIw
    DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSBAFVzhUpB4UvEhyPCqwtgK7vL
    hC21FvjXUQU1ceRPynDLb2k1FMrG5eP24xXFGoa+Cy3OAsWPtxSMqkQezxmEdRiE
    PaYmVbW1iy8+F4Am8u24cuL3r/ASxntgSIQhd332wZwNqEaykdlSLHug6Gzi0ofA
    6K6xNnZFwQ/E/1AhYjArvyGLbDzHVbeF72w7NbKzGWtGzv6UkD9muPVr0ufCy7Lq
    AdfeeutEIJWxaOD2jbbr4Aa3Cf2j9bFhNjrKmsmTCtZIuLuLCeovOq9Som+OEuji
    teYpCstPYRRZMxsehWZeYY/gRDPab2AemnVUUMQ/fXg/RbDH3SKCll3wd/sCAwEA
    ATANBgkqhkiG9w0BAQUFAAOCAQEAmibZdKbrVglS/yJu2jja9aD/beWCx3xENiyD
    szuZ8rE2LFvmY981ryo2Qz2h0P9LbRuEVoYXTmUUPDHZnHhGr7HbdUnB+rpKch0A
    wmX3TUfAkMGeSHAld6oUDjddqEyZnaDXW+1XUWYqd+ZKhak72EgGACOOrBWhnSmN
    6TF5fcHpznzZTuZvExmKkLnhWxf//OMfDi1zE9Gi7b0zksRDKirZUz7szM6PBMY8
    sBHK8yqI0PWLNr6zHC3Ojm4PGv5GvhToAAmQasoEMXnid/6wk7DM3JfrIdBWmhYR
    euLkQMuZaOQwWkif4vO/k3x4uvgRl5H0QWVwMF6mPsp6T1EHFg==
    -----END CERTIFICATE-----
  4. Connect via SSH to your DV as the root user.
  5. Before editing system configuration files on your server, backup files should be made first. Enter the following two commands, one at a time.
    cp /etc/courier-imap/pop3d-ssl /etc/courier-imap/pop3d-ssl.backup
    cp /etc/courier-imap/imapd-ssl /etc/courier-imap/imapd-ssl.backup
    
  6. Next, you will need to edit the same line on these two files separately. The line begins with TLS_Certfile=. You can easily jump straight to editing that line with the following command which you will use for both files.
    vi +/TLS_CERTFILE= /etc/courier-imap/pop3d-ssl
    vi +/TLS_CERTFILE= /etc/courier-imap/imapd-ssl
    

    The default certfile being used points to a file in /usr/share/courier-imap/. You want this to be your pem file instead. Change that line to point to your file which you saved earlier in that directory. Your two files should look like this snippet.

    # treated as confidential, and must not be world-readable.
    #
    TLS_CERTFILE=/usr/share/courier-imap/dv-example.com.pem
    
    ##NAME: TLS_TRUSTCERTS:0
    #
    # TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
    # pathname can be a file or a directory. If a file, the file should
    

    NOTE:

    Be sure to replace dv-example.com with your domain.

  7. We also need to have qmail use this certificate. Make a backup of the default servercert.pem file and use your cert instead with the following two commands.
    mv /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.backup
    cp /usr/share/courier-imap/dv-example.com.pem /var/qmail/control/servercert.pem
    
  8. Restart the mail services on your server.
    /etc/init.d/courier-imapd restart && /etc/init.d/courier-imaps restart && /etc/init.d/qmail restart

    You should see the following successful output.

    Stopping Courier-IMAP server:
       Stopping imap                                           [  OK  ]
       Stopping imap-ssl                                       [  OK  ]
       Stopping pop3                                           [  OK  ]
       Stopping pop3-ssl                                       [  OK  ]
    
    Starting Courier-IMAP server:
       Starting imapd                                          [  OK  ]
       Starting imap-ssl                                       [  OK  ]
       Starting pop3                                           [  OK  ]
       Starting pop3-ssl                                       [  OK  ]
    
    Stopping : Starting qmail:                                 [  OK  ]
    

    Now, you and your site users should be able to use your SSL certificate to securely send email using various mail programs.

Courier Instructions

  1. Log into your Plesk Server Administrator Panel.
  2. From the left navigation menu under Server Management, select Tools & Settings.
    Under Security, select SSL Certificates.

    SSL_tools_utilities

  3. Click on the default certificate.

    ssl_default_cert

    Scroll down until you see the sections Private Key and Certificate. Copy the contents of each section into a new file on your server and name the file with the .pem extension, e.g. dv-example.com.pem. Save this file to the /usr/share/courier-imap directory.

    Your file should look similar to this.

    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAtIEAVXOFSkHhS8SHI8KrC2Aru8uELbUW+NdRBTVx5E/KcMtv
    aTUUysbl4/bjFcUahr4LLc4CxY+3FIyqRB7PGYR1GIQ9piZVtbWLLz4XgCby7bhy
    4vev8BLGe2BIhCF3ffbBnA2oRrKR2VIse6DobOLSh8DorrE2dkXBD8T/UCFiMCu/
    IYtsPMdVt4XvbDs1srMZa0bO/pSQP2a49WvS58LLsuoB195660QglbFo4PaNtuvg
    BrcJ/aP1sWE2OsqayZMK1ki4u4sJ6i86r1Kib44S6OK15ikKy09hFFkzGx6FZl5h
    j+BEM9pvYB6adVRQxD99eD9FsMfdIoKWXfB3+wIDAQABAoIBAQCvbB+y7E5B2Lzo
    MdtUecBZkeFu5V9UPIZS2I85DLPfO1x3On7QNHI8kAikADC525DoGpIqtegjsIQx
    SHPBOF/1YLGcXgi8DM2HhyP5idK1DSVSusuMoUMvgk+7X9uZ7hx/Iu0OiIdeDfWI
    yz/H9p1sFRSeMnDwNfHECA6VENNAP05bV7Q3xHY3pilqrGzCl+6H50tGxZay5xST
    YksntyLEh578mS8nU1ABW+8WqgYeRy8Q6F0ALV0rrWR2k/qoHgKteCJfpkSoy655
    El4weDcNvfoByemZFi6eNR3Fs8HWPhWHg3fpnpbXWcv1RI9TX3dlSTY2CPTbOrAK
    OeBsCtuhAoGBAOiHI/THrunahOX2GKS+lqkw75TaLhZvpE0jsuYff3VulHnFe691
    A2DFR2SZKbu14SgsHKSiF4sgjE1033a0S4C+OBmzzxFef0zb25UZV4Wo4sIY5OA2
    7vZhq2wSa1MmjAyRoZYx3jHbgRzZncKdBo8iL0vIvffHiPCiXJjMovG/AoGBAMa5
    fEG2KKjrvFCYIgDvcdYX+75jh6H/9I6QxC4daQDFx68cbKaY7iPz8EnkFoEyCjOO
    q5zqjdpvqNXU935tflW5xHE5Vaveb2eyuwb8vOD598v3US6pImo/iO5bM2EQkCyB
    WzDkNkHBGaSGFUyZXZ0WDx5xqKZusJgCpAbFr5DFAoGBAJa8JD7lwymtkkFQiyEg
    u6HqKyUfWokIzkWDQtGS0Zlamb1mm4teG1Z8DI/WCgu5F8Bm+BpxSTnTW6BKhyH4
    Nom6xbtDqJPl4jf8vhelWes3U+fnI1eFxNrK7ckdF53LezYaodkvco57+p6tI2up
    Rzs6OdayxxL8snTri4MyBN8ZAoGAVfhoiQUFEg7pqPQnwb/Uv4ognnzwcGUKp6J5
    PHn8sxjdCiSB3JDMdUFS8qR6F+pN/3/5Pik6tQUZRWicqVU1EmELWvAy3+eayoHH
    533vOGTrjpGvzT/eY5iY5IUP9S31MUvE56HS1x9yuHpJPJocpZilccY578ZzH1AF
    JejfywECgYAHCF1MFbMdHAqJhmkIKuTjz5b/1XPeDp2wXSnDHpEu3iRTVTU3eM4l
    0ytnR5sg6vVGsIq1XyhzocR7Dt5VEw8k7s9uKrgasEXb2fYY57BL1xNFvj3r0ukg
    TBKJm5esP2RPFEXaj367p62HKoOwcK7Ikhc3J3pOxftiAQV0f66I3Q==
    -----END RSA PRIVATE KEY-----
    
    -----BEGIN CERTIFICATE-----
    MIID4TCCAskCBEmHGf0wDQYJKoZIhvcNAQEFBQAwgbQxCzAJBgNVBAYTAlVTMRMw
    EQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtDdWx2ZXIgQ2l0eTEaMBgGA1UE
    ChMRKG10KSBNZWRpYSBUZW1wbGUxEDAOBgNVBAsTB3N1cHBvcnQxHzAdBgNVBAMT
    FmN1cnJlbnQubXQtZXhhbXBsZS5jb20xKzApBgkqhkiG9w0BCQEWHGFkbWluQGN1
    cnJlbnQtbXQtZXhhbXBsZS5jb20wHhcNMDkwMjAyMTYwNjIzWhcNMTAwMjAyMTYw
    NjIzWjCBtDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNV
    BAcTC0N1bHZlciBDaXR5MRowGAYDVQQKExEobXQpIE1lZGlhIFRlbXBsZTEQMA4G
    A1UECxMHc3VwcG9ydDEfMB0GA1UEAxMWY3VycmVudC5tdC1leGFtcGxlLmNvbTEr
    MCkGCSqGSIb3DQEJARYcYWRtaW5AY3VycmVudC1tdC1leGFtcGxlLmNvbTCCASIw
    DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSBAFVzhUpB4UvEhyPCqwtgK7vL
    hC21FvjXUQU1ceRPynDLb2k1FMrG5eP24xXFGoa+Cy3OAsWPtxSMqkQezxmEdRiE
    PaYmVbW1iy8+F4Am8u24cuL3r/ASxntgSIQhd332wZwNqEaykdlSLHug6Gzi0ofA
    6K6xNnZFwQ/E/1AhYjArvyGLbDzHVbeF72w7NbKzGWtGzv6UkD9muPVr0ufCy7Lq
    AdfeeutEIJWxaOD2jbbr4Aa3Cf2j9bFhNjrKmsmTCtZIuLuLCeovOq9Som+OEuji
    teYpCstPYRRZMxsehWZeYY/gRDPab2AemnVUUMQ/fXg/RbDH3SKCll3wd/sCAwEA
    ATANBgkqhkiG9w0BAQUFAAOCAQEAmibZdKbrVglS/yJu2jja9aD/beWCx3xENiyD
    szuZ8rE2LFvmY981ryo2Qz2h0P9LbRuEVoYXTmUUPDHZnHhGr7HbdUnB+rpKch0A
    wmX3TUfAkMGeSHAld6oUDjddqEyZnaDXW+1XUWYqd+ZKhak72EgGACOOrBWhnSmN
    6TF5fcHpznzZTuZvExmKkLnhWxf//OMfDi1zE9Gi7b0zksRDKirZUz7szM6PBMY8
    sBHK8yqI0PWLNr6zHC3Ojm4PGv5GvhToAAmQasoEMXnid/6wk7DM3JfrIdBWmhYR
    euLkQMuZaOQwWkif4vO/k3x4uvgRl5H0QWVwMF6mPsp6T1EHFg==
    -----END CERTIFICATE-----
  4. Connect via SSH to your DV as the root user.
  5. Before editing system configuration files on your server, backup files should be made first. Enter the following two commands, one at a time.
    cp /etc/courier-imap/pop3d-ssl /etc/courier-imap/pop3d-ssl.backup
    cp /etc/courier-imap/imapd-ssl /etc/courier-imap/imapd-ssl.backup
    
  6. Next, you will need to edit the same line on these two files separately. The line begins with TLS_Certfile=. You can easily jump straight to editing that line with the following command which you will use for both files.
    vi +/TLS_CERTFILE= /etc/courier-imap/pop3d-ssl
    vi +/TLS_CERTFILE= /etc/courier-imap/imapd-ssl
    

    The default certfile being used points to a file in /usr/share/courier-imap/. You want this to be your pem file instead. Change that line to point to your file which you saved earlier in that directory. Your two files should look like this snippet.

    # treated as confidential, and must not be world-readable.
    #
    TLS_CERTFILE=/usr/share/courier-imap/dv-example.com.pem
    
    ##NAME: TLS_TRUSTCERTS:0
    #
    # TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
    # pathname can be a file or a directory. If a file, the file should
    

    NOTE:

    Be sure to replace dv-example.com with your domain.

  7. We also need to have postfix use this certificate. Make a backup of the postfix_default.pem file and use your cert instead with the following two commands.
    mv /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.pem.backup
    cp /usr/share/courier-imap/dv-example.com.pem /etc/postfix/postfix_default.pem
    
Restart the mail services on your server.
/etc/init.d/courier-imap restart && /etc/init.d/postfix restart

You should see the following successful output.

Stopping Courier-IMAP server:
   Stopping imap                                           [  OK  ]
   Stopping imap-ssl                                       [  OK  ]
   Stopping pop3                                           [  OK  ]
   Stopping pop3-ssl                                       [  OK  ]

Starting Courier-IMAP server:
   Starting imapd                                          [  OK  ]
   Starting imap-ssl                                       [  OK  ]
   Starting pop3                                           [  OK  ]
   Starting pop3-ssl                                       [  OK  ]

Stopping : Starting postfix:                                 [  OK  ]

Dovecot Instructions

1. SSH to your server as the root user. In order to do this, you must first make sure that you have root login enabled from the account center.

2. Create a backup of the default dovecot .pem file
 
cp /etc/dovecot/private/ssl-cert-and-key.pem /etc/dovecot/private/ssl-cert-and-key.pem.backup
 
3. Create a backup of the default postfix .pem file
 
cp /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.pem.backup 
 
4. Copy the replacement key and ssl certificate into and create the dovecot .pem.replacement file. 

nano /etc/dovecot/private/ssl-cert-and-key.pem.replacement

 Your ssl-cert-and-key.pem.replacement file should look similar to this:

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAtIEAVXOFSkHhS8SHI8KrC2Aru8uELbUW+NdRBTVx5E/KcMtv
aTUUysbl4/bjFcUahr4LLc4CxY+3FIyqRB7PGYR1GIQ9piZVtbWLLz4XgCby7bhy
4vev8BLGe2BIhCF3ffbBnA2oRrKR2VIse6DobOLSh8DorrE2dkXBD8T/UCFiMCu/
IYtsPMdVt4XvbDs1srMZa0bO/pSQP2a49WvS58LLsuoB195660QglbFo4PaNtuvg
BrcJ/aP1sWE2OsqayZMK1ki4u4sJ6i86r1Kib44S6OK15ikKy09hFFkzGx6FZl5h
j+BEM9pvYB6adVRQxD99eD9FsMfdIoKWXfB3+wIDAQABAoIBAQCvbB+y7E5B2Lzo
MdtUecBZkeFu5V9UPIZS2I85DLPfO1x3On7QNHI8kAikADC525DoGpIqtegjsIQx
SHPBOF/1YLGcXgi8DM2HhyP5idK1DSVSusuMoUMvgk+7X9uZ7hx/Iu0OiIdeDfWI
yz/H9p1sFRSeMnDwNfHECA6VENNAP05bV7Q3xHY3pilqrGzCl+6H50tGxZay5xST
YksntyLEh578mS8nU1ABW+8WqgYeRy8Q6F0ALV0rrWR2k/qoHgKteCJfpkSoy655
El4weDcNvfoByemZFi6eNR3Fs8HWPhWHg3fpnpbXWcv1RI9TX3dlSTY2CPTbOrAK
OeBsCtuhAoGBAOiHI/THrunahOX2GKS+lqkw75TaLhZvpE0jsuYff3VulHnFe691
A2DFR2SZKbu14SgsHKSiF4sgjE1033a0S4C+OBmzzxFef0zb25UZV4Wo4sIY5OA2
7vZhq2wSa1MmjAyRoZYx3jHbgRzZncKdBo8iL0vIvffHiPCiXJjMovG/AoGBAMa5
fEG2KKjrvFCYIgDvcdYX+75jh6H/9I6QxC4daQDFx68cbKaY7iPz8EnkFoEyCjOO
q5zqjdpvqNXU935tflW5xHE5Vaveb2eyuwb8vOD598v3US6pImo/iO5bM2EQkCyB
WzDkNkHBGaSGFUyZXZ0WDx5xqKZusJgCpAbFr5DFAoGBAJa8JD7lwymtkkFQiyEg
u6HqKyUfWokIzkWDQtGS0Zlamb1mm4teG1Z8DI/WCgu5F8Bm+BpxSTnTW6BKhyH4
Nom6xbtDqJPl4jf8vhelWes3U+fnI1eFxNrK7ckdF53LezYaodkvco57+p6tI2up
Rzs6OdayxxL8snTri4MyBN8ZAoGAVfhoiQUFEg7pqPQnwb/Uv4ognnzwcGUKp6J5
PHn8sxjdCiSB3JDMdUFS8qR6F+pN/3/5Pik6tQUZRWicqVU1EmELWvAy3+eayoHH
533vOGTrjpGvzT/eY5iY5IUP9S31MUvE56HS1x9yuHpJPJocpZilccY578ZzH1AF
JejfywECgYAHCF1MFbMdHAqJhmkIKuTjz5b/1XPeDp2wXSnDHpEu3iRTVTU3eM4l
0ytnR5sg6vVGsIq1XyhzocR7Dt5VEw8k7s9uKrgasEXb2fYY57BL1xNFvj3r0ukg
TBKJm5esP2RPFEXaj367p62HKoOwcK7Ikhc3J3pOxftiAQV0f66I3Q==
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIID4TCCAskCBEmHGf0wDQYJKoZIhvcNAQEFBQAwgbQxCzAJBgNVBAYTAlVTMRMw
EQYDVQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtDdWx2ZXIgQ2l0eTEaMBgGA1UE
ChMRKG10KSBNZWRpYSBUZW1wbGUxEDAOBgNVBAsTB3N1cHBvcnQxHzAdBgNVBAMT
FmN1cnJlbnQubXQtZXhhbXBsZS5jb20xKzApBgkqhkiG9w0BCQEWHGFkbWluQGN1
cnJlbnQtbXQtZXhhbXBsZS5jb20wHhcNMDkwMjAyMTYwNjIzWhcNMTAwMjAyMTYw
NjIzWjCBtDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNV
BAcTC0N1bHZlciBDaXR5MRowGAYDVQQKExEobXQpIE1lZGlhIFRlbXBsZTEQMA4G
A1UECxMHc3VwcG9ydDEfMB0GA1UEAxMWY3VycmVudC5tdC1leGFtcGxlLmNvbTEr
MCkGCSqGSIb3DQEJARYcYWRtaW5AY3VycmVudC1tdC1leGFtcGxlLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSBAFVzhUpB4UvEhyPCqwtgK7vL
hC21FvjXUQU1ceRPynDLb2k1FMrG5eP24xXFGoa+Cy3OAsWPtxSMqkQezxmEdRiE
PaYmVbW1iy8+F4Am8u24cuL3r/ASxntgSIQhd332wZwNqEaykdlSLHug6Gzi0ofA
6K6xNnZFwQ/E/1AhYjArvyGLbDzHVbeF72w7NbKzGWtGzv6UkD9muPVr0ufCy7Lq
AdfeeutEIJWxaOD2jbbr4Aa3Cf2j9bFhNjrKmsmTCtZIuLuLCeovOq9Som+OEuji
teYpCstPYRRZMxsehWZeYY/gRDPab2AemnVUUMQ/fXg/RbDH3SKCll3wd/sCAwEA
ATANBgkqhkiG9w0BAQUFAAOCAQEAmibZdKbrVglS/yJu2jja9aD/beWCx3xENiyD
szuZ8rE2LFvmY981ryo2Qz2h0P9LbRuEVoYXTmUUPDHZnHhGr7HbdUnB+rpKch0A
wmX3TUfAkMGeSHAld6oUDjddqEyZnaDXW+1XUWYqd+ZKhak72EgGACOOrBWhnSmN
6TF5fcHpznzZTuZvExmKkLnhWxf//OMfDi1zE9Gi7b0zksRDKirZUz7szM6PBMY8
sBHK8yqI0PWLNr6zHC3Ojm4PGv5GvhToAAmQasoEMXnid/6wk7DM3JfrIdBWmhYR
euLkQMuZaOQwWkif4vO/k3x4uvgRl5H0QWVwMF6mPsp6T1EHFg==
-----END CERTIFICATE-----


 5. Replace default dovecot .pem file with dovecot .pem.replacement file.
 
cp /etc/dovecot/private/ssl-cert-and-key.pem.replacement /etc/dovecot/private/ssl-cert-and-key.pem
 
6. Replace default postfix .pem file with SAME dovecot .pem.replacement file.
 
cp /etc/dovecot/private/ssl-cert-and-key.pem.replacement /etc/postfix/postfix_default.pem 
 
7. Verify permissions (0400) and root ownership (root:root) of newly-replaced dovecot .pem file.
 
chmod 0400 /etc/dovecot/private/ssl-cert-and-key.pem
 
8. Verify permissions (0600) and root ownership (root:root) of newly-replaced postfix .pem file.
 
chmod 0600 /etc/postfix/postfix_default.pem
 
9. reload-or-restart dovecot and check service status.
 
systemctl restart dovecot.service 
systemctl status dovecot.service
 

You should see an output similar to this:

 dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
   Active: active (running) since Wed 2015-12-02 21:41:38 EST; 17h ago
 Main PID: 19331 (dovecot)
   CGroup: /system.slice/dovecot.service
           ├─19331 /usr/sbin/dovecot -F
           ├─19334 dovecot/anvil
           ├─19335 dovecot/log
           ├─29140 dovecot/config
           └─29142 dovecot/ssl-params

Now, you and your site users should be able to use your SSL certificate to securely send email using various mail programs.

NOTE:

Depending on your email client, you may receive a certificate error.


Check the box to trust the certificate and eliminate the certificate error messages for your mail client.

Resources