2 min

In the Configuration File page of the cookbook, we configure a cleartext IMAP service that is unsecure, as anyone spying on the network can intercept the user's password.

Activate IMAP TLS

You must replace the [imap_unsecure] block of your configuration file with a new [imap] block:

bind_addr = "[::]:993"
certs = "cert.pem"
key = "key.pem"

Generate self-signed certificates

If you want to quickly try the TLS endpoint, you can generate a self-signed certificate with openssl:

openssl ecparam -out key.pem -name secp256r1 -genkey
openssl req -new -key key.pem -x509 -nodes -days 365 -out cert.pem

This configuration is not secure as it is vulnerable to man-in-the-middle attacks. It will also triggers a big red warning in many email clients, and sometimes it will even be impossible to configure an account.

Generate valid certificates through Let's Encrypt

Automated certificate renewal has been popularized by Let's Encrypt through the ACME protocol. Today, many certificate providers implement it, like ZeroSSL, Buypass Go SSL, or even Google Cloud. Many clients that implement the ACME protocol exist (certbot, lego, etc.), a very long list exist on LE website. Finally, certificates can be obtained in exchange of a validation, that can occur over HTTP (HTTP01 challenge) or DNS (DNS01 challenge). This example will be given for Let's Encrypt with Lego for a DNS01 challenge with Gandi as the DNS provider.

lego \
  --email you@example.tld \
  --dns gandiv5 \
  --domain example.tld \
  --domains imap.example.tld \
  --domains smtp.example.tld \

Note 1: theoretically only GANDIV5_PERSONAL_ACCESS_TOKEN should be required, but it did not work for me.

Note 2: we generate a certificate for the root domain and SMTP because it will simplify your testing while following the cookbook. But if you already have a working email stack, it's not required.

If the command ran successfully, you now have 2 files:

  • .lego/certificates/example.tld.crt
  • .lego/certificates/example.tld.key

You can directly use them in Aerogramme (the first one must be put on certs and the second one on key). You must configure some way to automatically renew your certificates, the lego documentation explains how you can do it.