Let's Encrypt and Postfix

Let's Encrypt is a quick and easy way to add HTTPS to your website.

You can also use Let's Encrypt certificates to help secure your Postfix mail server.

TLS on SMTP lets mail clients (submission) and other mail servers (server-to-server delivery) talk to Postfix over an encrypted channel, normally negotiated with STARTTLS on the existing connection, so that neither credentials nor message bodies cross the network in the clear.

The first thing to do is obtain the certificate.

There are many ways to do this, but I find the easiest is to simply set up a web server with the same host name as the mail server and create a certificate for it. I use the EFF certbot utility to do this.

certbot-auto -d mail.example.com

Once the certificate is issued, configure Postfix to use it.

Edit /etc/postfix/main.cf and add the following (adjusting mail.example.com as appropriate). The smtpd_* parameters cover inbound connections (Postfix acting as the server); the smtp_* parameters cover outbound deliveries (Postfix acting as the client). fullchain.pem already contains the Let's Encrypt intermediate, so the server-side CAfile/CApath lines are not needed to complete the chain; Postfix only uses them to verify client certificates. The CA bundle path is distribution-specific: /etc/ssl/certs/ca-bundle.crt on RHEL/CentOS, /etc/ssl/certs/ca-certificates.crt on Debian and Ubuntu.

smtp_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
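The certificate and key lines alone do not turn TLS on. As an added example (not part of the original post), these are the main.cf parameters that actually enable it, with the reasoning in comments; the submission override shown in the comment goes in master.cf, not main.cf:

```ini
# Added example, not from the original post. Postfix ships with both of these
# empty, which means no TLS at all, so the cert/key paths above are ignored
# until they are set. "may" is opportunistic STARTTLS: offer (smtpd) or attempt
# (smtp) TLS and fall back to plaintext if the peer cannot do it. That is the
# right level for port 25, where forcing TLS would bounce legitimate mail from
# servers that do not support it.
smtpd_tls_security_level = may
smtp_tls_security_level = may

# At "may" the smtp_tls_CAfile/CApath settings above do not enforce anything;
# they only decide whether the delivery is logged as "Trusted TLS connection"
# or "Untrusted TLS connection". Enforcement needs a per-destination policy.

# Log one summary line per inbound handshake (default 0 is silent). After a
# renewal this is the quickest way to confirm clients are getting the new cert.
smtpd_tls_loglevel = 1

# For the submission service (port 587) require TLS instead of offering it.
# This is a master.cf override, placed under the "submission" entry:
#   -o smtpd_tls_security_level=encrypt
```

After reloading Postfix, confirm the new chain is served with `openssl s_client -starttls smtp -connect mail.example.com:25` and check that the "Verify return code" line reports 0 (ok) and the subject CN is your mail host.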

Postfix daemons read the certificate and key when they start, so Postfix has to be reloaded (a full restart is not needed) after every renewal. I solved this by creating a deploy hook with certbot. certbot runs deploy hooks only after a successful renewal, exporting RENEWED_DOMAINS (a space-separated list of the renewed names) and RENEWED_LINEAGE (the live/<name> directory); the hook is registered with --deploy-hook or dropped into /etc/letsencrypt/renewal-hooks/deploy/.

#!/bin/sh
# certbot deploy hook; RENEWED_DOMAINS is exported by certbot. "letsencrypt" is a group created on this host.
for domain in $RENEWED_DOMAINS; do
    case $domain in
        mail.example.com)
            cd /etc/letsencrypt/live/$domain || exit 1
            chgrp letsencrypt *.pem
            chmod 640 *.pem
            /sbin/service postfix reload > /dev/null
            ;;
    esac
done
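A more general form of the hook, added here as an example rather than taken from the original post: it keys off RENEWED_LINEAGE (which certbot exports alongside RENEWED_DOMAINS) instead of a hard-coded domain, reloads Postfix only when the renewed lineage is the one named in smtpd_tls_cert_file, and refuses to reload if either file is missing so a half-written lineage never leaves smtpd without a usable key. The group name letsencrypt is the post's; the install path /etc/letsencrypt/renewal-hooks/deploy/postfix.sh and the use of postconf -h to read Postfix's configured certificate path are my assumptions.

```shell
#!/bin/sh
# Added example, not the original post's hook. Install as
# /etc/letsencrypt/renewal-hooks/deploy/postfix.sh (assumed path) and certbot
# runs it after each successful renewal with RENEWED_LINEAGE set to the
# live/<name> directory of the renewed certificate.

# deploy_hook LINEAGE_DIR POSTFIX_CERT_FILE KEY_GROUP RELOAD_CMD
#   Prints "reloaded" or "skipped" and returns 0; returns 1 if the lineage is
#   incomplete or a permission/reload step fails. KEY_GROUP may be empty.
deploy_hook() {
    lineage=$1; cert_file=$2; key_group=$3; reload_cmd=$4

    # Postfix points at some live/<name>/fullchain.pem. Only act when that
    # <name> is the lineage certbot just renewed; other certs on the host
    # (a web vhost, say) must not bounce the mail server.
    case $cert_file in
        "$lineage"/*) ;;
        *) echo skipped; return 0 ;;
    esac

    # Both files must be present before Postfix is told to pick them up.
    [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 1

    # Tighten the key: owner rw, group r for daemons in KEY_GROUP, nothing for
    # world. chgrp/chmod follow the live/ symlink to the real file in archive/.
    if [ -n "$key_group" ]; then
        chgrp "$key_group" "$lineage/privkey.pem" || return 1
    fi
    chmod 0640 "$lineage/privkey.pem" || return 1

    # reload, not restart: running smtpd/smtp processes exit at their next
    # opportunity and their replacements load the renewed files.
    sh -c "$reload_cmd" >/dev/null || return 1
    echo reloaded
    return 0
}

# Only run when invoked by certbot; sourcing the file elsewhere is harmless.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_hook "$RENEWED_LINEAGE" "$(postconf -h smtpd_tls_cert_file)" letsencrypt "postfix reload"
fi
```

Because the lineage check compares against what Postfix is actually configured with, the same hook keeps working if the certificate is later moved to a different lineage name; only main.cf needs to change.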