Let's Encrypt and Postfix

Let's Encrypt is a quick and easy way to add SSL to your website.

You can also use Let's Encrypt certificates to help secure your postfix mail server.

SMTP over SSL/TLS allows mail clients and mail servers to exchange encrypted data.

The first thing you have to do is get the SSL certificate.

There are many ways to do this, but I find the easiest is to simply set up a web server with the same host name as the mail server and create an SSL certificate for it. I use the EFF certbot utility to do this.

certbot-auto -d mail.example.com

Once the certificate is created, you have to configure postfix to use it.

Edit /etc/postfix/main.cf and add the following, adjusting mail.example.com as appropriate:

smtp_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

You will need to restart postfix when the certificate renews. I solved this by creating a deploy hook with certbot.

#!/bin/sh
# certbot deploy hook: runs after a successful renewal, with the renewed
# names in $RENEWED_DOMAINS (set by certbot).
for domain in $RENEWED_DOMAINS; do
    case $domain in
    mail.example.com)
        cd /etc/letsencrypt/live/$domain || exit 1
        # let the letsencrypt group read the new key and chain ...
        chgrp letsencrypt *.pem
        chmod 640 *.pem
        # ... then have postfix pick up the new files
        /sbin/service postfix reload > /dev/null
        ;;
    esac
done
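The main.cf parameters above only tell postfix where the files are; postfix offers STARTTLS only when smtpd_tls_security_level (and smtp_tls_security_level for outbound mail) is also set, for example to may, which many distributions do in their default main.cf. A deploy hook like the one above goes in /etc/letsencrypt/renewal-hooks/deploy/ and must be executable. The following check script is an added example, not code from the original post: it reads the four *_tls_cert_file and *_tls_key_file parameters out of a main.cf, confirms each path resolves to a readable file, and flags a private key that is readable by everyone (the hook above sets 640). The make_sample function builds a constructed main.cf and dummy PEM files so the check runs offline; main_cf_value, check_postfix_tls and make_sample are names chosen here, not postfix or certbot tools.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the TLS file
# parameters in a Postfix main.cf, e.g. from a deploy hook before reloading.
# Paths, sample main.cf and PEM contents below are constructed stand-ins.

# Print the last value assigned to parameter $2 in main.cf $1 (later lines
# win, as in Postfix), with surrounding whitespace stripped.
main_cf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# Exit status 0 when every cert/key path is usable; prints one finding per
# parameter so the output can go in a deploy-hook log.
check_postfix_tls() {
    main_cf="$1"
    status=0
    for param in smtp_tls_cert_file smtp_tls_key_file \
                 smtpd_tls_cert_file smtpd_tls_key_file; do
        path=$(main_cf_value "$main_cf" "$param")
        if [ -z "$path" ]; then
            echo "MISSING    $param is not set"
            status=1
            continue
        fi
        if [ ! -r "$path" ]; then
            echo "UNREADABLE $param -> $path"
            status=1
            continue
        fi
        case "$param" in
        *_key_file)
            # ls -L follows the symlinks certbot leaves in /etc/letsencrypt/live;
            # character 8 of the mode string is the "other read" bit.
            if [ "$(ls -lLd "$path" | cut -c8)" = "r" ]; then
                echo "WORLDREAD  $param -> $path is readable by everyone"
                status=1
                continue
            fi
            ;;
        esac
        echo "OK         $param -> $path"
    done
    return $status
}

# Build a constructed main.cf plus dummy PEM files in a scratch directory;
# $1 is the mode for privkey.pem (640 as the hook sets, or 644 to see the
# failure). Prints the directory path.
make_sample() {
    dir=$(mktemp -d)
    live="$dir/live/mail.example.com"
    mkdir -p "$live"
    printf 'constructed, not a real certificate\n' > "$live/fullchain.pem"
    printf 'constructed, not a real key\n' > "$live/privkey.pem"
    chmod 644 "$live/fullchain.pem"
    chmod "$1" "$live/privkey.pem"
    cat > "$dir/main.cf" <<EOF
smtp_tls_cert_file = $live/fullchain.pem
smtp_tls_key_file = $live/privkey.pem
smtpd_tls_cert_file = $live/fullchain.pem
smtpd_tls_key_file = $live/privkey.pem
EOF
    echo "$dir"
}

# Usage: check_postfix_tls /etc/postfix/main.cf
# With --demo, run against the constructed sample with a world-readable key.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample 644)
    check_postfix_tls "$sample/main.cf"
    rm -rf "$sample"
fi
```

Once postfix has reloaded, openssl s_client -starttls smtp -connect mail.example.com:25 shows the chain the server actually presents, which is the quickest way to confirm the Let's Encrypt certificate is in use rather than an old self-signed one.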
