Let's Encrypt is a quick and easy way to add SSL to your website.
You can also use Let's Encrypt certificates to help secure your postfix mail server.
SSL SMTP allows mail clients & mail servers to send encrypted data.
The first thing you have to do is get the SSL certificate.
There are many ways to do this, but I find the easiest is to simply set up a web server with the same host name as the mail server and create an SSL certificate for it. I use the EFF certbot utility to do this.
certbot-auto -d mail.example.com
Once the certificate is created, you have to configure postfix to use it.
Edit the /etc/postfix/main.cf file and add the following (adjusting ‘mail.example.com’ as appropriate)…
smtp_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
You will need to restart postfix when the certificate renews … I solved this by creating a deploy hook with certbot.
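for domain in $RENEWED_DOMAINS; do
    case $domain in
        mail.example.com)
            cd "$RENEWED_LINEAGE" || exit 1   # live/ directory of the renewed certificate, set by certbot
            chgrp letsencrypt *.pem
            chmod 640 *.pem
            /sbin/service postfix reload > /dev/null
            ;;
    esac
done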
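As an added example (not code from the original post), the script below reads the smtpd_tls_cert_file and smtpd_tls_key_file paths from main.cf and checks that both files exist, that the key grants nothing to other users (the chmod 640 in the hook), and, when openssl is installed, that the certificate and key belong together and the certificate is not about to expire. The function names, the script name and the 7-day threshold are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): checks for the certificate
# files that main.cf references. Function names here are hypothetical.

# Print the value of parameter $2 in main.cf file $1. If the parameter is set
# more than once, Postfix keeps the last assignment, so do the same.
cf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed only if file $1 grants nothing to "other" (true for mode 640).
# -L follows the symlinks that certbot keeps under live/.
key_is_private() {
    [ "$(ls -lnL "$1" | cut -c8-10)" = "---" ]
}

# Succeed only if certificate $1 and private key $2 hold the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Audit the smtpd_tls_* pair in main.cf $1. Prints one line per finding and
# returns non-zero if there is any. The openssl checks are skipped when the
# openssl binary is not installed.
audit_postfix_tls() {
    cert=$(cf_value "$1" smtpd_tls_cert_file)
    key=$(cf_value "$1" smtpd_tls_key_file)
    for f in "$cert" "$key"; do
        [ -n "$f" ] && [ -r "$f" ] && continue
        echo "missing or unreadable: ${f:-<unset>}"
        return 1
    done
    rc=0
    key_is_private "$key" || { echo "key accessible to others: $key"; rc=1; }
    if command -v openssl >/dev/null 2>&1; then
        cert_matches_key "$cert" "$key" ||
            { echo "certificate and key do not match"; rc=1; }
        openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null 2>&1 ||
            { echo "certificate invalid or expiring within 7 days"; rc=1; }
    fi
    return "$rc"
}

# Usage: sh check-tls.sh /etc/postfix/main.cf
if [ "$#" -gt 0 ]; then audit_postfix_tls "$1"; fi
```

On a live system `postconf -h smtpd_tls_key_file` gives the authoritative value; the sed parser is used here so the example runs without Postfix installed, and it does not handle continuation lines.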