Separate SSL certificate for mail server? (Dovecot and postfix)
Following the guide below:
https://www.linode.com/docs/guides/email-with-postfix-dovecot-and-mariadb-on-centos-7/
Using the certbot nginx option I have already specified SSL certs for my example.com.
On the guide there is no mention of getting SSL certs for mail.example.com.
But now in any test my mail server seems without SSL. Do I need separate certs for postfix/dovecot?
Thanks.
3 Replies
You can use the same certs for your mail server…you don't need to get separate ones. This is what I do. Works like a champ.
I have exactly the same setup -- example.com and mail.example.com. You just need to make sure that mail.example.com is listed in DNS correctly (which I assume you've already done).
apache2:
<VirtualHost _default_:443>
# Admin email, Server Name (domain name), and any aliases
#
ServerAdmin postmaster@example.com
ServerName example.com
ServerSignature Off
Include /usr/local/etc/letsencrypt/options-ssl-apache.conf # <-- generated by certbot
SSLCertificateFile /usr/local/etc/letsencrypt/live/niteflyte.net/cert.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/niteflyte.net/privkey.pem
SSLCACertificateFile /usr/local/etc/letsencrypt/live/niteflyte.net/chain.pem
...
</VirtualHost>
postfix:
...
# sw - my host name
#
myhostname = mail.example.com
# sw - my domain
#
mydomain = example.com
# sw - my origin
#
myorigin = $mydomain
# Use the Let's Encrypt SSL certificate
#
smtp_tls_security_level = encrypt
smtp_tls_cert_file=/usr/local/etc/letsencrypt/live/example.com/cert.pem
smtp_tls_key_file=/usr/local/etc/letsencrypt/live/example.com/privkey.pem
smtp_tls_CAfile=/usr/local/etc/letsencrypt/live/example.com/chain.pem
#
smtpd_tls_cert_file=/usr/local/etc/letsencrypt/live/example.com/cert.pem
smtpd_tls_key_file=/usr/local/etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_CAfile=/usr/local/etc/letsencrypt/live/example.com/chain.pem
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
# Enabling SMTP for authenticated users, and handing off authentication
# to Dovecot
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = no
...
dovecot (conf.d/10-ssl.conf):
...
ssl_cert = </usr/local/etc/letsencrypt/live/example.com/cert.pem
ssl_key = </usr/local/etc/letsencrypt/live/example.com/privkey.pem
ssl_ca = </usr/local/etc/letsencrypt/live/example.com/chain.pem
...
I use FreeBSD, so my certs show up in /usr/local/etc/letsencrypt. Just substitute your own path.
-- sw
Thanks stewie,
Can you share your MX and A records also?
When you enter your credentials on a mail client like Thunderbird do you use mail.example.com or example.com for server name?
Can you share your MX and A records also?
There's not much to show…
I have two A/AAAA records for example.com…one for IPv4 and one for IPv6. I use the default TTL (86400).
I have two A/AAAA records for mail…one for IPv4 and one for IPv6. I use the default TTL (86400).
I have two A/AAAA records for www…one for IPv4 and one for IPv6. I use the default TTL (86400). This is for the web server…so both http://example.com and http://www.example.com work (without redirects).
For my MX record, I have mail.example.com for the mail server, 10 for the preference and the default TTL (86400). I'm not quite sure what the preference is…10 was the default.
I created all of this in the DNS manager at https://cloud.linode.com.
When you enter your credentials on a mail client like Thunderbird do you use mail.example.com or example.com for server name?
mail.example.com
-- sw
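Reusing the web certificate as stewie does, with clients pointed at mail.example.com, only verifies cleanly if that name is in the certificate's subjectAltName list (a certbot certificate issued for example.com and www alone does not cover it). The script below is an added check, not from this thread or from the Linode guide: it fetches the certificate Postfix presents after STARTTLS and the one Dovecot presents on IMAPS, and reports which of the names you expect are missing; the function names and the sample certificate are constructed for this example.

```python
import smtplib
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns,
# modelling a certbot certificate issued only for example.com and www.
SAMPLE_WEB_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

def san_names(cert):
    """DNS names the certificate is valid for (SAN only; modern clients ignore CN)."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a wildcard in the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        first, _, rest = hostname.partition(".")
        return first != "" and rest == pattern[2:]
    return False

def cert_covers(cert, hostname):
    return any(name_matches(n, hostname) for n in san_names(cert))

def missing_names(cert, expected):
    """Names from `expected` that clients would reject for this certificate."""
    return [n for n in expected if not cert_covers(cert, n)]

def smtp_starttls_cert(host, port=25, timeout=10):
    """STARTTLS against Postfix; returns the peer cert, or raises if the chain
    or hostname fails default verification (the same checks a mail client does)."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()

def imaps_cert(host, port=993, timeout=10):
    """Implicit TLS against Dovecot on the IMAPS port; same verification as above."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Hypothetical host; substitute your own. Expect both names to be covered.
    for fetch in (smtp_starttls_cert, imaps_cert):
        cert = fetch("mail.example.com")
        print(fetch.__name__, "missing:", missing_names(cert, ["example.com", "mail.example.com"]))
```

If the live check raises `ssl.SSLCertVerificationError`, the server is serving a certificate whose SAN list or chain does not match; re-issue with certbot using `-d example.com -d www.example.com -d mail.example.com` so one certificate covers all three.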