by Miro Metsänheimo | Linux in , , , , , , , , , , , , , ,

Installing Lets Encrypt’s SSL certificate to mail server with Postfix and Dovecot

Hi!

I’ve been getting notifications from StartSSL for a month saying that my SSL certificate is expiring. I decided to try out the new Let’s Encrypt free SSL. In this post I will be installing the certificate on a mail server.

To start off, you will need Git on your server

apt-get install git

Next up, we need the Let’s Encrypt git package

git clone https://github.com/Letsencrypt/letsencrypt

I made a small batch file to run every time I want to update the certificates

#!/bin/bash

OPTIONS="certonly --renew-by-default --email miro@metsanheimo.fi --agree-tos --text"

./letsencrypt-auto $OPTIONS -d metsanheimo.fi
chgrp vmail /etc/letsencrypt/archive /etc/letsencrypt/live
chmod g+rx /etc/letsencrypt/archive /etc/letsencrypt/live

Running this requires you to have a web server and a domain – and your router pointing to the computer you’re requesting the certificate for.

After running the script, your certificates should be created in ‘/etc/letsencrypt/live/domain.fi/’ and it will expire in three months. At that time, just come back and run the script again.

To get these certificates working on the mail server, we need to point the server to the new certificates at the configuration files. Open Postfix configuration and edit/add these lines. Replace the domain name with yours. After the changes, restart Postfix.

sudoedit /etc/postfix/main.cf

smtpd_tls_cert_file=/etc/letsencrypt/live/metsanheimo.fi/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/metsanheimo.fi/privkey.pem

sudo service postfix restart

Next up is Dovecot, open up the Dovecot SSL configuration file, and edit/add these lines. Replace the domain name with yours. After the changes, restart Dovecot.

sudoedit /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/letsencrypt/live/metsanheimo.fi/fullchain.pem
ssl_key = </etc/letsencrypt/live/metsanheimo.fi/privkey.pem

sudo service dovecot restart

Now try that your e-mail server still sends and receives messages.

You now have free working SSL certificates on your mail server! Congratulations! Just remember to refresh them every three months. Or just make a cron job for it.

 

Miro Metsänheimo

A software developer from Finland born in -92. I'm passionate about computers and technology. Feel free to message me about anything!

 

Leave a Reply