Postfix & Courier & Letsencrypt

First of all, create your certificates (the regular way). I created one with multiple domains: webmail.rootspirit.com, mail.rootspirit.com, smtp.rootspirit.com.

In my case, as the mailserver and webserver are behind a proxy (postfix, imap, Roundcube Webmail), I create the certificate on the proxy (nginx) and scp the cert to the mail server. All this is automated with a tiny script.

For Postfix, edit main.cf and change/edit/add these lines (check the right path too!):

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/letsencrypt/webmail.privkey.pem
smtpd_tls_cert_file = /etc/ssl/letsencrypt/webmail.fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/postfix/dhparams.pem
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_loglevel=1
smtp_tls_loglevel=1

And restart postfix: /etc/init.d/postfix restart

As for Courier you’ll need to concatenate the files (again, check the path, it’s most likely /etc/letsencrypt/live/domain/xyz.pem):

cat /etc/ssl/letsencrypt/webmail.privkey.pem /etc/ssl/letsencrypt/webmail.fullchain.pem > /etc/ssl/letsencrypt/webmail.all.pem

Then edit both /etc/courier/pop3d-ssl and /etc/courier/imapd-ssl

And add/change the path of the certificate:

TLS_CERTFILE=/etc/ssl/letsencrypt/webmail.all.pem

And restart Courier: /etc/init.d/courier-imap-ssl restart && /etc/init.d/courier-pop-ssl restart

Leave a Reply...