Letsencrypt Certificates for Postfix

Postfix also uses SSL/TLS certificates for secure connections. On many installations, including Mailborder, the certificates are self-signed. If you wish to use valid SSL/TLS certificates, you can use Letsencrypt’s certbot on Ubuntu to obtain and maintain them. This article is Nginx-specific, but the same concept applies to other web servers such as Apache.

Note: If your Postfix MTA hostname is already the same as one of the Mailborder virtual hosts, you can skip the next sections and just go to the Postfix section below. 

Nginx

Edit this file: /etc/nginx/sites-available/mailborder-mta.conf

Add this configuration, replacing the server_name with your MTA hostname. This should match myhostname in /etc/postfix/main.cf.

server {
    listen 80;
    listen [::]:80;
    access_log off;
    server_name mta-1.example.com;

    root /var/www/html;
    index index.html index.php;
    location / {
        try_files $uri $uri/ =404;
    }
}

Save the file and enable the site:

ln -s /etc/nginx/sites-available/mailborder-mta.conf /etc/nginx/sites-enabled/mailborder-mta.conf

Restart Nginx:

service nginx restart

To test, open a web browser and go to the site using HTTP. In this example, it would be http://mta-1.example.com. You should see the default index.html from the /var/www/html directory. On Mailborder servers this is the text you should see:

The interface must be accessed via the named URL created during setup. If you are seeing this 
message while using a hostname, use HTTPS instead of HTTP.

Certbot

Next we are going to run the certbot command to get a certificate. Note that DNS should already be set up and ports 80 and 443 should be open to your server. Port 80 will always need to stay open for certificate renewals.

certbot --nginx

You will be presented with a menu. Pick the hostname you just created. It will ask if you would like to add a redirect; you may do so if you like. Once complete, edit or view this file: /etc/nginx/sites-available/mailborder-mta.conf

There will be a section similar to this:

ssl_certificate /etc/letsencrypt/live/mta-1.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mta-1.example.com/privkey.pem; # managed by Certbot

These are the certificate and key we are going to use in the Postfix configuration.

Postfix

For Mailborder, edit this file: /etc/mailborder/conf.d/postfix.cf

For servers not using Mailborder, you would edit this file: /etc/postfix/main.cf

Warning: Mailborder users should not edit /etc/postfix/main.cf. That file gets overwritten by Mailborder during configuration rebuilds.

Find this section in the Postfix configuration file and update the certificates:

smtpd_tls_cert_file = /etc/letsencrypt/live/mta-1.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mta-1.example.com/privkey.pem

For Mailborder servers, run this command:

mb-rebuild -r

For servers not using Mailborder, run this command:

service postfix restart

Your Postfix service should now be using the Letsencrypt certificates. You can test your server(s) by entering your domain here:

https://www.checktls.com/TestReceiver
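As a local alternative to the checktls test, here is an added script (not part of this article or of Mailborder) that negotiates STARTTLS with the MTA on port 25 and compares the SHA-256 fingerprint of the certificate Postfix presents with the first certificate in fullchain.pem. The hostname and certificate path are assumptions taken from the example above.

```python
"""Check that Postfix serves the Letsencrypt certificate after STARTTLS."""
import base64
import hashlib
import re
import smtplib
import ssl
import sys

# First PEM block in fullchain.pem is the leaf certificate; the rest is the chain.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def leaf_fingerprint_from_pem(pem_text: str) -> str:
    """Fingerprint of the first certificate in a PEM file or chain."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return der_fingerprint(base64.b64decode("".join(match.group(1).split())))


def served_fingerprint(host: str, port: int = 25) -> str:
    """Fingerprint of the certificate the MTA presents after STARTTLS.
    Verification is disabled on purpose so the still-self-signed default
    certificate is fetched too and the mismatch gets reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.starttls(context=ctx)          # smtp.sock is now the TLS socket
        der = smtp.sock.getpeercert(binary_form=True)
    return der_fingerprint(der)


def check(host: str, pem_path: str) -> bool:
    """True when the served leaf certificate matches the file on disk."""
    with open(pem_path) as f:
        expected = leaf_fingerprint_from_pem(f.read())
    actual = served_fingerprint(host)
    print(f"expected {expected}\nserved   {actual}")
    return expected == actual


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mta-1.example.com"  # assumed
    path = sys.argv[2] if len(sys.argv) > 2 else f"/etc/letsencrypt/live/{host}/fullchain.pem"
    sys.exit(0 if check(host, path) else 1)
```

Run it from a host that can reach port 25 of the MTA; a mismatch usually means Postfix was not rebuilt or restarted after the configuration change.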