Postfix and Dovecot on Ubuntu with a Let's Encrypt SSL Certificate

First off, this guide is not going into how to configure Postfix with Dovecot as a fully fledged mail server; there are plenty of guides out there to help you with that. Today this guide is simply about running Postfix and Dovecot on Ubuntu with a Let's Encrypt SSL certificate. And I mean a fully fledged 4096-bit RSA SSL certificate issued by Let's Encrypt that also auto renews every 90 days.

Just what the world needed

The Let's Encrypt project is simply what the world needed: they have major backing and are promoting a more secure internet through SSL encryption, and even Google wants everyone running SSL these days, to the point of considering it a part of your SEO ranking. Personally I think the benefits of running all your web sites and mail servers on SSL far outweigh the reasons for not doing so, and up until now the only real reason was the exorbitant cost of obtaining SSL certificates, even for just one domain name. Step in Let's Encrypt, and hello world !!!

So enough about Let's Encrypt and SSL; if you don't know what they are then you shouldn't be here, especially not trying to set up a mail server with Let's Encrypt certificates. So here is the quick setup to generate the certificates for your mail server and to have Postfix and Dovecot using them perfectly. This guide assumes your mail server is running on its own IP address on a different server from your web server. That is the way I have things running, and it is why I wrote this guide in the first place: it took over 11 hours on the web fiddling through bits of code and forums to figure this out. The folks at the Let's Encrypt community are a great bunch too.

Installing Let’s Encrypt on Ubuntu with Postfix and Dovecot

SO ARE YOU READY !!…. Let's first install letsencrypt.

sudo apt-get update
sudo apt-get install git
sudo git clone https://github.com/certbot/certbot /opt/certbot

So that's certbot / letsencrypt installed; now to set up everything so we can generate our keys for our mail server.

Please read this tutorial on the name change from letsencrypt to certbot and on how to update letsencrypt to certbot on Ubuntu.

To achieve this I simply changed some configuration on the Apache server, which runs on my mail server only to serve me with web stats. In case you don't have Apache or Nginx on your mail server, simply install Apache and then carry on with this guide. I am not familiar with Nginx, but there are guides out there which you can find; just modify the steps below for an Nginx setup.

In my case I have Apache on the server but no web sites running, so it was simple: I just modified the 000-default file located at

/etc/apache2/sites-available/000-default.conf

Let me explain also what this does. It lets letsencrypt / certbot prove control of your domain with the ACME HTTP-01 challenge: certbot writes a verification token into the /.well-known/acme-challenge/ location under your web root, and the Let's Encrypt validation server fetches it over plain HTTP from your Apache server. Their script does this all automatically; you just need to have this location set up and configured as below. It's a way of authenticating your server to the signing server and is an essential part of Postfix and Dovecot on Ubuntu with a Let's Encrypt SSL Certificate.

sudo nano /etc/apache2/sites-available/000-default.conf

Then just add the following into the conf file BEFORE the closing </VirtualHost> tag.

        # Alias for Let's Encrypt webroot authentication (ACME HTTP-01 challenge)
        Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
        <Directory "/var/www/html/.well-known/acme-challenge/">
                Options None
                AllowOverride None
                # Challenge responses must be served as plain text
                ForceType text/plain
                # Only paths that look like a 43-character challenge token are served;
                # anything else under this directory gets a 404
                RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
        </Directory>

Save that file and restart Apache

sudo service apache2 restart
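Before asking for a certificate it is worth checking that Apache really serves the challenge directory the way the rules above intend. This added pre-flight script is not part of the original post; it assumes the webroot /var/www/html and the host name mail.mydomain.com used in this guide, drops a constructed token into the challenge directory, fetches it over plain HTTP as the Let's Encrypt validation server would, and confirms that a non-token path gets the 404 from the RedirectMatch rule.

```shell
#!/bin/sh
# Added pre-flight check for the Apache ACME challenge location (not from the original post).
# Assumed values: the webroot later passed to certbot -w and the mail host's name.
WEBROOT=/var/www/html
HOST=mail.mydomain.com

# acme_token_ok TOKEN: true when TOKEN has the shape the RedirectMatch rule lets through,
# exactly 43 base64url characters [A-Za-z0-9_-].
acme_token_ok() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# make_token: a constructed 43-character base64url token for the dry run (not a real ACME token).
make_token() {
  head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n' | cut -c1-43
}

# preflight: write a token file where certbot would, fetch it over plain HTTP on port 80
# (which is how Let's Encrypt validates HTTP-01), and check body, Content-Type and that a
# non-token path is refused with 404. An HTTP-to-HTTPS redirect on port 80 shows up here
# as a body mismatch: exempt /.well-known/acme-challenge/ from such redirects.
preflight() {
  dir="$WEBROOT/.well-known/acme-challenge"
  token=$(make_token)
  url="http://$HOST/.well-known/acme-challenge"
  mkdir -p "$dir" && printf '%s' "$token.preflight" > "$dir/$token" || return 1
  body=$(curl -s "$url/$token")
  ctype=$(curl -sI "$url/$token" | tr -d '\r' | grep -i '^content-type:')
  code=$(curl -s -o /dev/null -w '%{http_code}' "$url/not-a-token")
  rm -f "$dir/$token"
  [ "$body" = "$token.preflight" ] || { echo "body mismatch: got '$body'"; return 1; }
  case "$ctype" in *text/plain*) ;; *) echo "expected text/plain, got '$ctype'"; return 1 ;; esac
  [ "$code" = 404 ] || { echo "non-token path returned $code, expected 404"; return 1; }
  echo "challenge location OK; run certbot-auto with --test-cert next"
}
```

Run `preflight` as root on the mail server; if it reports OK, the --test-cert run below should pass the webroot authentication.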

Then change directory to the letsencrypt folder

cd /opt/certbot

and then run this command which will generate your certificate.

FIRST …. before you create your first real certificate, please add --test-cert onto the end of the command below, just to make sure that your certificate passes the webroot authentication served by your Apache server; once it says all is OK you can remove the --test-cert flag. Some people use the --staging flag; it is one and the same thing according to the documentation I found.

So let’s go through this.

PLEASE SUBSTITUTE: dnsadmin@mydomain.com with your real permanent email address
PLEASE SUBSTITUTE: mail.mydomain.com with the real domain name of your mailserver, e.g. mx1.whatever.com

This next step is the TEST certificate for my mailserver. In this example I am using mail.mydomain.com

sudo ./certbot-auto certonly --agree-tos --rsa-key-size 4096 --renew-by-default -m dnsadmin@mydomain.com --webroot -w /var/www/html/ -d mail.mydomain.com --test-cert

This, if successful, will give you the following response. It does NOT create any keys even though it says it did.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem. Your cert
   will expire on 2016-09-11. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

So that was easy. Now we generate the real certificate … all we do now is remove the --test-cert option

sudo ./certbot-auto certonly --agree-tos --rsa-key-size 4096 --renew-by-default -m dnsadmin@mydomain.com --webroot -w /var/www/html/ -d mail.mydomain.com

and you will get the following output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem. Your cert
   will expire on 2016-09-11. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-lee

That's it, your keys are created and live, and now it's time to make Postfix and Dovecot rock with them.

Now Configure Postfix and Dovecot on Ubuntu with a Lets Encrypt SSL Certificate

Simply open your main.cf of Postfix and change / add the following lines. In my case this was simply a change, as I was already using self-signed SSL certificates, so it was a matter of changing 2 lines. If you have never set up SSL on Postfix, simply find a tutorial about those basics, then you can just switch it to use the Let's Encrypt certificates.

sudo nano /etc/postfix/main.cf

add or change these lines to the following, again substituting the real certificate paths you just created above for your real mail server domain name (FQDN).

UPDATED: 2017-01-09 (Config lines changed for postfix main.cf to strengthen ciphers and block known SSL attack types)


# Opportunistic STARTTLS on inbound SMTP. smtpd_use_tls is the legacy switch;
# smtpd_tls_security_level = may is the current equivalent and takes precedence
smtpd_use_tls=yes
smtpd_tls_security_level = may
# Never offer SMTP AUTH on an unencrypted connection
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
# Opportunistic TLS when Postfix delivers mail to other servers
smtp_tls_security_level = may
# Disable POODLE: refuse SSLv2 and SSLv3 for opportunistic and mandatory TLS, in both directions
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
# Changes to SSL ciphers: the server's preference order wins, and mandatory TLS uses the
# "high" grade list. smtpd_tls_mandatory_ciphers only applies when TLS is mandatory;
# opportunistic TLS is governed by smtpd_tls_ciphers, left at its default here so that
# senders with weaker TLS stacks still encrypt rather than fall back to plaintext
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
# Never put NULL-* ciphers (e.g. NULL-SHA256) in this list: they authenticate but do not
# encrypt. The ADH-* entries are anonymous Diffie-Hellman, which Postfix deliberately
# permits for opportunistic TLS because SMTP peers rarely verify certificates anyway
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256
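Hand-built cipher and protocol lines are easy to get subtly wrong; a well-known pitfall is a NULL-* cipher such as NULL-SHA256 (no encryption at all) slipping into the list. This added audit script is not from the original post; it checks a main.cf for weak cipher names and for the SSLv2/SSLv3 exclusions above, and includes a live check of the chain Postfix presents after STARTTLS. It assumes a GNU/Linux box with sed, grep and openssl.

```shell
#!/bin/sh
# Added audit for the Postfix TLS settings above (not from the original post).
# main.cf accepts "key = value" with optional spaces; the last assignment wins.

# weak_ciphers_in LIST: print each name in a colon-separated OpenSSL cipher list that
# is NULL (no encryption), export grade, RC4, (3)DES or MD5 based. Anonymous ADH-*
# ciphers are not flagged: Postfix allows them on purpose for opportunistic TLS.
weak_ciphers_in() {
  printf '%s\n' "$1" | tr ':' '\n' | grep -E '(^|-)(NULL|EXP|RC4|DES)(-|$)|MD5' || true
}

# postconf_value FILE KEY: value of KEY in FILE, empty if unset ("postconf -n KEY" on a live box).
postconf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_main_cf FILE: one finding per line on stdout; exit status is the number of findings.
audit_main_cf() {
  findings=0
  weak=$(weak_ciphers_in "$(postconf_value "$1" tls_high_cipherlist)")
  if [ -n "$weak" ]; then
    echo "tls_high_cipherlist contains weak ciphers: $(printf '%s' "$weak" | tr '\n' ' ')"
    findings=$((findings + 1))
  fi
  for key in smtpd_tls_protocols smtpd_tls_mandatory_protocols \
             smtp_tls_protocols smtp_tls_mandatory_protocols; do
    val=$(postconf_value "$1" "$key")
    case "$val" in
      # SSLv2 and SSLv3 excluded, or the ">=TLSv1.x" syntax of Postfix 3.6 and later
      *'!SSLv2'*'!SSLv3'*|*'!SSLv3'*'!SSLv2'*|*'>=TLSv1'*) ;;
      *) echo "$key does not exclude SSLv2 and SSLv3 (value: '${val:-unset}')"
         findings=$((findings + 1)) ;;
    esac
  done
  return $findings
}

# show_smtp_cert HOST: live check of the chain Postfix presents after STARTTLS (needs
# network access; for Dovecot use -connect HOST:993 without -starttls).
show_smtp_cert() {
  openssl s_client -connect "$1:25" -starttls smtp -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}
```

`audit_main_cf /etc/postfix/main.cf` before reloading, and `show_smtp_cert mail.mydomain.com` afterwards, give you the same answers as the online testers further down without leaving the box.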

Then edit your dovecot configuration file too

sudo nano /etc/dovecot/conf.d/10-ssl.conf

and change the following lines

# The leading "<" tells Dovecot to read the value from the file; Dovecot reads these as
# root, so the private key under /etc/letsencrypt is accessible
ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem

and then restart those services

sudo service postfix restart

and

sudo service dovecot restart

Go to EmailSecurityGrader and test your mail server


and then head off to MailServerEncryptionTest and test the security of your mail server there too (do not worry about the DANE message).


Then also go to this online testing tool and use it to send an email to an email address on your mail server. If you got all the above right you will see your Postfix is now speaking in tongues with a real valid SSL server certificate.

You should see results like this image.


And then finally check you can collect mail over IMAP or POP through Dovecot.

So that’s it, now just set your server to auto renew the keys every 90 days using Cron or Cron and a bash script.

Here’s how simple it is now.

Make Certbot / Let’s Encrypt Auto Renew your SSL Certificates

sudo crontab -e

and add the following cron job, which runs every Monday at 2:30AM. It does not renew the certificate until it expires; it just checks more frequently.

30 2 * * 1 /opt/certbot/certbot-auto renew >> /var/log/certbot-renew.log 2>&1 && service postfix restart && service dovecot restart

Save and exit Cron

Make sure the certbot-renew.log file exists by running

sudo touch /var/log/certbot-renew.log

and then finally make sure that file is owned by root and writable only by root (a world-writable log lets any local user tamper with it) by running

sudo chown root:root /var/log/certbot-renew.log
sudo chmod 644 /var/log/certbot-renew.log

So that's it … test that your cron job actually works and, like any good server operator, keep a check on your SSL certificates as well and make sure this auto-renew is actually running as you told it to.
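The one-liner above restarts both daemons on every Monday run, whether or not anything was renewed, and only when certbot exits successfully. This added wrapper is not from the original post; it assumes the live directory certbot created for mail.mydomain.com and the log file used in this guide (the state file location is my choice), reloads Postfix and Dovecot only when the fullchain.pem on disk actually changed, and logs what it did.

```shell
#!/bin/sh
# Added renewal wrapper for the cron job above (not from the original post).
# Assumed paths: the live directory certbot created for mail.mydomain.com, the log file
# this guide uses, and a state file (my choice) holding the last-seen certificate hash.
LIVE_CERT=/etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
STATE=/var/lib/certbot-mail.sha256
LOG=/var/log/certbot-renew.log

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# cert_changed CERT STATEFILE: true (exit 0) when CERT's SHA-256 differs from the hash
# recorded in STATEFILE (or none is recorded yet); records the new hash in that case.
cert_changed() {
  cert=$1; state=$2
  new=$(sha256sum "$cert" | cut -d' ' -f1) || return 1
  old=$(cat "$state" 2>/dev/null || true)
  [ "$new" != "$old" ] || return 1
  printf '%s\n' "$new" > "$state"
}

# renew_mail_cert: run certbot's renewal check (it only replaces certificates that are
# near expiry), then reload the mail daemons only if the chain on disk changed. A reload
# is enough for both to pick up the new files; certbot's own --deploy-hook option
# achieves the same "only when renewed" behaviour.
renew_mail_cert() {
  if ! /opt/certbot/certbot-auto renew --quiet >> "$LOG" 2>&1; then
    log "certbot-auto renew failed, see above"
    return 1
  fi
  if cert_changed "$LIVE_CERT" "$STATE"; then
    log "certificate changed, reloading postfix and dovecot"
    service postfix reload && service dovecot reload
  else
    log "certificate unchanged, nothing to reload"
  fi
}

# Save as /usr/local/sbin/renew-mail-cert.sh (assumed name), chmod 755, and in root's
# crontab (sudo crontab -e) run it every Monday at 02:30 instead of the && chain:
#   30 2 * * 1 /usr/local/sbin/renew-mail-cert.sh run
[ "${1:-}" = run ] && renew_mail_cert
```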

You now have Postfix and Dovecot on Ubuntu with a Lets Encrypt SSL Certificate !!!

Keep Certbot and Let’s Encrypt GIT Package Updated

Please also make sure to keep your Certbot package updated by frequently checking for updates to the Git package by running the following commands. This can also be set up as a cron job.

cd /opt/certbot
sudo git pull

To auto update Certbot from a CRON job just do the following in Cron every Monday at 2:30AM

30 2 * * 1 cd /opt/certbot && git pull

Hope I have some Happy SSL faces out there. I will add revisions to this file as I come across them. Feel free to share your comments, notes for others and your own experiences below.

I also suggest you read up on the Let’s Encrypt Rate Limits as this free SSL system is certainly not for abusers.

Happy Nixing in the Nixing Bowl Everyone !!!

16 thoughts on “Postfix and Dovecot on Ubuntu with a Let's Encrypt SSL Certificate”

  1. Pingback: Update letsencrypt to certbot on Ubuntu | Ubuntu 101

  4. Pingback: Certificats Let’s Encrypt | Aniol's blog

    • Ubuntu Man says:

      So glad this helped you Rojan. I have updated the article with some information about improving the ciphers on Postfix in the main.cf config file.

  5. Andrey says:

    Thank you for the comprehensive guide.
    You have a mistype in command “sudo service docevot restart” – should be dovecot)

  6. Arne K. Haaje says:

    Thanks for a very nice guide which worked great for both Postfix and Dovecot. You might want to update the installation part to use system packages instead of pulling from git, as this helps keeping it updated. From (at least) Ubuntu 16.04 the installation is straight forward using apt. See https://certbot.eff.org/ for details.

    • Ubuntu Man says:

      Hi Arne, glad it helped you and I will certainly update the article some time soon. I personally prefer to make sure people have the latest certbot, which not all distros have through apt, and it leads to endless problems. Some distros download version 0.4 of letsencrypt (deprecated) and it causes all sorts of nonsense. Cloning the whole repo as per my original instructions is also not needed as it just requires one file from the repo. But I will update it soon; had my father pass away on Friday morning so have my hands rather full right now.

  7. Thank you says:

    Please note that in your instructions you clone certbot in /opt/cerbot (missing t), hence the automatic update scripts won’t work because they point to /opt/certbot (with t)

    Thank you very much for putting together this awesome guide!

    • Ubuntu Man says:

      Thanks so much for pointing out the typos, so glad this guide helped you.
      Article updated with typos fixed 🙂

  8. Luc says:

    Thank you for your tutorial / effort.
    At the moment I am using CAcert.org for my email, but recently I have had problems with an iPhone that is not accepting CAcert for mail, so I am exploring the possibility of switching to this solution to test if the iPhone will work.
    I am using Apache for a few websites (pihole, media… ) only for my home use, and I do not allow access to them from the WWW.
    Will this setup work if the Apache web site is not accessible from the WWW?
    Thank you

    • Ubuntu Man says:

      Hi Luc, to get any Let’s Encrypt SSL cert issued it has to be authenticated with a real IP address and DNS records that point to that IP address otherwise any of Let’s Encrypt’s authentication checks will fail to give you a certificate.
