Let's encrypt: Free, trusted certificates for postfix and dovecot

After explaining how to get certificates for generic services, which you can read in my recent blog posts, I'll explain how to setup dovecot and postfix working with Let's encrypt certificates.

I assume you already have an running mail server. If not you may want to follow a guide for setting up your mail server. I recommend this guide from workaround.org about how to setup one on debian wheezy. But you may want to use this guide for debian jessie instead. There is also a short guide by digital ocean which doesn't explain as much as you may should know about running a mail server but if you just need to remember all the places and settings it's okay. But however, I want to talk about certification.

I'll still use the good old apache I used in all previous posts.

Configure apache webserver

First of all you need your webserver for the challenge. Let's say you want to get a certificate for mx1.example.com and mail.example.com.

I use the following configuration:

<VirtualHost *:80>  
    ServerName mx1.example.com
    ServerAlias mail.example.com
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    # Additional stuff...

<IfModule mod_ssl.c>  
<VirtualHost *:443>  
    ServerName mx1.example.com
    ServerAlias mail.example.com
    DocumentRoot /var/www/
    SSLCertificateFile    /path/to/certificate/ouroldmailserver.crt
    SSLCertificateKeyFile /path/to/key/ouroldmailserver.key
    # Additional stuff (may a webmail interface)...

The configuration is nearly an exact copy of the version I used in the reverse proxy tutorial. The important statements in this case are ServerName and ServerAlias. Change the values in the configuration to your DNS names and correct the path to you SSL/TLS certificate.

If you need more domain names, just add more ServerAlias statements to the VirtualHost.

Getting the let's encrypt certificate

If you followed my previous guides the Let's encrypt client is placed in /opt/letsencrypt.

So you change to this directory and run the interactive client.

cd /opt/letsencrypt  

Select all DNS names you want to use on your mail server.

You can also do it by using the command line parameters:

cd /opt/letsencrypt  
./letsencrypt-auto run --apache -d mx1.example.com,mail.example.com --email yourmail@example.com --agree-tos

Replace yourmail@example.com with your e-mail address and mx1.example.com,mail.example.com with a comma separated list of your wanted DNS names.

So now your certificate should placed in a subdirectory of /etc/letsencrypt/live/ with the name of one of your selected DNS names.

Let's say it's mx1.example.com so the full certificate chain can be found in /etc/letsencrypt/live/mx1.example.com/fullchain.pem and the private key in /etc/letsencrypt/live/mx1.example.com/privkey.pem.

Install the certificate on postfix

After getting the certificates you need to install them to your postfix.

Edit your /etc/postfix/main.cf file by using an editor of your choice or (my recommendation) the postconf -e command.


If you have an old intermediate certificate or CA setting you should remove it now.

After setting those values you can reload your postfix configuration by running systemctl reload postfix.

Install the certificate on dovecot

Now you got postfix ready but you may want to catch up your mails using imap.

So you also need to modify the SSL/TLS configuration of dovecot. In my setup the SSL configuration is placed at /etc/dovecot/conf.d/10-ssl.conf. The location depends on your setup and your distribution so it's may somewhere else. Replace the certificates with the let's encrypt certificates.

ssl_cert = </etc/letsencrypt/live/mx1.example.com/fullchain.pem  
ssl_key = </etc/letsencrypt/live/mx1.example.com/privkey.pem  

If you have an old intermediate certificate or CA setting you should remove it now.

Now restart your dovecot using systemctl restart dovecot. It will now use your trusted let's encrypt certificate.

Reload your certificates after renew

To reload your certificate after a renew I've written a little bash script to improve the renewal process.


# Check for an altered certificate (means there was a renew)
if [[ -N '/etc/letsencrypt/live/mx1.example.com/fullchain.pem' ]]; then  
   # Reload postfix
   /bin/systemctl reload postfix
   # Restart dovecot
   /bin/systemctl restart dovecot

It only restarts or reload your services if the certificate has been modified since it was read last time. This raises the uptime of your services.

At least you need to trigger the script. You can do that by cron, another script you use to renew your certificates or systemd. I'll use systemd just because it's a smooth way to renew your let's encrypt certificates and because you can read how to set it up by reading my last blog entry about renewing all your let's encrypt certificates using systemd.

So you put the script at /opt/scripts/renewMailserverCertificates.sh. (Yeah, it's not the best name you'll may find a better one)

Now you simply add /etc/systemd/system/letsencrypt.service.d/mailserver.conf



And that's it. After running systemctl daemon-reload everything should work well.

You can use systemctl start letsencrypt.service to check that everything works fine.

I hope you enjoyed that tutorial and may leave a comment down below, share it on Facebook, Twitter or even Google+. I'm searching for topics for more guides so feel free to request one.

EDIT 16.05.2016: Had to add the <IfModule mod_ssl.c>-tag else the official Let's encrypt client doesn't detect the vhost.

Additional information about SSL/TLS with postfix and dovecot


Stay in touch

By follow me on Twitter, follow RSS or sign up for my newsletter.