# Mail server SSL certificate configuration (SomethingWithHorizons/mailserver GitHub Wiki)
Generate a self-signed SSL certificate and configure the mail server to use it.
A test SSL certificate is needed early on in order to test the mail server's security configuration settings for both incoming/outgoing e-mail and IMAP connections.

:warning: WARNING: Using self-signed certificates in an operational context is discouraged. The self-signed certificates created here will therefore be replaced by certificates signed by a trusted third party at a later stage of this guide.
## Procedure
1. Edit `/etc/dovecot/conf.d/10-ssl.conf` to enable SSL support:

   - Change `ssl` to `required` to enforce the use of SSL:

     ```diff
     # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
     - ssl = no
     + ssl = required
     ```

   - Designate the SSL certificate, which contains the public key sent to clients, and the private key that allows the server to actually decrypt client messages:

     ```diff
     # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
     # dropping root privileges, so keep the key file unreadable by anyone but
     # root. Included doc/mkcert.sh can be used to easily generate self-signed
     # certificate, just make sure to update the domains in dovecot-openssl.cnf
     #ssl_cert = </etc/dovecot/dovecot.pem
     #ssl_key = </etc/dovecot/private/dovecot.pem
     + ssl_cert = </etc/certs/example.org/fullchain.pem
     + ssl_key = </etc/certs/example.org/privkey.pem
     ```

     :warning: Replace `example.org` with your domain.
2. Enable SSL for Postfix (the equivalent of the Dovecot configuration described above):

   ```sh
   postconf -e "smtp_tls_security_level=may"
   postconf -e "smtpd_tls_security_level=may"
   postconf -e "smtpd_tls_auth_only=yes"
   postconf -e "smtpd_tls_cert_file=/etc/certs/example.org/fullchain.pem"
   postconf -e "smtpd_tls_key_file=/etc/certs/example.org/privkey.pem"
   ```

   :warning: Replace `example.org` with your domain.

   `-e` edits Postfix' `main.cf`; the double quotes ensure that the configuration change is not accidentally interpreted by the shell.
3. Reload the configuration files into Postfix and Dovecot to apply the changes:

   ```sh
   service postfix reload
   service dovecot reload
   ```
4. Create a weekly cron job that reloads both Postfix and Dovecot, so that renewed certificates are picked up automatically, by issuing `crontab -e` and adding:

   ```sh
   @weekly /usr/sbin/service postfix reload
   @weekly /usr/sbin/service dovecot reload
   ```
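The steps above assume the self-signed test certificate already exists under `/etc/certs/example.org/`. As an added example (not from the wiki or the mailserver project), this POSIX shell script creates that certificate and key with `openssl` and checks them before the reload: the key is readable only by root, the certificate and key belong together, and the certificate names your domain. The `mail.<domain>` host name in the SAN and the script file name are assumptions.

```shell
#!/bin/sh
# Added example (not part of the wiki): create the self-signed test certificate the
# page assumes at /etc/certs/<domain>/{fullchain,privkey}.pem and sanity-check it
# before Dovecot and Postfix are pointed at it. Paths and file names mirror the page.
set -eu

# Generate a self-signed certificate and unencrypted key for DOMAIN into OUTDIR.
make_test_cert() {
    domain="$1"; outdir="$2"
    mkdir -p "$outdir"
    # -nodes: no passphrase, so the daemons can open the key unattended at startup.
    # The SAN lists the bare domain and the mail host clients connect to (assumed mail.<domain>).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:mail.$domain" \
        -keyout "$outdir/privkey.pem" -out "$outdir/fullchain.pem" 2>/dev/null
    # Both daemons read the key as root before dropping privileges; nobody else needs it.
    chmod 600 "$outdir/privkey.pem"
    chmod 644 "$outdir/fullchain.pem"
}

# Succeed only when the key file is unreadable by group and others (mode 600 or 400).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Succeed only when certificate and key share one RSA modulus, so a mismatched pair
# (e.g. a stale fullchain.pem after renewal) is caught before the daemons reload.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
}

# Succeed only when the certificate's subjectAltName covers DOMAIN, the name clients verify.
cert_covers_domain() {
    openssl x509 -noout -text -in "$1" | grep -Eq "DNS:$2"'(,|$)'
}

# Stand-alone use (as root): sh make-test-cert.sh example.org
# Afterwards, inspect what each daemon actually presents with, for example:
#   openssl s_client -connect mail.example.org:143 -starttls imap </dev/null
#   openssl s_client -connect mail.example.org:25  -starttls smtp </dev/null
if [ $# -gt 0 ]; then
    make_test_cert "$1" "/etc/certs/$1"
    key_is_private "/etc/certs/$1/privkey.pem"
    cert_matches_key "/etc/certs/$1/fullchain.pem" "/etc/certs/$1/privkey.pem"
    cert_covers_domain "/etc/certs/$1/fullchain.pem" "$1"
    echo "Certificate and key for $1 are in place under /etc/certs/$1"
fi
```

The same three checks are worth running after every renewal, since the weekly reload above will happily load a key that no longer matches its certificate.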