Dovecot and Postfix can use only one specific domain and one SSL certificate. So you have to create this specific domain and activate Let's Encrypt for it, so that its certificates can be used for SSL/TLS. All users, whatever their own domains and e-mail domains, have to use this one specific domain (the mail server hostname) to connect to the mail server.
- Create a new domain that you will use for the mail server and activate Let's Encrypt for this domain, e.g. `mail.example.com`.
- You will then find the LE certificates in the folder `/etc/ssl/froxlor-custom`:

```
mail.example.com.crt
mail.example.com.key
mail.example.com_CA.pem
mail.example.com_chain.pem
mail.example.com_fullchain.pem
```
- Edit the Postfix `main.cf` file and set the following parameters:

```
nano /etc/postfix/main.cf
```

```
# set those parameters
myhostname = mail.example.com
mydomain = mail.example.com
smtpd_tls_cert_file = /etc/ssl/froxlor-custom/mail.example.com.crt
smtpd_tls_key_file = /etc/ssl/froxlor-custom/mail.example.com.key
smtpd_tls_CAfile = /etc/ssl/froxlor-custom/mail.example.com_CA.pem
```
- Edit the Dovecot SSL config file and set the following parameters:

```
nano /etc/dovecot/conf.d/10-ssl.conf
```

```
# set following parameters
ssl_cert = </etc/ssl/froxlor-custom/mail.example.com_fullchain.pem
ssl_key = </etc/ssl/froxlor-custom/mail.example.com.key
```
- Restart Dovecot and Postfix and check that both are running:

```
service postfix stop
service postfix start
service dovecot stop
service dovecot start
service postfix status
service dovecot status
```
- Test the certificate on the SMTP and IMAP ports:

```
openssl s_client -host mail.example.com -port 25 -starttls smtp
openssl s_client -host mail.example.com -port 143 -starttls imap
```

In the output of each command you should see:

```
...
Verify return code: 0 (ok)
...
```

Then type `quit` to end the session.
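The same check as a script, added here as an example that is not part of the original guide: it runs `openssl s_client` against both STARTTLS ports, parses the `Verify return code` line, and also asks OpenSSL to verify the hostname, so a certificate for the wrong name fails the check too. It assumes OpenSSL 1.1.0 or newer (for `-verify_hostname`); the hostname is passed as the first argument, with `mail.example.com` being the guide's example.

```shell
#!/bin/bash
# Added example, not part of the original guide: check that Postfix (port 25,
# STARTTLS) and Dovecot (port 143, STARTTLS) present a certificate that
# validates against the system CA store and matches the hostname.
# Assumes OpenSSL 1.1.0 or newer (for -verify_hostname). The hostname
# (e.g. the guide's mail.example.com) is passed as the first argument.

# Extract the numeric verify code from captured "openssl s_client" output.
# Prints nothing when no "Verify return code" line is present (e.g. the
# connection or the STARTTLS negotiation failed before the TLS handshake).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n1
}

# Connect with STARTTLS and report whether chain and hostname verified.
check_starttls() {
    local host=$1 port=$2 proto=$3 out code
    out=$(openssl s_client -connect "$host:$port" -starttls "$proto" \
              -servername "$host" -verify_hostname "$host" </dev/null 2>&1) || true
    code=$(verify_code "$out")
    if [ "$code" = "0" ]; then
        echo "OK   $host:$port ($proto): chain and hostname verified"
        # Print the expiry so a renewed-but-not-reloaded certificate stands out.
        printf '%s\n' "$out" | openssl x509 -noout -enddate 2>/dev/null
        return 0
    fi
    echo "FAIL $host:$port ($proto): verify return code '${code:-none}'" >&2
    return 1
}

main() {
    local host=$1 rc=0
    check_starttls "$host" 25  smtp || rc=1
    check_starttls "$host" 143 imap || rc=1
    return "$rc"
}

# Runs only when a hostname is given, e.g.: ./check-mail-tls.sh mail.example.com
if [ $# -gt 0 ]; then main "$@"; fi
```

A non-zero exit status from the script means at least one of the two services failed verification, which makes it usable from a monitoring job after every certificate renewal.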
- To use the latest certificates after a renewal, the services have to be restarted every day. The following creates a daily cron job for that:

```
echo -e '#!/bin/bash\nsystemctl restart dovecot.service > /dev/null \nsystemctl restart postfix.service > /dev/null' | sudo tee /etc/cron.daily/reload-dovecot-postfix-ssl
sudo chmod 755 /etc/cron.daily/reload-dovecot-postfix-ssl
```
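A variant of that cron job, added as an example and not the guide's own script: it compares a fingerprint of the certificate file with the one recorded on the previous run and restarts the two services only when the file has actually changed, so a renewal is still picked up within a day but days without renewal cause no restart. The certificate path is the guide's; the state file path `/var/lib/mail-cert-reload/last-fingerprint` is an assumption.

```shell
#!/bin/bash
# Added example, not the guide's own cron job: restart Postfix and Dovecot only
# when the certificate on disk has changed since the last run. Install it as
# /etc/cron.daily/reload-dovecot-postfix-ssl (mode 755) like the guide's
# script. The certificate path is the guide's; the state file path is an
# assumption.
CERT=/etc/ssl/froxlor-custom/mail.example.com_fullchain.pem
STATE=/var/lib/mail-cert-reload/last-fingerprint

# SHA-256 of the certificate file on disk.
cert_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 and records the new fingerprint when the certificate differs from
# the one seen last time; returns 1 when it is unchanged or unreadable.
# Arguments: certificate path, state file path.
cert_changed() {
    local cert=$1 state=$2 now old=""
    [ -r "$cert" ] || return 1
    now=$(cert_fingerprint "$cert")
    [ -f "$state" ] && old=$(cat "$state")
    [ "$now" != "$old" ] || return 1
    mkdir -p "$(dirname "$state")"
    printf '%s\n' "$now" > "$state"
}

main() {
    if cert_changed "$CERT" "$STATE"; then
        systemctl restart dovecot.service
        systemctl restart postfix.service
    fi
}

main
```

The first run after installation records the fingerprint and restarts once; from then on a restart only happens in the daily run that follows a renewal.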
Generate SPF (Sender Policy Framework) Record
NOTE: Do this for each domain you use to send mail (not only the main mail server domain).

Generate: https://easydmarc.com/tools/spf-record-generator
Test: https://easydmarc.com/tools/spf-lookup/
Setup DKIM

Check that OpenDKIM is running:

```
sudo systemctl status opendkim.service
```
DMARC TXT
Create a new TXT record named `_dmarc.xyz.com` for each domain that sends mail, with the content:

```
v=DMARC1; p=none
```
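The SPF and DMARC records above are easy to get subtly wrong (a second SPF record, a missing `all` mechanism, `+all`, a policy tag with an invalid value). The following script, added as an example and not part of the original guide, checks a domain's records for exactly those mistakes. The `check_spf`, `check_dmarc`, `dmarc_tag` and `spf_record_count` functions work on record strings; `dns_txt` fetches the live records with `dig`, which is an assumption about the tools installed on the host.

```shell
#!/bin/bash
# Added example, not part of the original guide: sanity-check the SPF and
# DMARC TXT records of a sending domain. Usage: ./check-mail-dns.sh example.com
# Assumes "dig" is installed for the live lookup.

# Print all TXT records of a name, one per line, with dig's quoting removed.
dns_txt() {
    dig +short TXT "$1" | sed 's/^"//; s/"$//; s/" "//g'
}

# Count SPF records in a block of TXT records (one per line). A domain must
# publish exactly one; two or more make SPF evaluation fail.
spf_record_count() {
    printf '%s\n' "$1" | grep -c '^v=spf1' || true
}

# Validate one SPF record string; reason goes to stderr on failure.
check_spf() {
    local rec=$1
    case "$rec" in
        "v=spf1 "*) ;;
        *) echo "SPF: record must start with v=spf1" >&2; return 1 ;;
    esac
    case "$rec" in
        *" -all"|*" ~all") ;;
        *" +all"|*" ?all") echo "SPF: +all/?all lets unlisted hosts send as this domain" >&2; return 1 ;;
        *) echo "SPF: no terminating -all or ~all; unlisted senders are not rejected" >&2; return 1 ;;
    esac
}

# Value of a DMARC tag (second argument) in a record string; empty if absent.
dmarc_tag() {
    printf '%s\n' "$1" | tr ';' '\n' \
        | sed -n "s/^[[:space:]]*$2=//p" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | head -n1
}

# Validate one DMARC record string: v=DMARC1 must be the first tag and the
# policy must be one of the three values the spec allows.
check_dmarc() {
    local rec=$1 policy
    case "$rec" in
        "v=DMARC1;"*|"v=DMARC1") ;;
        *) echo "DMARC: record must start with v=DMARC1" >&2; return 1 ;;
    esac
    policy=$(dmarc_tag "$rec" p)
    case "$policy" in
        none|quarantine|reject) ;;
        *) echo "DMARC: p must be none, quarantine or reject (got '${policy:-missing}')" >&2; return 1 ;;
    esac
}

main() {
    local domain=$1 rc=0 txt spf
    txt=$(dns_txt "$domain")
    if [ "$(spf_record_count "$txt")" != "1" ]; then
        echo "SPF: $domain must publish exactly one v=spf1 record" >&2; rc=1
    fi
    spf=$(printf '%s\n' "$txt" | grep '^v=spf1' | head -n1 || true)
    [ -z "$spf" ] || check_spf "$spf" || rc=1
    check_dmarc "$(dns_txt "_dmarc.$domain")" || rc=1
    return "$rc"
}

# Runs only when a domain is given on the command line.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it once per sending domain, as the note above asks, since every domain needs its own SPF record and its own `_dmarc` record; `p=none` from the guide passes the check, and raising it to `quarantine` or `reject` later passes as well.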
Testing the Mail Server
More info
Dovecot Documentation
Get latest Dovecot version
Postfix support multiple domains
Troubleshooting
```
sudo journalctl -u postfix
sudo journalctl -u dovecot
sudo journalctl -u opendkim.service
```