netcup + froxlor + mail server (dovecot/postfix) + tls/ssl (Let’s Encrypt)

Dovecot and Postfix can each use only one specific domain and one SSL certificate. You therefore have to create this one domain and activate Let’s Encrypt for it, so that its certificates can be used for SSL/TLS. All users, whatever their own domains and email domains, have to use this one domain to connect to the mail server.

  1. Create a new domain that you will use for the mail server and activate Let’s Encrypt for this domain.
    e.g. ``
  2. You will find the LE certificates in the folder `/etc/ssl/froxlor-custom`.
  3. Edit the Postfix file and set the following parameters:
    nano /etc/postfix/
    // set these parameters
    myhostname =
    smtpd_tls_cert_file = /etc/ssl/froxlor-custom/
    smtpd_tls_key_file = /etc/ssl/froxlor-custom/
    smtpd_tls_CAfile = /etc/ssl/froxlor-custom/mail.example.com_CA.pem
  4. Edit the Dovecot config file and set the following parameters:
    nano /etc/dovecot/conf.d/10-ssl.conf
    // set the following parameters
    ssl_cert = </etc/ssl/froxlor-custom/mail.example.com_fullchain.pem
    ssl_key = </etc/ssl/froxlor-custom/
  5. Restart Dovecot and Postfix
    service postfix stop
    service postfix start
    service dovecot stop
    service dovecot start 
    service postfix status 
    service dovecot status
  6. Test the certificate
    openssl s_client -host -port 25 -starttls smtp 
    openssl s_client -host -port 143 -starttls imap 
    The output of both commands should contain: Verify return code: 0 (ok)
  7. To use the latest certificates, the servers have to be restarted every day
    echo -e '#!/bin/bash\nsystemctl restart dovecot.service > /dev/null \nsystemctl restart postfix.service > /dev/null' | sudo tee /etc/cron.daily/reload-dovecot-postfix-ssl
    sudo chmod 755 /etc/cron.daily/reload-dovecot-postfix-ssl
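
Step 7 restarts both services every day whether or not the certificate was renewed. As an added example (not from the original page), the script below restarts them only when the certificate file has changed and includes a helper for the check in step 6; the state file path, the `--run` switch and the function names are assumptions, and the certificate path is the one from step 4.

```shell
#!/bin/bash
# Added example: restart Postfix and Dovecot only after a certificate renewal.
# CERT is the fullchain path from step 4; STATE is an assumed location.
CERT="${CERT:-/etc/ssl/froxlor-custom/mail.example.com_fullchain.pem}"
STATE="${STATE:-/var/lib/misc/mail-cert.sha256}"

# Print the SHA-256 of a certificate file; fail if it is missing or empty.
cert_fingerprint() {
    [ -s "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# reload_if_renewed CERT STATE
# Returns 0 after a successful restart, 1 if nothing changed, 2 on error.
reload_if_renewed() {
    local cert="$1" state="$2" new old=""
    new=$(cert_fingerprint "$cert") || {
        echo "certificate missing or empty: $cert" >&2
        return 2
    }
    [ -f "$state" ] && old=$(cat "$state")
    [ "$new" = "$old" ] && return 1
    systemctl restart postfix.service dovecot.service || return 2
    # Record the fingerprint only after a successful restart, so a failed
    # restart is retried on the next run.
    printf '%s\n' "$new" > "$state"
}

# Reads `openssl s_client` output (step 6) on stdin and succeeds only if
# chain verification passed.
verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Only act when called with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    # "Nothing changed" (status 1) is not an error for cron.
    reload_if_renewed "$CERT" "$STATE" || [ "$?" -eq 1 ]
fi
```

Because `run-parts` calls the files in `/etc/cron.daily` without arguments, the cron entry has to be a small wrapper that calls this script with `--run`.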

Generate SPF (Sender Policy Framework) Record

NOTE: Do this for each domain you are using to send mail (not only the main mail server domain).



Setup DKIM

sudo systemctl status opendkim.service


Create a new TXT record for each domain that sends mail, with:

v=DMARC1; p=none

Testing the Mailserver

More info

Dovecot Documentation
Get latest Dovecot version

Postfix support multiple domains


sudo journalctl -u postfix
sudo journalctl -u dovecot
sudo journalctl -u opendkim.service