netcup + froxlor + mail server (dovecot/postfix) + tls/ssl (Let’s Encrypt) 1


You can use only one specific domain and ssl certificate in dovecot and postfix. So you have to create this specific domain and activate Let’s Encrypt for that, so that you can use those certificates for SSL/TLS. All the users with different domains and email-domains have to use this one specific domain to connect to the mail server.

  1. So create a new domain that you will use for the mail server and activate Lets encrypt for this domain.
    e.g. `mail.example.com`
  2. So you will find the LE certificates in the folder `/etc/ssl/froxlor-custom`.
    mail.example.com.crt           
    mail.example.com.key         
    mail.example.com_CA.pem    
    mail.example.com_chain.pem
    mail.example.com_fullchain.pem
  3. Edit the postfix main.cf file and set the following parameters:
    nano /etc/postfix/main.cf
    
    // set those parameters
    myhostname = mail.example.com
    mydomain= mail.example.com
    
    smtpd_tls_cert_file = /etc/ssl/froxlor-custom/mail.example.com.crt
    smtpd_tls_key_file = /etc/ssl/froxlor-custom/mail.example.com.key
    smtpd_tls_CAfile = /etc/ssl/froxlor-custom/mail.example.com_CA.pem
  4. Edit dovecot config file and set following parameters:
    nano /etc/dovecot/conf.d/10-ssl.conf
    
    // set following parameters
    ssl_cert = </etc/ssl/froxlor-custom/mail.example.com_fullchain.pem
    ssl_key = </etc/ssl/froxlor-custom/mail.example.com.key
  5. Restart dovecot und postfix
    service postfix stop
    service postfix start
    service dovecot stop
    service dovecot start 
     
    service postfix status 
    service dovecot status
  6. Test certificate
    openssl s_client -host mail.example.com -port 25 -starttls smtp 
    openssl s_client -host mail.example.com -port 143 -starttls imap 
    ... 
    Verify return code: 0 (ok) 
    ... 
    quit
  7. To use the latest certificates the servers has to be restarted every day
    echo -e '#!/bin/bash\nsystemctl restart dovecot.service > /dev/null \nsystemctl restart postfix.service > /dev/null' | sudo tee /etc/cron.daily/reload-dovecot-postfix-ssl
    
    sudo chmod 755 /etc/cron.daily/reload-dovecot-postfix-ssl

Generate SPF (Sender Policy Framework) Record

NOTE: Do this for each Domain, you are using to send mails (not only the main mailserver domain).

Generate: https://easydmarc.com/tools/spf-record-generator

Test https://easydmarc.com/tools/spf-lookup/

Setup DKIM

sudo systemctl status opendkim.service

DMARC TXT

create a new TXT for each Domain, that sends mails _dmarc.xyz.com with:

v=DMARC1; p=none

Testing the Mailserver

https://www.mail-tester.com/

More info

Dovecot Documentation
Get latest Dovecot version

Postfix support multiple domains

Troubleshooting

sudo journalctl -u postfix
sudo journalctl -u dovecot
sudo journalctl -u opendkim.service


Leave a Reply to Tom Cancel reply

Your email address will not be published. Required fields are marked *

One thought on “netcup + froxlor + mail server (dovecot/postfix) + tls/ssl (Let’s Encrypt)