##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
-ssl = yes
+ssl = required
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/dovecot/private/dovecot.pem
-ssl_key = </etc/dovecot/private/dovecot.key
+ssl_cert = <${mail_ssl_cert_dir}/fullchain.pem
+ssl_key = <${mail_ssl_cert_dir}/privkey.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
|-> auth-static.conf.ext -- /etc/dovecot/conf.d/
`-> auth-system.conf.ext -- /etc/dovecot/conf.d/
+SSL
+---
+
+Add DNS records. If no MX record is present, mail servers fall back to the A
+record (see https://serverfault.com/a/470651).
+
+```
+example.com. 0 A <ipv4_address>
+example.com. 0 AAAA <ipv6_address>
+example.com. 0 MX 0 mail.example.com
+mail.example.com. 0 CNAME example.com.
+```
+
+Install `certbot`.
+
+```
+$ apt install certbot
+```
+
+Create a certificate with a generic name and add all domains under it.
+
+```
+$ certbot certonly --manual --preferred-challenges dns --cert-name mail \
+ -d mail.<domain1> -d mail.<domain2>
+```
+
Install
-------
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
+
+# TLS
+smtp_tls_cert_file = ${mail_ssl_cert_dir}/fullchain.pem
+smtp_tls_key_file = ${mail_ssl_cert_dir}/privkey.pem
+smtp_tls_security_level = encrypt
+smtpd_tls_auth_only = yes
+smtpd_tls_cert_file = ${mail_ssl_cert_dir}/fullchain.pem
+smtpd_tls_key_file = ${mail_ssl_cert_dir}/privkey.pem
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_security_level = encrypt
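Review bot: `smtpd_tls_security_level = encrypt` on the last line of the hunk makes STARTTLS mandatory on the public port-25 MX as well, which RFC 3207 forbids for a publicly referenced server and which silently loses mail from the many senders that still deliver in cleartext; the same `encrypt` on `smtp_tls_security_level` makes outbound delivery bounce to any destination whose MX does not offer STARTTLS. Since `smtpd_tls_auth_only = yes` already keeps credentials off cleartext sessions, main.cf can stay opportunistic with `smtpd_tls_security_level = may` and `smtp_tls_security_level = may`, and the submission service in master.cf can carry `-o smtpd_tls_security_level=encrypt` for authenticating clients. Note that `encrypt` on the client side does not verify the peer certificate, so it defeats only passive observation; per-destination `verify`/`secure` entries in `smtp_tls_policy_maps`, or `dane` with a validating resolver, are needed for stronger guarantees. `${mail_ssl_cert_dir}` is presumably defined earlier in main.cf, outside the hunk, which is worth confirming since Postfix expands an undefined parameter to an empty string and the cert/key paths would then be wrong.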