Certificate for mail server


#1

Hi,

I am running 2 debian machines, one as a mail server and one as a web server.
Certs work fine for my web server, because it has port 80 and 443 forwarded to it. The problem is when I make certificates for my mail server.

I use SSL encryption for my mail server, but I can't make a certificate with certbot because it needs to check it by using a web server.

I was wondering how I could fix this. If you need any information let me know.

[INFO]

Domain: hedium.nl / mail.hedium.nl
Certbot Version: 0.10.2
Mail server is postfix with dovecot.


#2

Two options:

  • get the cert on the webserver and transfer it somehow securely to your mailserver (e.g. with scp)
  • use certbot on the mailserver with the DNS challenge. For automated renewal it would require a DNS provider with an API.
  • use certbot on the mailserver with your webserver configured as a reverse proxy for the hostname of your mailserver, assuming it has its own distinct FQDN. Otherwise you could have used a cert of the webserver in the first place.

#3

Also, you could run Certbot on the mail server using --standalone (if there’s nothing listening on port 80 there).


#4

Seeing the use of “forwarded”, I assume both servers are behind some kind of NAT device, sharing a single public IP address?

By the way, if using the reverse proxy trick, using standalone would be very useful on the mailserver too!


#5

Hi, I was also thinking about transferring the SSL file from my web server. Going to try this out.

And yeah, I only have one IP address.


#6

Ok, I got the cert moved with a script. Works great.

Do I need to reload postfix and dovecot every time I update the cert?


#7

Yes. Just reloading is fine, no restart required.
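A worked version of the copy-then-reload step from #6 and #7, added here as an example and not a script posted in the thread. It assumes a dedicated SSH user certdeploy on mail.hedium.nl whose sudo rights are limited to postfix reload and doveadm reload, a remote directory /etc/ssl/mail, and that certbot runs it as its renewal hook (--deploy-hook, or --renew-hook on older certbot), which exports RENEWED_LINEAGE.

```shell
#!/bin/sh
# Added example (not from the thread): certbot renewal hook that copies a
# renewed certificate from the web server to the mail server and reloads
# postfix and dovecot there, but only when the files actually changed.
# Assumed names: SSH user "certdeploy" on mail.hedium.nl, remote dir
# /etc/ssl/mail. Certbot exports RENEWED_LINEAGE to its renewal hooks.
set -eu

MAIL_HOST="${MAIL_HOST:-certdeploy@mail.hedium.nl}"
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/mail}"

# cert_changed SRC DST: true (0) when DST is missing or differs from SRC.
cert_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# stage_cert LINEAGE STAGE: copy fullchain.pem and privkey.pem into STAGE
# with tight permissions. Returns 0 if anything changed, 1 if already current.
stage_cert() {
    lineage="$1"; stage="$2"; changed=1
    mkdir -p "$stage"
    for f in fullchain.pem privkey.pem; do
        if cert_changed "$lineage/$f" "$stage/$f"; then
            cp "$lineage/$f" "$stage/$f.tmp"
            mv "$stage/$f.tmp" "$stage/$f"   # swap in whole, never half-written
            changed=0
        fi
    done
    chmod 0644 "$stage/fullchain.pem"
    chmod 0600 "$stage/privkey.pem"       # private key readable by owner only
    return "$changed"
}

# push_and_reload STAGE: ship the staged files and reload the daemons.
# A reload (not a restart) is enough for postfix and dovecot to pick up
# the new key and chain, as #7 says.
push_and_reload() {
    scp -q "$1/fullchain.pem" "$1/privkey.pem" "$MAIL_HOST:$REMOTE_DIR/"
    ssh "$MAIL_HOST" "sudo postfix reload && sudo doveadm reload"
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); otherwise the
# file just defines the functions above and can be sourced for testing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if stage_cert "$RENEWED_LINEAGE" /var/lib/certdeploy/mail; then
        push_and_reload /var/lib/certdeploy/mail
    else
        echo "certificate unchanged, nothing to push"
    fi
fi
```

The unchanged check matters if the same script is also run from cron rather than only from certbot, since then most runs would otherwise push and reload for no reason.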


#8

Alright, thanks for all the help!


closed #9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.