Create SSL Certificate only for Postfix


#1

Hi everyone!!!

I have a mail server with postfix + dovecot, but I do not have a web server on this machine. My MX fields in DNS are fine and pointed to the IP of my mail server.

I follow this manual
h_tps://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7
But this method needs the web server. Is it possible to create the certificate only for the postfix server?

Regards,
David


#2

Hi,

That’s definitely possible…

Running certbot certonly should do it (if port 80 is open…)

Thank you


#3

Ok, I have apache running on this machine but my machine is not accessible on this port from the internet… I can only open port 8888, because port 80 is pointed to another machine.

Regards,
David


#4

To elaborate, Certbot has a “standalone” mode which can spin up a temporary webserver to respond to the challenges. This really only works on systems like yours which don’t have a web server running, because only one thing can be listening on port 80 at a time. You would want to run something like certbot certonly --standalone -d domain1.com -d domain2.com

Note that this will only give you the certificate - it will not apply it. You’ll probably want to write a shell script that actually applies the renewed certificate (by reloading/restarting services using it) and add that to the command as a --renewal-hook flag.
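As an added example (not from the thread), here is a deploy hook for the postfix/dovecot machine that certbot can run through its `--deploy-hook` option after a successful issuance or renewal; certbot exports `RENEWED_LINEAGE` (the `/etc/letsencrypt/live/<name>` directory) to the hook. It checks that the lineage holds a certificate and key, that the key is not readable by group or others, and then reloads the two services. The service names and the use of `systemctl` are assumptions about the CentOS 7 box.

```shell
#!/bin/sh
# Deploy hook for: certbot certonly --standalone -d mail.example.com \
#                    --deploy-hook /usr/local/sbin/reload-mail-tls.sh
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.example.com)
# when it runs the hook after a successful issuance or renewal.
set -eu

# Verify that a lineage directory holds a usable fullchain/privkey pair and
# that the private key is not readable by group or others.
# Returns 0 when everything is in order, 1 otherwise.
check_lineage() {
    dir=$1
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
    done
    # First field of ls -l is e.g. -rw-------; chars 5-10 are the group
    # and other permission bits, which must all be "-" for a private key.
    mode=$(ls -l "$dir/privkey.pem" | cut -c5-10)
    case $mode in
        ------) ;;
        *) echo "privkey.pem readable by group/others (bits: $mode)" >&2
           return 1 ;;
    esac
    return 0
}

# Reload the MTA and IMAP daemons so they pick up the new certificate.
# Both re-read their TLS files on reload; fall back to a restart if the
# reload is refused (assumed systemd unit names: postfix, dovecot).
reload_mail_services() {
    for svc in postfix dovecot; do
        systemctl reload "$svc" || systemctl restart "$svc"
    done
}

# Only deploy when certbot invoked us; the variable is unset when this file
# is sourced just for its functions.
if [ "${RENEWED_LINEAGE:-}" ]; then
    check_lineage "$RENEWED_LINEAGE"
    reload_mail_services
fi
```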


#5

Output of the command

```
[root@mail letsencrypt]# certbot certonly --standalone -d criterion.com.py
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for criterion.com.py
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
```

#6

Well, that presents a bit of a problem. Your machine needs to be accessible over port 80 for the HTTP-01 challenge. If you have another system listening on port 80 for your network, you would either need to reverse proxy requests for .well-known/acme-challenge to the postfix/dovecot server, or consider using the DNS challenge type.

That indicates that you do, in fact, have a service (presumably a web server) already listening on port 80.


#7

Ok, I have apache running on this machine but my machine is not accessible on this port from the internet… I can only open port 8888, because port 80 is pointed to another machine.

Regards,
David


#8

Hi @dgrvedado

Does this other machine have a webserver? If yes, you may use the other machine to create the certificate.

If this isn’t possible: dns-01 challenge, so you have to create a DNS TXT entry:

_acme-challenge.yourdomain.com

with a special value. But if your dns provider doesn’t support an api, you have to do that every 60 - 90 days.


#9

I tried this:

```
[root@mail ~]# certbot certonly --standalone -d mail.criterion.com.py --http-01-port 8888
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.criterion.com.py
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.criterion.com.py (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.criterion.com.py/.well-known/acme-challenge/YDVkL-klXq4G066NDfjv5LZDWd9Fi4ZLTHhqSr7De9w:
…
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: mail.criterion.com.py
   Type:   unauthorized
   Detail: Invalid response from
   http://mail.criterion.com.py/.well-known/acme-challenge/YDVkL-klXq4G066NDfjv5LZDWd9Fi4ZLTHhqSr7De9w:
   .........
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

In the --help it says:

```
--http-01-port HTTP01_PORT
Port used in the http-01 challenge. This only affects
the port Certbot listens on. A conforming ACME server
will still attempt to connect on port 80. (default:
80)
```


#10

This is correct. Let’s Encrypt will always, no matter what, send the request over port 80. All that flag does is change what port the standalone server is listening on. If you want to do that, you would need to set up whatever machine is listening on port 80 to forward requests for .well-known/acme-challenge on port 80 over to your other server on port 8888.


#11

Is it possible, that you configure your other machine (with the port 80), so that the requests to

/.well-known/acme-challenge/

are redirected to your current machine? If yes, that may work.


#12

What should I put in this file?
Regards,
David


#13

That’s a directory - you’ll need to place the challenge file in that directory. This is a random filename with random contents (well, effectively random) that will change every time. The “best practice” setup would be something like this:

Server A, the one open to the internet on port 80:

  • Configure this server such that any request for a resource in the directory .well-known/acme-challenge is reverse-proxied to server B on whatever port you want.

Server B, the postfix/dovecot one:

  • This can listen on whatever; it just needs to be an open port and match what server A is forwarding the requests along on.

#14

Additional: Your domain name (which is used in the certificate) must have the A record with the ip of your other server.

Your postfix + dovecot configuration needs the MX record, so the A record should be unused.


#15

I get the impression that both servers are behind the same public IP, or else the “port 80 on a different server” thing wouldn’t be a problem…


#16

Hi,

If this is the case, what’s the webserver software you use with the machine that listens to port 80?

You may be able to make an internal proxy when the main server (the one that runs on port 80) receives a request with that domain & validation path…

Thank you


#17

Lol, that’s what I’ve been suggesting the whole time. :rofl: Welcome on board!


#18

They are not:

Name: criterion.com.py
Address: 5.9.124.212

Name: mail.criterion.com.py
Address: 181.120.215.171

But there is the apache default page on http://mail.criterion.com.py/

So a proxy isn’t required.

PS: Then --standalone isn’t good. Instead something like

certbot certonly --apache -d mail.criterion.com.py

to use the apache.


#19

Yes, it is a different server… 5.9.124.212 is only the web server, and 181.120.215.171 is the mail server and MX record too. But 181.120.215.171 is only the router of a LAN; I have port forwarding in this router… and port 80 goes to a different server from my mail server.
Then do I need to put, for example, an HTML file (index.html) with a redirect to my apache on the mail server? Or do I need to use the .htaccess file?

Regards,
David


#20

Just realized…

(My brain is not functioning correctly… Probably due to the Java Chip frap.)