Hello, can I use Let's Encrypt for Postfix?

My domain is: logic-immo.site
My web server is (include version): apache
The operating system my web server runs on is (include version): opensuse leap 15.4
I can login to a root shell on my machine (yes or no, or I don't know): yes
The web server works fine with Certbot (congratulations).
But can I use the certificates for mail.logic-immo.site? It's for Postfix.
I want to use port 465.

Yes, that's possible. You need to manually configure Postfix though, as Certbot cannot do that itself.

I don't know how you got your certificate for your Apache, but on my Certbot/Apache server I can "force" Certbot and Apache to get a certificate for a hostname Apache doesn't know about by just using the -d option and in your case specify mail.logic-immo.site, even if that hostname isn't configured in Apache. But maybe you already have that hostname configured in Apache anyway e.g. for webmail?

I can see you have had certificates for mail.logic-immo.site in the past, but the last one expired recently: https://crt.sh/?deduplicate=Y&q=mail.logic-immo.site So you ought to know how to get another one I guess :slight_smile:


Thank you, I understand.

Also see Does Let’s Encrypt issue certificates for anything other than SSL/TLS for websites? in the FAQ - Let's Encrypt


I set that up a while ago and did a short writeup.

This is a little out of date, but should be sufficient. Lets Encrypt and Postfix | Geeky Ramblings


It works, but I have problems, not with the certs, but with Dovecot now.

What is the problem you are experiencing with dovecot?


The service is disabled and I don't understand why; I have searched for several hours. I get the same message:
loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
Moreover, I have another problem with Postfix:
postfix/smtp/smtp[3360]: warning: tls library problem: error:1408f10b:ssl routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
It's because I tried to send an echo mail to the webmestre account; is my console wrong?
I spent more than 8 hours searching for what's wrong.

This could possibly relate to software trying to speak TLS to a server or service that is not configured to speak TLS.

However, I'm not positive of that.

TLS configuration for Postfix is on-topic for this forum but traditionally most forum members have no experience at all with this, so it can be hard to get knowledgeable help with that here.


On the hostname mail.logic-immo.site, currently Postfix is configured with a Sectigo certificate for lwspanel.com and *.lwspanel.com for SMTP and Dovecot the same for IMAP. So an incorrect certificate. (Using STARTTLS on port 25 respectively 143 as well as directly on port 465 respectively 993.)


Yes, today I changed the DNS again, but yesterday it was the correct IP. Thanks.
I have a meeting point today; I will work on my server again tonight, I'm a nerd :wink:
Why do I want port 465? It's because my ISP blocks port 25.

Then how can I connect to your Postfix on port 25? (Assuming it's your Postfix I'm connecting to, it's sporting the same incorrect certificate as port 465. Or the IP address is still incorrect..)

It's common for ISPs to only block outgoing connections to port 25, as that could be due to spam bots trying to send email. Often incoming connections to port 25 are open just fine.


No, the IP is incorrect; I changed it this evening.
I will work tonight, promise. :wink:

Already there, I have a new message from Postfix:
openssl s_client -connect mail.logic-immo.site:465 -starttls smtp -tls1_1

139637341865792:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 217 bytes and written 166 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.1
    Cipher    : 0000
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1687013754
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

My main.cf contains:

smtp_tls_cert_file = /etc/letsencrypt/live/mail.logic-immo.site/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.logic-immo.site/privkey.pem
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.logic-immo.site/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.logic-immo.site/privkey.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

and also

smtp_tls_wrappermode = yes
smtpd_tls_ask_ccert = no
smtpd_tls_exclude_ciphers = RC4
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = !TLSv1:!TLSv1.1:!TLSv1.2
smtpd_tls_protocols = !TLSv1:!TLSv1.1:!TLSv1.2
smtpd_tls_mandatory_ciphers = medium
tls_preempt_cipherlist = no

You shouldn't use -starttls smtp when connecting to port 465: that's the port for secure SMTP with mandatory TLS, so no plain connection to begin with to issue a STARTTLS.

By the way, you have configured the smtp_* and smtpd_* directives equally. That's NOT how you're supposed to configure Postfix, as those two groups of directives are for ENTIRELY different functions of Postfix. Please read Postfix TLS Support.


I have commented out all the smtp directives and it seems there's no more service; I don't understand.
fatal: parameter inet_interfaces: no local interface found for

I don't know if commenting all the smtp_* directives is the right action, but I guess the defaults might be good enough for you :man_shrugging:

With regard to the error about inet_interfaces: that's not related to TLS certificates, but generic Postfix configuration. Please refer to the Postfix documentation and if you require help, please refer to some place where you can get generic Postfix configuration support. This is not the right Community for that I'm afraid.


Commenting out the bulk of the smtp_* directives is likely a good start. They are used to configure postfix as an SMTP client. That is the role taken when making connections to other servers. Keep that in mind when reviewing those settings. The options are very well documented which has proven very helpful in my own postfix configuration.

I agree with @Osiris's assessment of your inet_interfaces error. You may be able to obtain assistance in #postfix on the Libera Chat IRC network.
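
As an added example (not code from any poster in this thread or from the Postfix project), here is a small main.cf check for the client/server mix-up discussed above: smtp_* parameters configure Postfix as an SMTP client, smtpd_* as a server. The function names are hypothetical, the sample input is constructed from the settings quoted earlier in the thread, and the three checks reflect the documented meaning of those parameters.

```python
import re

# Constructed sample: a subset of the TLS settings quoted in the thread's main.cf.
SAMPLE_MAIN_CF = """\
smtp_tls_cert_file = /etc/letsencrypt/live/mail.logic-immo.site/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.logic-immo.site/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.logic-immo.site/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.logic-immo.site/privkey.pem
smtp_tls_wrappermode = yes
smtpd_tls_protocols = !TLSv1:!TLSv1.1:!TLSv1.2
"""

def parse_main_cf(text):
    """Return {name: value}; skips comments, joins whitespace-led continuation lines."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:      # continuation of the previous parameter
            params[last] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def lint_tls_roles(params):
    """Flag settings where the client (smtp_) and server (smtpd_) roles look confused."""
    findings = []
    for name, value in sorted(params.items()):
        twin = "smtpd" + name[len("smtp"):]  # smtp_tls_x -> smtpd_tls_x
        if (name.startswith("smtp_tls_") and name.endswith(("_cert_file", "_key_file"))
                and params.get(twin) == value):
            findings.append(f"{name}: client credential copied from {twin}; "
                            "only needed when a remote server requires a client cert")
    if params.get("smtp_tls_wrappermode") == "yes":
        findings.append("smtp_tls_wrappermode: applies to outbound (client) connections; "
                        "it does not make this server accept implicit TLS on port 465")
    protos = params.get("smtpd_tls_protocols", "")
    excluded = {t[1:] for t in re.split(r"[:,\s]+", protos) if t.startswith("!")}
    if "TLSv1.2" in excluded:
        findings.append("smtpd_tls_protocols: TLSv1.2 is excluded, "
                        "so clients without TLSv1.3 are refused")
    return findings

if __name__ == "__main__":
    for finding in lint_tls_roles(parse_main_cf(SAMPLE_MAIN_CF)):
        print("WARN", finding)
```
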


Well, I have reinstalled Postfix with the correct values and it works. Of course I have used Let's Encrypt certs and it works fine. Now I have to reinstall Dovecot because it says:
master: Error: service(submission-login): listen(*, 587) failed: Address already in use

Reinstallation seems like overkill in both of those situations, but I'm glad to hear that it seems to have helped with postfix. Good luck with your dovecot.