How do I configure LE to send/receive emails using SSL?

My host provider (MochaHost) insists that Let's Encrypt does not work with mail servers, to send/receive emails using SSL encryption. He's telling me to buy a paid certificate.

Is that true?

Is there a step by step guide about configuring Let's Encrypt to use on a mail server?

Thank you so much in advance.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: microsafe.com.br

I ran this command:

It produced this output:

My web server is (include version): IIS 8.0

The operating system my web server runs on is (include version): Windows Server 2012

My hosting provider, if applicable, is: mochahost.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): SolidCP

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): don't know

2 Likes

Welcome to the Let's Encrypt Community 🙂

Any SSL/TLS certificate, including one issued by Let's Encrypt, can be used to secure email communications. How to do so depends upon the mail server software being used. As this process is not at all specific to Let's Encrypt certificates, I encourage you to search for the documentation for your mail server software, which might be found in the SolidCP documentation.

2 Likes

Thank you. I use SmarterMail for my mail server.

When I questioned MochaHost about it, they sent me this reply:

"Email service is using the SMTP to send emails, IMAP for reading them.

Both services need to have VALID SSL Certificate installed, unfortunately you don't have such!"

2 Likes

Well...

SMTP (465) - filtered

https://decoder.link/sslchecker/microsafe.com.br/465

SMTP (587) - nonresponsive

https://decoder.link/sslchecker/microsafe.com.br/587

IMAP (993) - no certificate

https://decoder.link/sslchecker/microsafe.com.br/993

POP3 (995) - no certificate

https://decoder.link/sslchecker/microsafe.com.br/995


Given these MX records:

microsafe.com.br. 21600 IN MX 10 mx.spamexperts.com.
microsafe.com.br. 21600 IN MX 20 fallbackmx.spamexperts.eu.
microsafe.com.br. 21600 IN MX 30 lastmx.spamexperts.net.

you might need to check with "spamexperts".

3 Likes
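A local version of the per-port checks in the post above, added here as an example (it is not code from the thread or from Let's Encrypt): it connects the way a mail client would and reports whether each port presents a certificate that validates. `HOST`, the helper names and the status strings are assumptions chosen to mirror the labels in the post.

```python
import smtplib
import socket
import ssl

HOST = "mail.example.com"             # placeholder, not a host from the thread
IMPLICIT_TLS_PORTS = (465, 993, 995)  # SMTPS, IMAPS, POP3S: TLS from the first byte
STARTTLS_PORT = 587                   # submission: plaintext SMTP, then STARTTLS


def summarize(cert):
    """Reduce getpeercert() output to issuer organization and expiry date."""
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return f"issuer={issuer.get('organizationName', '?')} expires={cert['notAfter']}"


def probe(host, port, timeout=5.0):
    """Return (status, detail) for the certificate a mail port presents."""
    ctx = ssl.create_default_context()  # checks chain and hostname, as mail clients do
    stage = "connect"
    try:
        if port == STARTTLS_PORT:
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            try:
                stage = "handshake"
                smtp.starttls(context=ctx)
                return "valid", summarize(smtp.sock.getpeercert())
            finally:
                smtp.close()
        with socket.create_connection((host, port), timeout=timeout) as raw:
            stage = "handshake"
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "valid", summarize(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return "invalid certificate", exc.verify_message
    except ssl.SSLError as exc:       # peer answered, but not with a TLS handshake
        return "no certificate", exc.reason or str(exc)
    except socket.timeout:
        status = "filtered" if stage == "connect" else "nonresponsive"
        return status, f"{stage} timed out"
    except smtplib.SMTPException as exc:  # e.g. STARTTLS not advertised
        return "smtp error", str(exc)
    except OSError as exc:            # refused connection or DNS failure
        return "closed", str(exc)


if __name__ == "__main__":
    for port in IMPLICIT_TLS_PORTS + (STARTTLS_PORT,):
        print(port, *probe(HOST, port))
```

A "valid" result with a Let's Encrypt issuer on every port is the same outcome a paid certificate would produce; the check does not depend on which CA issued it.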

Griffin, I'm genuinely thankful for all the trouble you went through to diagnose my mail server configuration. It's highly appreciated.

I have sent this information to Mocha. Let's see what they say.

1 Like

MX records are for inbound emails.

Outbound emails might be limited by the SPF record, but aren't required to be listed anywhere.
So he may be able to use this system for outbound emailing.
[In order to be included in the inbound emails, then an MX record (and cost) would have to be added]

1 Like

What MochaHost says is that they tried to attribute Let's Encrypt to the SmarterMail server using the SolidCP tool for that, and it didn't work. They want me to buy an SSL certificate, saying that would work. I don't understand the difference.

I found a tutorial about integrating Let's Encrypt with SmarterMail, but it uses a different tool than the one Mocha authorizes to use. So I'm stuck on that. If I use the tool on the SmarterMail tutorial, they waive themselves of all the responsibility for that, in the case of a crash or worse.

Here's the tutorial:

https://portal.smartertools.com//kb/a3466/securing-smartermail-with-lets-encrypt.aspx

2 Likes

There are two popular and well documented Windows ACME clients (that I can think of).
If that guide doesn't solve your problem, I would try using PoshACME.

2 Likes

They should be able to integrate a certificate from Let's Encrypt just as easily as they could one from any other CA. (Let's Encrypt encourages automation more than other CAs do with the 90-day-only certificates, but from a technical perspective it works the same way as any other certificate.)

3 Likes