A bit puzzled about Lets Encrypt and its function?

General eFa discussion
Post Reply
e-d-i-t
Posts: 92
Joined: 27 Apr 2016 19:28
Contact:

A bit puzzled about Lets Encrypt and its function?

Post by e-d-i-t » 27 May 2020 19:26

Okay. So I am setting up EFA4 to replace my EFA3 machine.
Now I can use Lets Encrypt, but...

Is this certificate only for the httpd deamon or will it also be used for postfix TLS encryption?

At the moment I have a valid SSL certificate installed on EFA3, but I'm not quite sure if that one is being used for TLS or just only for the web pages...

e-d-i-t
Posts: 92
Joined: 27 Apr 2016 19:28
Contact:

Re: A bit puzzled about Lets Encrypt and its function?

Post by e-d-i-t » 31 May 2020 09:57

Never mind. Found out after reading multiple posts.

LetsEncrypt is basically used for the webGUI.
The Postfix MTA is using its own generated certificate.
But it seems like you can also use LetsEncrypt for that matter.

https://upcloud.com/community/tutorials ... s-encrypt/

Pukkeltje
Posts: 10
Joined: 08 Sep 2016 08:32

Re: A bit puzzled about Lets Encrypt and its function?

Post by Pukkeltje » 13 Apr 2021 14:54

I did it this way:

Create a script /etc/cron.weekly/postfix-cert-update.cron:
!/bin/bash

# Update the postfix certificates from Apache2
echo Updating Postfix SSL certificate from Apache website
echo Checking if Apache certificate is newer than Postfix certificate....
if [[ "$(cp -uv /etc/letsencrypt/live/<server fqdn>/*.pem /etc/postfix/ssl)" =~ \-\> ]]; then
echo Newer certificate files copied
# Reload postfix config
exec postfix reload;
echo Postfix reloaded
else
echo No newer certificate files found
fi

Added/changed this lines in /etc/postfix/main.cf:
smtpd_tls_key_file = /etc/postfix/ssl/privkey.pem
smtpd_tls_cert_file = /etc/postfix/ssl/fullchain.pem
smtpd_tls_CAfile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3

Replace <server fqdn> with your own fqdn! Every week the cron script checks if a newer certificate is available and copies it from Apache. If needed the postfix config is reloaded.

This only works if your website fqdn is the same as your mail fqdn!!! For me this works like a charm!

Post Reply