From 54a37b2249d8af2bddb0e0a077870050f55af4fc Mon Sep 17 00:00:00 2001 From: revsuine Date: Wed, 20 Nov 2024 02:12:44 +0000 Subject: [PATCH] obtain tls certificate instructions --- ..._server_alpine_postfix_dovecot_tutorial.md | 52 ++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md b/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md index 7dcb35b..a4317eb 100644 --- a/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md +++ b/content/blog/mail_server_alpine_postfix_dovecot_tutorial.md @@ -108,7 +108,7 @@ in through a standard SMTP/IMAP/POP3 email client, read their emails, and send e modular, i.e. you can opt to have e.g. Pigeonhole but not Amavis. We will end up with a small-scale mail server running on Alpine Linux with one domain, and we will use Unix user -accounts as mail accounts. +accounts as mail accounts. We will only set up IMAP, not POP3. This tutorial was written for Alpine Linux 3.20.3, though will most likely work on other versions too. 
@@ -205,6 +205,56 @@ following TCP ports are open on your firewall: | 587 | Email message submission | | 993 | IMAPS (IMAP over TLS) | +## Obtain a TLS certificate + +To enable TLS encryption, you need a certificate. [Let's Encrypt](https://letsencrypt.org/) provides free TLS +certificates. To get a certificate from them, you can use certbot: + + # apk add certbot + +We will need a web server to use certbot. I'm going to use nginx for this guide, because nginx is what I use on my +server, but [the certbot website](https://certbot.eff.org/) has instructions for a variety of setups. If you don't +already have an nginx server, install nginx and set it up now. + +Install `certbot-nginx` with: + + # apk add certbot-nginx + +Add the following to your nginx config (for instance, inside `http {}` in `/etc/nginx/nginx.conf`, or in a dedicated +virtual host file `/etc/nginx/http.d/mail.domain.com.conf`): + +```nginx +server { + listen 80; + listen [::]:80; + server_name mail.domain.com; + + root /usr/share/nginx/html/; + + location ~ /.well-known/acme-challenge { + allow all; + } +} +``` + +Replace `mail.domain.com` with the FQDN of your mail server. + +The `root` can be set to any extant directory on your system that you're happy to publish to the web. You can just make +an empty directory at `/usr/share/nginx/html`, or make this the directory of your website, etc. + +Reload or restart nginx for the changes to take effect: + + # rc-service nginx reload + +Now run the following command to get your free TLS certificate: + + # certbot certonly -a nginx --staple-ocsp --email your@email.here -d mail.domain.com + +If you have several subdomains in your nginx config that you'd like covered by the same certificate, you can omit `-d +mail.domain.com` and get a certificate covering all the domains in your nginx config. On my server, I have one +certificate at `/etc/letsencrypt/revsuine.xyz/` covering my apex domain and all subdomains. 
If you go for a certificate +with only one domain name, e.g. for `mail.domain.com`, it will be at `/etc/letsencrypt/mail.domain.com/`. + # Postfix Postfix is a [mail transport agent](https://en.wikipedia.org/wiki/Message_transfer_agent) (aka SMTP server). [In its
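Review bot: the new sentence "We will only set up IMAP, not POP3." in the first hunk contradicts the unchanged context two lines above it, which still promises users will log "in through a standard SMTP/IMAP/POP3 email client"; either drop POP3 from that earlier sentence or qualify it, so the scope statement is consistent within the same paragraph.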
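Review bot: the certificate locations given in the second hunk (`/etc/letsencrypt/revsuine.xyz/` and `/etc/letsencrypt/mail.domain.com/`) omit the `live/` component; certbot writes the usable files to `/etc/letsencrypt/live/<name>/fullchain.pem` and `privkey.pem`, and the later Postfix and Dovecot configuration will need exactly those paths, so state them here. Two smaller points in the same hunk: the section ends after `certbot certonly ...` without mentioning renewal, so a sentence on running `certbot renew` periodically (and reloading Postfix/Dovecot after renewal so they pick up the new key and chain) would complete the instructions; and in the nginx block `location ~ /.well-known/acme-challenge` is a regex with an unescaped `.`, where a prefix match such as `location ^~ /.well-known/acme-challenge/` is the more precise form for the challenge path.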