revsuine/revsuine.xyz
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

obtain tls certificate instructions

Browse source
This commit is contained in:
revsuine 2024-11-20 02:12:44 +00:00
parent caaf7a4139
commit 54a37b2249
Signed by: revsuine
GPG key ID: 3F257B68F5BC9339
1 changed files with 51 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
content/blog/mail_server_alpine_postfix_dovecot_tutorial.md
View file

@ -108,7 +108,7 @@ in through a standard SMTP/IMAP/POP3 email client, read their emails, and send e
modular, i.e. you can opt to have e.g. Pigeonhole but not Amavis. modular, i.e. you can opt to have e.g. Pigeonhole but not Amavis.
We will end up with a small-scale mail server running on Alpine Linux with one domain, and we will use Unix user We will end up with a small-scale mail server running on Alpine Linux with one domain, and we will use Unix user
accounts as mail accounts. accounts as mail accounts. We will only set up IMAP, not POP3.
This tutorial was written for Alpine Linux 3.20.3, though will most likely work on other versions too. This tutorial was written for Alpine Linux 3.20.3, though will most likely work on other versions too.
@ -205,6 +205,56 @@ following TCP ports are open on your firewall:
| 587 | Email message submission | | 587 | Email message submission |
| 993 | IMAPS (IMAP over TLS) | | 993 | IMAPS (IMAP over TLS) |
## Obtain a TLS certificate
To enable TLS encryption, you need a certificate. [Let's Encrypt](https://letsencrypt.org/) provides free TLS
certificates. To get a certificate from them, you can use certbot:
# apk add certbot
We will need a web server to use certbot. I'm going to use nginx for this guide, because nginx is what I use on my
server, but [the certbot website](https://certbot.eff.org/) has instructions for a variety of setups. If you don't
already have an nginx server, install nginx and set it up now.
Install `certbot-nginx` with:
# apk add certbot-nginx
Add the following to your nginx config (for instance, inside `http {}` in `/etc/nginx/nginx.conf`, or in a dedicated
virtual host file `/etc/nginx/http.d/mail.domain.com.conf`):
```nginx
server {
listen 80;
listen [::]:80;
server_name mail.domain.com;
root /usr/share/nginx/html/;
location ~ /.well-known/acme-challenge {
allow all;
}
}
```
Replace `mail.domain.com` with the <abbr title="Fully-Qualified Domain Name">FQDN</abbr> of your mail server.
The `root` can be set to any extant directory on your system that you're happy to publish to the web. You can just make
an empty directory at `/usr/share/nginx/html`, or make this the directory of your website, etc.
Reload or restart nginx for the changes to take effect:
# rc-service nginx reload
Now run the following command to get your free TLS certificate:
# certbot certonly -a nginx --staple-ocsp --email your@email.here -d mail.domain.com
If you have several subdomains in your nginx config that you'd like covered by the same certificate, you can omit `-d
mail.domain.com` and get a certificate covering all the domains in your nginx config. On my server, I have one
certificate at `/etc/letsencrypt/revsuine.xyz/` covering my apex domain and all subdomains. If you go for a certificate
with only one domain name, e.g. for `mail.domain.com`, it will be at `/etc/letsencrypt/mail.domain.com/`.
# Postfix # Postfix
Postfix is a [mail transport agent](https://en.wikipedia.org/wiki/Message_transfer_agent) (aka SMTP server). [In its Postfix is a [mail transport agent](https://en.wikipedia.org/wiki/Message_transfer_agent) (aka SMTP server). [In its