Apply Certificates – Nginx
- Nginx does not strictly need the certificate, since SSL is terminated at HAProxy, but applying it anyway is good practice in case we later move SSL termination to the mail server itself.
- Edit the following SSL template file:
sudo nano /etc/nginx/templates/ssl.tmpl
# Find the following:
ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;
# Replace them with:
ssl_certificate /etc/letsencrypt/live/mail.your-domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.your-domain.tld/privkey.pem;
- Run a syntax check and reload nginx:
sudo nginx -t
sudo systemctl reload nginx
Apply Certificates – Dovecot (IMAP)
- Since we plan to connect to the mail server directly to sync email with a client over IMAPS, Dovecot needs the certificates so the session is encrypted on port 993 (instead of plaintext IMAP on port 143). POP3 is rarely used anymore, although port 995 would serve the same purpose.
sudo nano /etc/dovecot/dovecot.conf
# Find these two lines:
ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key
# Replace them with:
ssl_cert = </etc/letsencrypt/live/mail.your-domain.tld/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.your-domain.tld/privkey.pem
# Exit nano and reload the config
sudo systemctl reload dovecot
Apply Certificates – Postfix (SMTP)
- Although outbound mail will go through an SMTP relay, Postfix still needs the certificates so that an external device can connect to our mailbox over SMTPS.
sudo nano /etc/postfix/main.cf
# Find these three lines:
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
# Replace them with:
smtpd_tls_key_file = /etc/letsencrypt/live/mail.your-domain.tld/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.your-domain.tld/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.your-domain.tld/chain.pem
# Exit nano and reload the config
sudo systemctl reload postfix
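The three edits above (nginx, Dovecot, Postfix) scripted in one pass, as an added example that is not the page's or iRedMail's own code: it refuses to run if any of the Let's Encrypt files is missing, because reloading a daemon whose key path points nowhere takes the service down. The staging-root argument and the make_fixture helper are assumptions added so the edit can be rehearsed on copies before touching /etc.

```shell
#!/bin/sh
# Added example (not the page's or iRedMail's own code): perform the three
# certificate-path edits above in one pass, refusing to run if any
# Let's Encrypt file is missing. $1 is a staging root ("" for the live
# system) so the edit can be rehearsed on copies; $2 is the hostname in the
# certificate path (the page uses the placeholder mail.your-domain.tld).
set -eu

swap_cert_paths() {
  root="$1"
  le="/etc/letsencrypt/live/$2"
  # A reload with a missing key or chain leaves the daemon down: check first.
  for f in fullchain.pem privkey.pem cert.pem chain.pem; do
    [ -r "$root$le/$f" ] || { echo "missing $root$le/$f" >&2; return 1; }
  done
  # nginx and Dovecot take leaf plus intermediates as a single file.
  sed -i -e "s|/etc/ssl/certs/iRedMail.crt|$le/fullchain.pem|" \
         -e "s|/etc/ssl/private/iRedMail.key|$le/privkey.pem|" \
         "$root/etc/nginx/templates/ssl.tmpl" "$root/etc/dovecot/dovecot.conf"
  # Postfix keeps the leaf (cert.pem) and the intermediates (chain.pem) in
  # separate settings, so iRedMail.crt cannot be swapped one-for-one here.
  sed -i -e "s|^\(smtpd_tls_key_file *= *\).*|\1$le/privkey.pem|" \
         -e "s|^\(smtpd_tls_cert_file *= *\).*|\1$le/cert.pem|" \
         -e "s|^\(smtpd_tls_CAfile *= *\).*|\1$le/chain.pem|" \
         "$root/etc/postfix/main.cf"
}

# Constructed fixture (an assumption, not a real system): a staging tree
# holding the stock iRedMail lines quoted on the page plus empty stand-ins
# for the Let's Encrypt files, so the edit can be checked away from /etc.
make_fixture() {
  mkdir -p "$1/etc/nginx/templates" "$1/etc/dovecot" "$1/etc/postfix" \
           "$1/etc/letsencrypt/live/$2"
  for f in fullchain.pem privkey.pem cert.pem chain.pem; do
    : > "$1/etc/letsencrypt/live/$2/$f"
  done
  printf 'ssl_certificate /etc/ssl/certs/iRedMail.crt;\nssl_certificate_key /etc/ssl/private/iRedMail.key;\n' \
    > "$1/etc/nginx/templates/ssl.tmpl"
  printf 'ssl_cert = </etc/ssl/certs/iRedMail.crt\nssl_key = </etc/ssl/private/iRedMail.key\n' \
    > "$1/etc/dovecot/dovecot.conf"
  printf 'smtpd_tls_key_file = /etc/ssl/private/iRedMail.key\nsmtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt\nsmtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt\n' \
    > "$1/etc/postfix/main.cf"
}

# Rehearsal on a throwaway tree; on the live host run: swap_cert_paths "" mail.your-domain.tld
stage=$(mktemp -d)
make_fixture "$stage" mail.your-domain.tld
swap_cert_paths "$stage" mail.your-domain.tld
grep -rH letsencrypt "$stage/etc/nginx" "$stage/etc/dovecot" "$stage/etc/postfix"
```

After the real run, the syntax checks from the page (nginx -t, then the systemctl reloads) still apply; the script only rewrites the paths.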
At this point the certificates are installed and their renewal was automated in the previous step. That does not yet mean our Postfix (the mail exchange service) is properly secured, and we still have no SMTP relay for sending mail out securely. Let's first pause for a short theory crash course on Postfix, then take security precautions before setting up the relay.