SSL with Email Server

Hey Guys, maybe you could help me. I have PostFix and Dovecot on the same server as my Apache2 website. My DNS is obviously Cloudflare. I have an MX record pointing from mydomain.com to mail.mydomain.com, and I have an A record for mail.mydomain.com to my server’s IP address. My problem is I set up my email server to use SSL/TSL and pointed it to the same .pem and .key files provided by Cloudflare that my website uses. When I change mail.mydomain.com to DNS only, I lose the SSL/TSL and my mail server fails to connect to any clients like Thunderbird. Do I have to use a separate SSL key? This is my first time having my own mail server and I’m still pretty new to Cloudflare.

Unfortunately, mail server configuration is completely separate from Cloudflare. Especially when it comes to SSL/TLS. There’s zero overlap there…unless you’re on an Enterprise plan.

You’ll need to find another way to get SSL keys for mail services.

2 Likes

You can just use Letsencrypt to generate those cert. I used it for my site. Works great.

And yes, letsencrypt works with Postfix.

You can use this GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol and use Cloudflare DNS provider.

The command looks like this

./acme.sh --issue -d mail.mydomain.com --dns dns_cf --force --debug --log

Command for renew:

./acme.sh --renew -d mail.mydomain.com --dns dns_cf --force --debug --log

Then you will have file in ~/.acme.sh/mydomain.com looks like this:

ls ~/.acme.sh/way.hanami.run/
ca.cer                  fullchain.cer           way.hanami.run.cer      way.hanami.run.conf     way.hanami.run.csr      way.hanami.run.csr.conf way.hanami.run.key

fullchain.cer is the cert that can be configured in Postfix and .key is the private key.

You will need to handle renew every 3 months. You can set a cronjob to do that. Instruction for Cloudflare API Key is at: dnsapi · acmesh-official/acme.sh Wiki · GitHub

Those can be run in a cronjob

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.