Let's Encrypt certificate for mail

Discussion in 'General' started by muekno, Jul 19, 2024.

  1. muekno

    muekno Active Member HowtoForge Supporter

    My configuration:
    Mailserver with ISPConfig 3.2.11p2, will be updated soon
    Postfix (configured via ISPConfig) forwards mails to an internal GroupWise mail system
    Postfix has an internal private IP,
    connection to the Internet is a LANCOM router forwarding mails to Postfix via NAT
    Postfix has a self-signed certificate to encrypt mails.
    Now customers require a certificate from Let's Encrypt or any other public certification institution.
    How can I get the Let's Encrypt certificate installed for Postfix?

    Thanks for any help or hint.

    Rainer
     
  2. pyte

    pyte Well-Known Member HowtoForge Supporter

    Either set up NAT for ports 80 and 443 as well, or use certbot/acme with the DNS challenge instead of the normal HTTP challenge.
     
    ahrasis likes this.
  3. muekno

    muekno Active Member HowtoForge Supporter

    Thank you for the quick answer. But it is not so easy. Ports 80 and 443 are NATed to another server (proxy) not under the control of ISPConfig; the Postfix server is a single server with ISPConfig, Postfix and OpenVPN on it.

    If I make a website mail.domain.de on the proxy and a website mail.domain.de on the Postfix server, the Let's Encrypt certs will be at the proxy server, I assume, like the certs for the others. I may copy the cert to the Postfix server, but they will not be updated there without a scheduled copy via scp or something like this.

    Or do you know a better, easier solution? Unfortunately there is only one IPv4 address.

    Rainer
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Like @pyte wrote in #2,
     
    muekno likes this.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Or, you can buy an SSL certificate from a cert authority. Such certificates can often be verified by email or by adding a TXT record in DNS, and they cost just a few euros per year.
     
  6. muekno

    muekno Active Member HowtoForge Supporter

    "or use certbot/acme with DNS challenge instead of normal http challenge."
    I did not find an option in the certbot client; I didn't search long, as it is not so urgent as other things I'm in now.

    @till no, I would not buy a certificate if it is not a must.

    Funny thing besides: my self-signed cert was OK for years and now there is only one who complains that it is insecure, but they have no problem sending their mail unencrypted, and so it can be delivered.

    Rainer
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Other than the DNS challenge suggested by @pyte, this may work too. You only have to edit the renewal conf at the proxy server and add a post hook to it, to automatically scp the certs to your mail server upon renewal.
     
    muekno likes this.
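The hook idea above, worked out as an added example (not code from the thread or from certbot): a script the proxy's certbot runs after a successful renewal, which pushes the mail host's certificate and key to the mail server and then drops a marker file so the receiving side can tell a finished copy from a partial one. Two practitioner details it builds in: certbot's `post_hook` runs after every renewal attempt even when nothing was renewed, whereas `--deploy-hook` (stored as `renew_hook` in the renewal conf) runs only after a successful renewal and exports `RENEWED_LINEAGE` and `RENEWED_DOMAINS`, so it is the one to use for a copy step; and because the hook fires once per renewed lineage, the script checks that the lineage actually covers the mail hostname before copying anything. The hostname `mail.example.com`, the `le-deploy` account and key, and the `/var/lib/le-incoming` staging directory are assumptions.

```shell
#!/bin/sh
# le-deploy-to-mail.sh (hypothetical name): certbot --deploy-hook script run on
# the proxy after a successful renewal. certbot exports RENEWED_LINEAGE (the
# live/ directory) and RENEWED_DOMAINS (space-separated names) to such hooks.
# Hostname, user, key and target directory below are assumptions.
set -eu

MAIL_HOST="${MAIL_HOST:-mail.example.com}"           # assumed mail hostname
MAIL_SSH_USER="${MAIL_SSH_USER:-le-deploy}"          # assumed dedicated account
MAIL_SSH_KEY="${MAIL_SSH_KEY:-/root/.ssh/le-deploy}" # assumed dedicated key
REMOTE_STAGE="${REMOTE_STAGE:-/var/lib/le-incoming}" # assumed drop directory
DRY_RUN="${DRY_RUN:-0}"                              # 1 = print commands only

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY:'; printf ' %s' "$@"; printf '\n'
    else
        "$@"
    fi
}

# The hook runs once per renewed lineage, web lineages included; only the
# lineage that actually covers the mail hostname should be pushed.
renewed_for_mail() {
    for d in $1; do
        [ "$d" = "$MAIL_HOST" ] && return 0
    done
    return 1
}

# Refuse to push a lineage that is missing either half of the pair.
lineage_complete() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Copy cert and key (-p keeps certbot's 0600 on the key), then drop a marker
# so the receiving side can tell a finished transfer from a partial one.
push_lineage() {
    lineage=$1
    run scp -i "$MAIL_SSH_KEY" -p "$lineage/fullchain.pem" "$lineage/privkey.pem" \
        "$MAIL_SSH_USER@$MAIL_HOST:$REMOTE_STAGE/"
    run ssh -i "$MAIL_SSH_KEY" "$MAIL_SSH_USER@$MAIL_HOST" "touch $REMOTE_STAGE/.complete"
}

main() {
    if ! renewed_for_mail "${RENEWED_DOMAINS:-}"; then
        echo "lineage does not cover $MAIL_HOST, nothing to deploy"
        exit 0
    fi
    if ! lineage_complete "$RENEWED_LINEAGE"; then
        echo "incomplete lineage in $RENEWED_LINEAGE, refusing to copy" >&2
        exit 1
    fi
    push_lineage "$RENEWED_LINEAGE"
}

# certbot sets RENEWED_LINEAGE; without it (manual run, tests) nothing is pushed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Register it either on the command line (`certbot certonly ... --deploy-hook /usr/local/sbin/le-deploy-to-mail.sh`) or as `renew_hook = /usr/local/sbin/le-deploy-to-mail.sh` under `[renewalparams]` in the lineage's file below `/etc/letsencrypt/renewal/`. On the mail server, give the `le-deploy` account write access only to the staging directory and lock its key down in `authorized_keys` (the `restrict` option plus a forced `command=`), so that a compromise of the proxy cannot turn this key into a general shell on the mail host.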
  8. muekno

    muekno Active Member HowtoForge Supporter

    @till addendum: my few Euros are better invested in supporting you and your helpful software, articles and support than in a cert from a commercial cert authority.
     
  9. pyte

    pyte Well-Known Member HowtoForge Supporter

    If it is possible to obtain the certificates on another server, just automate the process with systemd. You can monitor the path to the certificate with a systemd path unit and the "PathModified" option, so that if there are changes to the file (e.g. if a new certificate is obtained) a service unit starts that triggers a script to copy the certificate over to the mailserver. On the mailserver just do the same: a path unit that watches the path where the certificates get copied to, and a service unit that runs a script which restarts Postfix and Dovecot.

    Code:
    [Unit]
    Description=Monitor the mailserver certificate files to trigger the copy script
    
    [Path]
    # absolute path of the lineage directory acme.sh writes the renewed files to
    PathModified=/root/.acme.sh/*.my-domain.tld/
    Unit=le-copy-to-mailserver.service
    
    [Install]
    WantedBy=multi-user.target

    Code:
    [Unit]
    Description=Run script to copy over the certificates
    
    [Service]
    # the copy script runs to completion and exits, hence oneshot
    Type=oneshot
    ExecStart=/etc/init.d/copy_to_mailserver.sh

    You then need the script to run the scp command to copy over the certificates, and a similar setup on the mailserver to handle the restart of services when the certificate changed.
     
    muekno likes this.
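The mailserver side of the setup above, as an added example (not code from the thread): the script the path-triggered service runs when files land in the staging directory. It handles the failure modes a plain "copy and restart" script misses: `PathModified=` fires on every write, so the script only acts once the sender's `.complete` marker exists; it records a digest of the deployed pair so re-triggers do not reload the mail services needlessly; it checks that the certificate and private key actually belong together before installing them; and it installs each file by write-then-rename so Postfix never reads a truncated key. The staging directory `/var/lib/le-incoming`, the target directory `/etc/postfix/ssl` and the script name are assumptions.

```shell
#!/bin/sh
# install-incoming-cert.sh (hypothetical name): run on the mail server by the
# service that the path unit triggers, roughly:
#   [Path]    PathModified=/var/lib/le-incoming   Unit=le-install-cert.service
#   [Service] Type=oneshot  ExecStart=/usr/local/sbin/install-incoming-cert.sh deploy
# All paths are assumptions; LIVE_DIR is wherever Postfix and Dovecot are
# configured to read their certificate and key from.
set -eu

STAGE_DIR="${STAGE_DIR:-/var/lib/le-incoming}"
LIVE_DIR="${LIVE_DIR:-/etc/postfix/ssl}"
STATE_FILE="${STATE_FILE:-$STAGE_DIR/.deployed-sha256}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY:'; printf ' %s' "$@"; printf '\n'
    else
        "$@"
    fi
}

# PathModified= fires on every write, so a half-copied key could otherwise be
# installed. The sender drops .complete after the last file; without it the
# transfer is treated as still in flight.
transfer_complete() {
    [ -f "$1/.complete" ] && [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Digest of the pair, recorded after each deployment so that re-triggers
# (or an unchanged re-copy) do not reload the mail services again.
cert_digest() {
    cat "$1/fullchain.pem" "$1/privkey.pem" | sha256sum | cut -d' ' -f1
}

# $1 = staging dir, $2 = state file; true when nothing has been deployed yet
# or the staged pair differs from the last deployed one.
cert_changed() {
    [ ! -f "$2" ] || [ "$(cert_digest "$1")" != "$(cat "$2")" ]
}

# The certificate's public key must equal the public key derived from the
# private key; a mismatched pair would break every TLS handshake.
cert_key_match() {
    c=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$1/privkey.pem" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Write each file beside its target and rename it into place, so a service
# reading the path never sees a truncated file. The key stays owner-only.
install_certs() {
    mkdir -p "$2"
    install -m 0644 "$1/fullchain.pem" "$2/fullchain.pem.new"
    install -m 0600 "$1/privkey.pem" "$2/privkey.pem.new"
    mv -f "$2/fullchain.pem.new" "$2/fullchain.pem"
    mv -f "$2/privkey.pem.new" "$2/privkey.pem"
}

main() {
    transfer_complete "$STAGE_DIR" || { echo "transfer not complete yet"; exit 0; }
    cert_changed "$STAGE_DIR" "$STATE_FILE" || { echo "certificate unchanged"; exit 0; }
    cert_key_match "$STAGE_DIR" || { echo "cert/key mismatch, not deploying" >&2; exit 1; }
    install_certs "$STAGE_DIR" "$LIVE_DIR"
    cert_digest "$STAGE_DIR" > "$STATE_FILE"
    rm -f "$STAGE_DIR/.complete"
    run systemctl reload postfix
    run systemctl reload dovecot
}

if [ "${1:-}" = "deploy" ]; then main; fi
```

Postfix reads the installed files through `smtpd_tls_cert_file` and `smtpd_tls_key_file` in main.cf (or `smtpd_tls_chain_files` on Postfix 3.4 and later); since ISPConfig manages main.cf in this setup, check which paths it already references and set `LIVE_DIR` to that directory rather than editing main.cf by hand. A quick check after a deployment is `openssl s_client -starttls smtp -connect mail.example.com:25 -servername mail.example.com`, which should now show the Let's Encrypt chain instead of the self-signed certificate.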
