Add SSL for just mail.domain
To add SSL for just mail.domain (i.e., secure only the mail server's hostname), you'll need to obtain an SSL certificate and configure your mail server to use it. Here's a step-by-step guide:
Obtain an SSL certificate
You can obtain an SSL certificate from a trusted Certificate Authority (CA) like Let's Encrypt, GlobalSign, or DigiCert. For this example, we'll use Let's Encrypt.
- Install the Let's Encrypt client (certbot) on your server:
sudo apt-get update
sudo apt-get install certbot
- Run the following command to obtain a certificate for mail.domain:
sudo certbot certonly --webroot --webroot-path=/var/www/html --email [email protected] --agree-tos --non-interactive --expand -d mail.domain
The --webroot method requires a web server that answers HTTP requests for mail.domain and serves files from /var/www/html. This command will obtain a certificate for mail.domain and store it in /etc/letsencrypt/live/mail.domain.
Configure your mail server to use the SSL certificate
The specific steps to configure your mail server will depend on the mail server software you're using. Here are some examples:
Postfix
- Create a new file in /etc/postfix/main.cf with the following contents:
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain/privkey.pem
- Restart Postfix:
sudo service postfix restart
Exim
- Create a new file in /etc/exim4/conf.d/main with the following contents:
tls_certificate = /etc/letsencrypt/live/mail.domain/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/mail.domain/privkey.pem
- Restart Exim:
sudo service exim4 restart
Dovecot
- Create a new file in /etc/dovecot/dovecot.conf with the following contents:
ssl_cert = </etc/letsencrypt/live/mail.domain/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.domain/privkey.pem
- Restart Dovecot:
sudo service dovecot restart
Verify the SSL certificate
To verify that the SSL certificate is working correctly, you can use a tool like OpenSSL:
openssl s_client -connect mail.domain:465
This command should output the SSL certificate details, including the subject and issuer.
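A scripted version of this check, as an added example that is not part of the original guide: it confirms that the certificate covers mail.domain and is not close to expiry, which the raw s_client output leaves you to read by eye. The function names, the 14-day threshold and the self-signed sample certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the guide. Function names, the 14-day default and
# the self-signed sample certificate are assumptions made for illustration.

# check_mail_cert CERT HOST [MIN_DAYS] returns:
#   0 = covers HOST and stays valid for more than MIN_DAYS
#   1 = does not cover HOST, 2 = expires within MIN_DAYS, 3 = unreadable
check_mail_cert() {
    cert=$1 host=$2 min_days=${3:-14}
    [ -r "$cert" ] || return 3
    # -checkhost prints "does match" or "does NOT match"; inspect the text.
    openssl x509 -in "$cert" -noout -checkhost "$host" \
        | grep -q "does match" || return 1
    # -checkend N fails when the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null || return 2
    return 0
}

# fetch_server_cert HOST PORT: print the PEM certificate a live server
# presents (needs network access, so the demo below does not call it).
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# make_sample_cert DIR HOST DAYS: constructed self-signed stand-in
# for /etc/letsencrypt/live/mail.domain/fullchain.pem.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" mail.domain 90
for name in mail.domain www.domain; do
    rc=0
    check_mail_cert "$demo_dir/fullchain.pem" "$name" 14 || rc=$?
    echo "$name: status $rc"
done
rm -rf "$demo_dir"
```

On a real host, pass /etc/letsencrypt/live/mail.domain/fullchain.pem as CERT, or save the output of fetch_server_cert mail.domain 465 to a file and check that.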
That's it! Your mail.domain hostname should now be secured with an SSL certificate.