Add SSL for just mail.domain

To add SSL for just mail.domain (i.e., secure only the mail server's hostname), you'll need to obtain an SSL certificate and configure your mail server to use it. Here's a step-by-step guide:

Obtain an SSL certificate

You can obtain an SSL certificate from a trusted Certificate Authority (CA) like Let's Encrypt, GlobalSign, or DigiCert. For this example, we'll use Let's Encrypt.

  1. Install the Let's Encrypt client (certbot) on your server:
    sudo apt-get update
    sudo apt-get install certbot
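  2. Run the following command to obtain a certificate for mail.domain (replace you@example.com with your own address):
    sudo certbot certonly --webroot --webroot-path=/var/www/html --email you@example.com --agree-tos --non-interactive --expand -d mail.domain

    This command will obtain a certificate for mail.domain and store it in /etc/letsencrypt/live/mail.domain. The webroot method only works if a web server is answering HTTP requests for mail.domain and serving files from /var/www/html.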

Configure your mail server to use the SSL certificate

The specific steps to configure your mail server will depend on the mail server software you're using. Here are some examples:

Postfix

  1. Edit /etc/postfix/main.cf and set the following parameters:
    smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain/fullchain.pem
    smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain/privkey.pem
  2. Restart Postfix:
    sudo service postfix restart

Exim

  1. Create a new file in /etc/exim4/conf.d/main with the following contents:
    tls_certificate = /etc/letsencrypt/live/mail.domain/fullchain.pem
    tls_privatekey = /etc/letsencrypt/live/mail.domain/privkey.pem
  2. Restart Exim:
    sudo service exim4 restart

Dovecot

  1. Edit /etc/dovecot/dovecot.conf and set the following (the leading < tells Dovecot to read the value from the file):
    ssl_cert = </etc/letsencrypt/live/mail.domain/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.domain/privkey.pem
  2. Restart Dovecot:
    sudo service dovecot restart

Verify the SSL certificate

To verify that the SSL certificate is working correctly, you can use a tool like OpenSSL:

openssl s_client -connect mail.domain:465

This command should output the SSL certificate details, including the subject and issuer.
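
Reading the s_client output by eye does not tell you whether the certificate actually names mail.domain or how close it is to expiry. The script below is an added example, not part of the original guide, that automates both checks; the file name check-mail-tls.sh, the function names and the 14-day threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original guide).

# cert_ok PEM_FILE HOSTNAME MIN_DAYS
# Succeeds only if the certificate names HOSTNAME and is still valid
# MIN_DAYS from now.
cert_ok() {
    pem=$1; name=$2; min_days=$3
    # -checkhost reports its result as text, not as an exit status.
    if ! openssl x509 -in "$pem" -noout -checkhost "$name" 2>&1 |
            grep -q 'does match certificate'; then
        echo "FAIL: certificate does not cover $name"; return 1
    fi
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout \
            -checkend "$((min_days * 86400))" >/dev/null 2>&1; then
        echo "FAIL: certificate for $name expires within $min_days days"
        return 1
    fi
    echo "OK: $name, valid for more than $min_days days"
}

# check_live HOST PORT [STARTTLS_PROTO]
# Fetches the certificate a running service presents and runs cert_ok on it.
# STARTTLS_PROTO (smtp, imap, pop3) is for ports that upgrade a plaintext
# session; omit it for implicit-TLS ports such as the 465 used above.
check_live() {
    host=$1; port=$2; proto=${3:-}
    tmp=$(mktemp) || return 2
    openssl s_client -connect "$host:$port" -servername "$host" \
        ${proto:+-starttls "$proto"} </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$tmp" 2>/dev/null || :
    rc=1
    if [ ! -s "$tmp" ]; then
        echo "FAIL: no certificate received from $host:$port"
    elif cert_ok "$tmp" "$host" 14; then   # 14 days: assumed threshold
        rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run as: sh check-mail-tls.sh mail.domain 465
#     or: sh check-mail-tls.sh mail.domain 587 smtp   (assumes submission on 587)
if [ "$#" -ge 2 ]; then check_live "$@"; fi
```

cert_ok can also be pointed directly at /etc/letsencrypt/live/mail.domain/fullchain.pem to check the file on disk before restarting any service.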

That's it! Your mail.domain hostname should now be secured with an SSL certificate.