Setting up Let's Encrypt SSL

Published on December 29, 2020

Installation

Install Certbot with its Nginx plugin and request a certificate. The plugin proves control of each name with an HTTP-01 challenge served by Nginx, installs the certificate into the matching server blocks and reloads Nginx. Pass a -d option for every host name the certificate must cover, including the mail host names used further down:

apk add certbot certbot-nginx
certbot --nginx -d example.com -d www.example.com

Renewing the Certificates

To test if the certificate renewal works, you can perform a dry run:

certbot renew --dry-run

To renew the certificates, run the following. Let's Encrypt certificates are valid for 90 days and this command only renews those close to expiry, so run it regularly from cron if your Certbot package does not already schedule it:

certbot renew

Add a DNS CAA record for your domain so that public CAs other than Let's Encrypt refuse to issue certificates for it:

@ CAA 0 issue "letsencrypt.org"

Setting up Nginx

Generate the Diffie-Hellman parameters used by the DHE cipher suites (4096 bits can take a long time):

openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Edit /etc/nginx/nginx.conf. These http-level settings apply to every server block; the cipher list names only forward-secret AEAD suites for TLS 1.2 (the TLS 1.3 suites are fixed by OpenSSL and not configured here), and the curve list lets clients use X25519 or P-256 instead of forcing the slower secp384r1:

http {
	include /etc/nginx/sites-enabled/*;

	ssl_protocols TLSv1.2 TLSv1.3;
	# TLS 1.2: ECDHE/DHE key exchange and AEAD ciphers only, for ECDSA and RSA certificates
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_ecdh_curve X25519:prime256v1:secp384r1;
}

Edit your per-site configuration in /etc/nginx/sites-available to enable HTTPS. Certbot adds the two ssl_* lines itself; keep the port 80 listeners, since the HTTP-01 challenge used at every renewal arrives there (Certbot's --redirect option turns plain HTTP into a redirect to HTTPS):

server {
	listen 80;
	listen [::]:80;
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name .example.com;

	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

	# root, index and location blocks follow here
}

Allow TCP traffic on the HTTPS port (443); port 80 must stay open as well for the HTTP-01 renewal challenge:

ufw allow https

Check the configuration with nginx -t, then reload Nginx:

/etc/init.d/nginx reload

Setting up Postfix

Edit /etc/postfix/main.cf:

# Server side: port 25 and the submission services defined in master.cf
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
# Opportunistic TLS on port 25: other mail servers may still deliver in
# plaintext, so do not use "encrypt" here or inbound mail will be lost
smtpd_tls_security_level = may
# Never accept SASL credentials on an unencrypted connection
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_eecdh_grade = strong
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, MD5, DES, 3DES, RC4, ADH, PSK, SRP
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, MD5, DES, 3DES, RC4, ADH, PSK, SRP
tls_preempt_cipherlist = yes
# Client side: outbound mail. Without a security level Postfix sends
# outbound mail in plaintext and the smtp_tls_* settings have no effect
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
tls_random_source = dev:/dev/urandom

Edit /etc/postfix/master.cf:

# STARTTLS on port 587: TLS is mandatory before anything else and SASL is enabled
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
# Implicit TLS on port 465: the connection is TLS from the first byte
smtps      inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Allow TCP traffic on the submission and SMTPS ports (587 and 465):

ufw allow smtps
ufw allow 587/tcp

Reload the Postfix configuration:

/etc/init.d/postfix reload

Add the following DNS record so that mail clients can discover the submission service (RFC 6186). The fields are priority, weight, port and target; clients connect to the target host name and check the certificate against it, so the certificate must also be valid for smtp.example.com:

_submission._tcp SRV 0 1 587 smtp.example.com.

Setting up Dovecot

Generate a separate set of Diffie-Hellman parameters for Dovecot:

openssl dhparam -out /etc/dovecot/dh.pem 4096

Edit /etc/dovecot/conf.d/10-ssl.conf. With ssl = required the plaintext ports 143 and 110 stay open for STARTTLS, but Dovecot refuses to authenticate a client until TLS has been negotiated:

ssl = required
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
ssl_dh = </etc/dovecot/dh.pem
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes

Allow TCP traffic on the IMAPS and POP3S ports (993 and 995):

ufw allow imaps
ufw allow pop3s

Reload the Dovecot configuration:

/etc/init.d/dovecot reload

Add the following DNS records (priority, weight, port, target; the certificate must also cover the target host names):

_imaps._tcp SRV 0 1 993 imap.example.com.
_pop3s._tcp SRV 0 1 995 pop3.example.com.
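Certbot's Nginx plugin reloads Nginx when it installs a renewed certificate, but Postfix and Dovecot keep serving the old certificate from memory until they are reloaded as well. The following deploy hook, added here as an example and not part of the original post, reloads all three through their OpenRC init scripts. It assumes the lineage is named example.com as above and that the script lives at /etc/letsencrypt/renewal-hooks/deploy/reload-tls-services.sh:

```sh
#!/bin/sh
# Certbot deploy hook (added example). Install as
# /etc/letsencrypt/renewal-hooks/deploy/reload-tls-services.sh and chmod +x it.
# Certbot runs every script in that directory once per certificate that was
# actually renewed, with RENEWED_LINEAGE set to the live directory
# (e.g. /etc/letsencrypt/live/example.com) and RENEWED_DOMAINS to the names
# on the certificate.

# Lineage referenced from main.cf and 10-ssl.conf. Assumed to be "example.com"
# as in the post; override through the environment if yours differs.
MAIL_LINEAGE="${MAIL_LINEAGE:-example.com}"

# Print the OpenRC services that need a reload for the renewed lineage.
# Nginx may serve any lineage, so it is always listed; Postfix and Dovecot
# only hold the single certificate they were configured with.
services_to_reload() {
	lineage_dir=$1
	lineage=${lineage_dir##*/}          # strip the /etc/letsencrypt/live/ prefix
	if [ "$lineage" = "$MAIL_LINEAGE" ]; then
		echo "nginx postfix dovecot"
	else
		echo "nginx"
	fi
}

# Reload each named service through its init script. Services that are not
# installed on this host are skipped; a failed reload is logged and the
# function returns non-zero so that certbot records the hook as failed.
reload_services() {
	status=0
	for svc in "$@"; do
		[ -x "/etc/init.d/$svc" ] || continue
		if "/etc/init.d/$svc" reload; then
			echo "reloaded $svc for ${RENEWED_DOMAINS:-$MAIL_LINEAGE}"
		else
			echo "reload of $svc failed" >&2
			status=1
		fi
	done
	return "$status"
}

# Only act when certbot invoked us; sourcing the file elsewhere just defines
# the functions. The command substitution is deliberately unquoted so the
# space-separated service names become separate arguments.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
	reload_services $(services_to_reload "$RENEWED_LINEAGE")
fi
```

Certbot only runs deploy hooks after a real renewal, not by default during certbot renew --dry-run, so exercise the script by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/example.com sh /etc/letsencrypt/renewal-hooks/deploy/reload-tls-services.sh and confirm in the logs that all three services reloaded.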

Testing

Use OpenSSL to test each service. Every handshake should report TLSv1.2 or TLSv1.3 as the protocol and end with "Verify return code: 0 (ok)":

openssl s_client -connect example.com:443
openssl s_client -starttls smtp -connect mail.example.com:587
openssl s_client -starttls imap -connect mail.example.com:143
openssl s_client -connect mail.example.com:993
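The s_client commands above exercise the live services. The script below, added as an example and not part of the original post, checks the files certbot wrote without any network access: that the certificate is not about to expire, that privkey.pem really belongs to fullchain.pem (a mismatch after a renewal means a service points at a stale or copied key) and that the chain verifies against the system trust store. It assumes the lineage path /etc/letsencrypt/live/example.com used throughout the post:

```sh
#!/bin/sh
# Offline checks on a certbot lineage (added example). Run after each
# renewal, for instance from a deploy hook, or from monitoring.

# Exit 0 if the certificate is still valid DAYS days from now.
cert_valid_for_days() {
	cert=$1; days=$2
	openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Exit 0 if the private key belongs to the certificate: both must yield the
# same SubjectPublicKeyInfo in PEM form.
key_matches_cert() {
	key=$1; cert=$2
	cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
	key_pub=$(openssl pkey -in "$key" -pubout) || return 1
	[ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the leaf certificate (the first one in fullchain.pem) chains to a
# root in the system trust store, using the remaining certificates in the
# file as untrusted intermediates, the way a browser or mail client would.
chain_verifies() {
	openssl verify -untrusted "$1" "$1" >/dev/null 2>&1
}

# Run all three checks against a certbot live directory; exit non-zero on
# any failure so the result can drive monitoring.
check_lineage() {
	dir=$1; rc=0
	if cert_valid_for_days "$dir/fullchain.pem" 30; then
		echo "ok: certificate valid for at least 30 more days"
	else
		echo "FAIL: certificate expires within 30 days, check 'certbot renew'" >&2; rc=1
	fi
	if key_matches_cert "$dir/privkey.pem" "$dir/fullchain.pem"; then
		echo "ok: privkey.pem matches fullchain.pem"
	else
		echo "FAIL: privkey.pem does not match fullchain.pem" >&2; rc=1
	fi
	if chain_verifies "$dir/fullchain.pem"; then
		echo "ok: chain verifies against the system trust store"
	else
		echo "FAIL: chain does not verify against the system trust store" >&2; rc=1
	fi
	return "$rc"
}

# Lineage path from the certbot step (assumed); skipped when it is not present.
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/example.com}
if [ -r "$LIVE_DIR/fullchain.pem" ]; then
	check_lineage "$LIVE_DIR"
fi
```

Point LIVE_DIR at another lineage to check a second certificate; a self-signed test certificate fails the chain check by design, which is a quick way to confirm the script itself works.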

[ #alpine ]

