How do I SSL encrypt an email server?


(DovahMerith) #1

So what I'm trying to do is implement caddyserver as something like a firewall, where it applies SSL to the email server ports (IMAP, POP3, SMTP) and the like.

How would I do this?


(Matthew Fay) #2

Caddy’s HTTP server can’t do this for you, but there is a server type plugin, net, which can proxy arbitrary UDP and TCP content and leverage the TLS capabilities of Caddy. Check out the documentation:

https://caddyserver.com/docs/net


(Matthew Rhodes) #3

You should always use the built-in features of the mail server; it is entirely possible to still use Caddy for the letsencrypt implementation. Personally I run webmail on the same domain on which I accept SMTP and IMAP traffic; because it's the same subdomain, I just use the certificate Caddy generates in my mail server config. This works extremely well.


(Paul Hodges) #4

I have a script in my Windows server which copies the mail.mydomain certificate from Caddy into the Kerio mailserver when it is updated, and restarts the mailserver which then uses the updated certificate.

Paul


(Paul Fox) #5

To be sure I understand what you’ve done: your SMTP server (postfix, perhaps) has the same hostname as your Caddy web server, so you simply configure postfix with the full path to the certificate fetched by Caddy, and it Just Works. Is that correct?

On my server, Caddy and postfix serve different hostnames, but share an IP address. I think I can simply start an empty Caddy server on an unused port using the mail server’s hostname, which will cause Caddy to get a new certificate. I can then point to that from the postfix config. Does that sound right?


(Matthew Rhodes) #6

This is exactly what I’ve done, yes. I host my webmail on the same subdomain that the mail ports come through; in your case an empty Caddy page to get the certs would work just fine. You could also just use the letsencrypt CLI (but I think Caddy is way easier). You will need to set some permissions on the SSL certs after Caddy generates them in order for your mail server to get them correctly.


(Paul Fox) #7

Thanks for the confirmation. I had already gone ahead and tried it, and indeed, it works like a charm. Using caddy to do the cert management saves me from remembering yet another set of sysadmin setup, at the cost, I guess, of needing to always run Caddy on the mail server. I can live with that for now.

(I didn’t need to adjust any permissions. I’ll take a look and see why/why not.)


(Matthew Rhodes) #8

It’s probably because I run my mail server as a custom unprivileged user and group called vmail instead of whatever the default is.
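A script along the lines of the copy-and-restart approach Paul and Matthew describe above, added here as an example rather than anything posted in the thread. The Caddy storage path, the postfix directory, the vmail user and the reload command are all assumptions to adjust for your own setup.

```shell
#!/bin/sh
# Added example, not from the thread: copy the certificate Caddy obtained for the mail
# hostname to where the mail server reads it, hand the key to the unprivileged mail
# user, and reload only when the files actually changed. Every path and name below is
# an assumption; check your Caddy version's storage layout for the real source directory.
MAIL_HOST="${MAIL_HOST:-mail.example.com}"
CADDY_SITE_DIR="${CADDY_SITE_DIR:-/var/lib/caddy/sites/$MAIL_HOST}"   # assumed
MAIL_CERT_DIR="${MAIL_CERT_DIR:-/etc/postfix/tls}"                     # assumed
MAIL_USER="${MAIL_USER:-vmail}"            # user the mail server reads the key as
RELOAD_CMD="${RELOAD_CMD:-postfix reload}"

# Prints "changed" or "unchanged"; returns 1 if Caddy has no cert for MAIL_HOST yet.
sync_mail_cert() {
    src_crt="$CADDY_SITE_DIR/$MAIL_HOST.crt"; src_key="$CADDY_SITE_DIR/$MAIL_HOST.key"
    dst_crt="$MAIL_CERT_DIR/$MAIL_HOST.crt"; dst_key="$MAIL_CERT_DIR/$MAIL_HOST.key"
    if ! [ -r "$src_crt" ] || ! [ -r "$src_key" ]; then
        echo "no Caddy certificate for $MAIL_HOST in $CADDY_SITE_DIR" >&2
        return 1
    fi
    # Nothing to do when the copy already matches (the common cron-run case).
    if [ -f "$dst_crt" ] && [ -f "$dst_key" ] \
       && cmp -s "$src_crt" "$dst_crt" && cmp -s "$src_key" "$dst_key"; then
        echo unchanged
        return 0
    fi
    mkdir -p "$MAIL_CERT_DIR"
    # Stage under temporary names, then rename, so the mail server never opens a half-written key.
    cp "$src_crt" "$dst_crt.tmp" && cp "$src_key" "$dst_key.tmp" || return 1
    chmod 0644 "$dst_crt.tmp"
    chmod 0600 "$dst_key.tmp"   # private key readable by its owner only
    if [ "$(id -u)" -eq 0 ]; then   # chown needs root; unprivileged runs keep the caller as owner
        chown "$MAIL_USER" "$dst_crt.tmp" "$dst_key.tmp" || echo "chown to $MAIL_USER failed" >&2
    fi
    mv "$dst_crt.tmp" "$dst_crt" && mv "$dst_key.tmp" "$dst_key" || return 1
    echo changed
}

# Entry point for cron or a post-renewal hook: reload the mail server only on change.
run_sync() {
    result=$(sync_mail_cert) || return 1
    if [ "$result" = changed ]; then
        $RELOAD_CMD || return 1
    fi
    echo "$result"
}

# Only act when invoked directly with --run, so the file can be sourced for testing.
if [ "${1:-}" = "--run" ]; then
    run_sync
fi
```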