How do I SSL-encrypt an email server?

So what I'm trying to do is implement caddyserver as something like a firewall, where it applies SSL to the email server ports (IMAP, POP3, SMTP) and the like.

How would I do this?

Caddy’s HTTP server can’t do this for you, but there is a server type plugin, net, which can proxy arbitrary UDP and TCP content and leverage the TLS capabilities of Caddy. Check out the documentation:

https://caddyserver.com/docs/net


You should always use the built-in features of the mail server; it is entirely possible to still use Caddy for the letsencrypt implementation. Personally I run webmail on the same domain that I accept SMTP and IMAP traffic on; because it's the same subdomain, I just use the certificate Caddy generates in my mail server config. This works extremely well.

I have a script in my Windows server which copies the mail.mydomain certificate from Caddy into the Kerio mailserver when it is updated, and restarts the mailserver which then uses the updated certificate.

Paul


To be sure I understand what you’ve done: your SMTP server (postfix, perhaps) has the same hostname as your Caddy web server, so you simply configure postfix with the full path to the certificate fetched by Caddy, and it Just Works. Is that correct?

On my server, Caddy and postfix serve different hostnames, but share an IP address. I think I can simply start an empty Caddy server on an unused port using the mail server’s hostname, which will cause Caddy to get a new certificate. I can then point to that from the postfix config. Does that sound right?

This is exactly what I've done, yes. I host my webmail on the same subdomain that the mail ports come through; in your case an empty Caddy page to get the certs would work just fine. You could also just use the letsencrypt CLI (but I think Caddy is way easier). You will need to set some permissions on the SSL certs after Caddy generates them in order for your mail server to get them correctly.

Thanks for the confirmation. I had already gone ahead and tried it, and indeed, it works like a charm. Using caddy to do the cert management saves me from remembering yet another set of sysadmin setup, at the cost, I guess, of needing to always run Caddy on the mail server. I can live with that for now.

(I didn’t need to adjust any permissions. I’ll take a look and see why/why not.)

It’s probably because I run my mail server as a custom unprivileged user and group called vmail instead of whatever the default is.
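The copy-and-restart script Paul describes above, together with the permission fix and the unprivileged vmail owner mentioned in the last two replies, as an added example that is not code from the thread or from the Caddy project. The Caddy certificate path, the Postfix directory, the owner `vmail:vmail` and the reload command are all assumptions; where Caddy stores certificates depends on the Caddy version.

```shell
#!/bin/sh
# Added example, not code from the thread. Installs the certificate that Caddy
# obtained for the mail hostname into the MTA's own directory when it changes,
# fixes ownership and permissions for an unprivileged mail user, and reloads
# the MTA. All paths, the owner "vmail:vmail" and the reload command are
# assumptions; Caddy's storage location differs between versions.
set -eu

# sync_cert SRC_DIR DST_DIR NAME OWNER RELOAD_CMD
# Copies NAME.crt and NAME.key from SRC_DIR into DST_DIR only when they differ
# from the installed copies, then runs RELOAD_CMD. Prints "updated" or
# "unchanged"; returns 1 if the source files are missing.
sync_cert() {
    src=$1; dst=$2; name=$3; owner=$4; reload=$5
    for ext in crt key; do
        if [ ! -f "$src/$name.$ext" ]; then
            echo "missing $src/$name.$ext" >&2
            return 1
        fi
    done
    # Byte-identical to what is already installed: nothing to do, no reload.
    if cmp -s "$src/$name.crt" "$dst/$name.crt" 2>/dev/null \
       && cmp -s "$src/$name.key" "$dst/$name.key" 2>/dev/null; then
        echo unchanged
        return 0
    fi
    mkdir -p "$dst"
    # Stage copies under temporary names so the MTA never sees a half-written
    # file; set modes before the rename: cert world-readable, key owner-only.
    cp "$src/$name.crt" "$dst/$name.crt.tmp"
    cp "$src/$name.key" "$dst/$name.key.tmp"
    chmod 644 "$dst/$name.crt.tmp"
    chmod 600 "$dst/$name.key.tmp"
    # Ownership can only be changed by root; when run as the mail user itself
    # the copies are already owned correctly.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dst/$name.crt.tmp" "$dst/$name.key.tmp"
    fi
    mv "$dst/$name.crt.tmp" "$dst/$name.crt"
    mv "$dst/$name.key.tmp" "$dst/$name.key"
    sh -c "$reload"
    echo updated
}

# Example invocation from cron (assumed paths; Postfix reads the installed
# files via its smtpd_tls_cert_file / smtpd_tls_key_file settings):
#   sync_cert /root/.caddy/acme/acme-v01.api.letsencrypt.org/sites/mail.example.com \
#             /etc/postfix/ssl mail.example.com vmail:vmail "postfix reload"
```

Running it from cron a few times a day is enough, since the reload only fires when Caddy has actually renewed the certificate.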
