|
2 | 2 |
|
3 | 3 | There are multiple options to enable SSL:
|
4 | 4 |
|
5 |
| -* using [letsencrypt](https://letsencrypt.org/) |
| 5 | +* using [letsencrypt](https://letsencrypt.org/) (recommended) |
6 | 6 | * using self-signed certificates with the provided tool
|
7 | 7 |
|
8 |
| -## let's encrypt |
9 |
| - |
10 |
| -To enable Let's Encrypt on your mail server, you have to add en environment variable `DMS_SSL` with value `letsencrypt` (see `docker-compose.yml.dist`) |
11 |
| -You also have to mount your `letsencrypt` folder to `/etc/letsencrypt` and it should look like that: |
12 |
| - |
13 |
| - ├── etc |
14 |
| - │ └── letsencrypt |
15 |
| - │ ├── accounts |
16 |
| - │ ├── archive |
17 |
| - │ │ └── mail.domain.com |
18 |
| - │ │ ├── cert1.pem |
19 |
| - │ │ ├── chain1.pem |
20 |
| - │ │ ├── fullchain1.pem |
21 |
| - │ │ └── privkey1.pem |
22 |
| - │ ├── csr |
23 |
| - │ ├── keys |
24 |
| - │ ├── live |
25 |
| - │ │ └── mail.domain.com |
26 |
| - │ │ ├── cert.pem -> ../../archive/mail.domain.com/cert1.pem |
27 |
| - │ │ ├── chain.pem -> ../../archive/mail.domain.com/chain1.pem |
28 |
| - │ │ ├── combined.pem |
29 |
| - │ │ ├── fullchain.pem -> ../../archive/mail.domain.com/fullchain1.pem |
30 |
| - │ │ └── privkey.pem -> ../../archive/mail.domain.com/privkey1.pem |
31 |
| - │ └── renewal |
32 |
| - |
33 |
| -You don't have anything else to do. |
| 8 | +After installation, you can test your setup with [checktls.com](https://www.checktls.com/TestReceiver). |
| 9 | + |
| 10 | +## let's encrypt (recommended) |
| 11 | + |
| 12 | +To enable Let's Encrypt on your mail server, you have to: |
| 13 | + |
| 14 | +* get your certificate using [letsencrypt client](https://github.com/letsencrypt/letsencrypt) |
| 15 | +* add an environment variable `DMS_SSL` with value `letsencrypt` (see `docker-compose.yml.dist`) |
| 16 | +* mount your `letsencrypt` folder to `/etc/letsencrypt` |
| 17 | + |
| 18 | +You don't have anything else to do. Enjoy. |
34 | 19 |
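Review bot: the three new Let's Encrypt bullets no longer say which hostname the certificate must be issued for; the removed tree showed `live/mail.domain.com`, and the self-signed section below ties the certificate to the container `fqdn` passed with `-h`, so the first bullet should state that the certificate is obtained for that same hostname. The removed tree also listed a `combined.pem` under `live/` next to the certbot-managed symlinks; if the container still expects that file, the new text should say whether it is generated automatically after mounting the folder or must be supplied by the user.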
|
35 | 20 | ## self signed certificates
|
36 | 21 |
|
37 | 22 | You can easily generate a self-signed SSL certificate by using the following command:
|
38 | 23 |
|
39 |
| - docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate |
40 |
| - |
41 |
| - # Press enter |
42 |
| - # Enter a password when needed |
43 |
| - # Fill information like Country, Organisation name |
44 |
| - # Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate. |
45 |
| - # They HAVE to be different, otherwise you'll get a `TXT_DB error number 2` |
46 |
| - # Don't fill extras |
47 |
| - # Enter same password when needed |
48 |
| - # Sign the certificate? [y/n]:y |
49 |
| - # 1 out of 1 certificate requests certified, commit? [y/n]y |
50 |
| - |
51 |
| - # will generate: |
52 |
| - # postfix/ssl/mail.my-domain.com-key.pem (used in postfix) |
53 |
| - # postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files) |
54 |
| - # postfix/ssl/mail.my-domain.com-cert.pem (used in postfix) |
55 |
| - # postfix/ssl/mail.my-domain.com-combined.pem (used in courier) |
56 |
| - # postfix/ssl/demoCA/cacert.pem (certificate authority) |
| 24 | + docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate |
| 25 | + |
| 26 | + # Press enter |
| 27 | + # Enter a password when needed |
| 28 | + # Fill information like Country, Organisation name |
| 29 | + # Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate. |
| 30 | + # They HAVE to be different, otherwise you'll get a `TXT_DB error number 2` |
| 31 | + # Don't fill extras |
| 32 | + # Enter same password when needed |
| 33 | + # Sign the certificate? [y/n]:y |
| 34 | + # 1 out of 1 certificate requests certified, commit? [y/n]y |
| 35 | + |
| 36 | + # will generate: |
| 37 | + # postfix/ssl/mail.my-domain.com-key.pem (used in postfix) |
| 38 | + # postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files) |
| 39 | + # postfix/ssl/mail.my-domain.com-cert.pem (used in postfix) |
| 40 | + # postfix/ssl/mail.my-domain.com-combined.pem (used in courier) |
| 41 | + # postfix/ssl/demoCA/cacert.pem (certificate authority) |
57 | 42 |
|
58 | 43 | Note that the certificate will be generate for the container `fqdn`, that is passed as `-h` argument.
|
59 | 44 | Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml).
|
60 | 45 |
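Review bot: the self-signed command block is removed and re-added with identical content, so this looks like an indentation-only change; reviewing with whitespace ignored would confirm nothing else moved. While the block is being touched, the two prompts `# Enter a password when needed` and `# Enter same password when needed` could state what each password protects (the CA key versus the server key listed as `postfix/ssl/mail.my-domain.com-key.pem (used in postfix)`), so readers know which key they are protecting.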
|
61 |
| -If a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder. |
| 46 | +To use the certificate: |
62 | 47 |
|
| 48 | +* add an `DMS_SSL=self-signed` to your container environment variables |
| 49 | +* if a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder. |
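Review bot: grammar in the first new bullet, `add an `DMS_SSL=self-signed``: it should read `add `DMS_SSL=self-signed` to your container environment variables`. The second bullet mixes a statement with an instruction; suggest splitting it into the action (place the files listed above in the `postfix/ssl` folder) and the effect (they are picked up automatically by postfix and courier-imap-ssl), and `setup` used as a verb should be `set up`.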