<ol>
  <li>
    <p>Edit <code>/etc/dovecot/conf.d/10-ssl.conf</code> to enable SSL/TLS support:</p>
    <ol>
      <li>
        <p>Set <code>ssl</code> to <code>required</code>. This does more than switch TLS on: Dovecot then refuses to authenticate a client that has not first negotiated TLS (the plaintext CAPABILITY response advertises <code>LOGINDISABLED</code> next to <code>STARTTLS</code>), so a misconfigured client cannot leak its password:</p>
        <pre><code class="language-diff"> # SSL/TLS support: yes, no, required. &lt;doc/wiki/SSL.txt&gt;
- ssl = no
+ ssl = required</code></pre>
      </li>
      <li>
        <p>Point Dovecot at the certificate chain (the public part, sent to every connecting client) and the private key that proves ownership of it during the TLS handshake, replacing <code>example.org</code> with your domain. Both files are opened as root before Dovecot drops privileges, so the key file should be readable by root only (mode 0600):</p>
        <pre><code class="language-diff"> # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
 #ssl_cert = &lt;/etc/dovecot/dovecot.pem
 #ssl_key = &lt;/etc/dovecot/private/dovecot.pem
+ ssl_cert = &lt;/etc/certs/example.org/fullchain.pem
+ ssl_key = &lt;/etc/certs/example.org/privkey.pem</code></pre>
        <p>Then harden the remaining TLS parameters in the same file: 2048-bit Diffie-Hellman parameters, no SSLv3, no low-grade, export or anonymous cipher suites, and the server's cipher preference order rather than the client's:</p>
        <pre><code class="language-diff"> # DH parameters length to use.
- #ssl_dh_parameters_length = 1024
+ ssl_dh_parameters_length = 2048

 # SSL protocols to use
- #ssl_protocols = !SSLv3
+ ssl_protocols = !SSLv3

 # SSL ciphers to use
- #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+ ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

 # Prefer the server's order of ciphers over client's.
- #ssl_prefer_server_ciphers = no
+ ssl_prefer_server_ciphers = yes</code></pre>
        <p>Two caveats: this cipher list still admits RC4 and 3DES on older OpenSSL builds, and on Dovecot 2.3 and later <code>ssl_protocols</code> and <code>ssl_dh_parameters_length</code> no longer exist (they were replaced by <code>ssl_min_protocol</code> and an <code>ssl_dh</code> parameter file), so run <code>doveconf -n</code> after editing and act on any warning it prints.</p>
      </li>
    </ol>
  </li>
  <li>
    <p>Enable TLS for Postfix, replacing <code>example.org</code> with your domain. This is the counterpart of the Dovecot change, with one deliberate difference: SMTP stays opportunistic (<code>may</code>), because a public MX that demanded TLS would reject mail from peers that do not offer it. What protects credentials is <code>smtpd_tls_auth_only=yes</code>, which stops Postfix from announcing or accepting <code>AUTH</code> until the session is encrypted:</p>
    <pre><code class="language-shell">postconf -e "smtp_tls_security_level=may"
postconf -e "smtpd_tls_security_level=may"
postconf -e "smtpd_tls_auth_only=yes"
postconf -e "smtpd_tls_cert_file=/etc/certs/example.org/fullchain.pem"
postconf -e "smtpd_tls_key_file=/etc/certs/example.org/privkey.pem"</code></pre>
    <blockquote>
      <p><em>-e</em> - Edit Postfix' <code>main.cf</code> in place, adding or replacing the named parameter; the quotes keep the shell from splitting or expanding the <code>name=value</code> argument.</p>
    </blockquote>
  </li>
  <li>
    <p>Reload the configuration files into Postfix and Dovecot to put the changes into effect:</p>
    <pre><code class="language-shell">service postfix reload
service dovecot reload</code></pre>
  </li>
  <li>
    <p>A renewed certificate on disk is not used by a running Dovecot until it reloads, so create a weekly cron job in root's crontab (<code>crontab -e</code> as root) that reloads both services:</p>
    <pre><code class="language-shell">@weekly /usr/sbin/service postfix reload
@weekly /usr/sbin/service dovecot reload</code></pre>
  </li>
</ol>
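<p>The following audit script is an added example, not code from the original tutorial or from the Dovecot or Postfix projects. It checks a <code>10-ssl.conf</code> and a <code>main.cf</code> for the settings the steps above apply, verifies that the private key is readable by root only, and carries the live <code>openssl s_client</code> probe used to confirm the result on a deployed server. The sample file names and contents, the <code>fullchain.pem</code>/<code>privkey.pem</code> names, and the assumption that IMAP STARTTLS listens on 143 and submission on 587 are all constructed for the demo.</p>

```shell
#!/bin/sh
# Added example, not code from the original tutorial: audit a Dovecot
# 10-ssl.conf and a Postfix main.cf for the settings applied in the steps
# above, then the live openssl checks. File names and contents are constructed.

# cfg_get FILE KEY: effective value of "KEY = value" in FILE. Commented-out
# lines are ignored and, as in Dovecot and Postfix, the last occurrence wins.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}
# expect FILE KEY VALUE: succeed if KEY is set to VALUE, else report and fail.
expect() {
    actual=$(cfg_get "$1" "$2")
    [ "$actual" = "$3" ] || { echo "FAIL $1: $2 = '${actual:-<unset>}' (want '$3')"; return 1; }
}
# key_private FILE: both daemons open the key as root before dropping
# privileges, so group/other permission bits must be clear (0600 or 0400).
key_private() {
    [ -e "$1" ] || { echo "FAIL key file '$1' does not exist"; return 1; }
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "FAIL $1 is readable by group/others (chmod 600 it)"; return 1 ;;
    esac
}
# check_dovecot_ssl FILE: 0 when FILE matches the hardened 10-ssl.conf above.
check_dovecot_ssl() {
    fails=0
    expect "$1" ssl required                  || fails=1  # no plaintext logins
    expect "$1" ssl_dh_parameters_length 2048 || fails=1
    expect "$1" ssl_prefer_server_ciphers yes || fails=1
    case "$(cfg_get "$1" ssl_protocols)" in
        *'!SSLv3'*) ;;
        *) echo "FAIL $1: ssl_protocols does not exclude SSLv3"; fails=1 ;;
    esac
    # Dovecot's "<path" syntax means "read the value from this file"
    key_private "$(cfg_get "$1" ssl_key | sed 's/^<//')" || fails=1
    return $fails
}

# check_postfix_tls FILE: 0 when main.cf carries the postconf -e settings above.
# "may" is right on a public MX (peers may not speak TLS at all); it is
# smtpd_tls_auth_only=yes that keeps AUTH off unencrypted sessions.
check_postfix_tls() {
    fails=0
    expect "$1" smtpd_tls_auth_only yes || fails=1
    for p in smtp_tls_security_level smtpd_tls_security_level; do
        case "$(cfg_get "$1" "$p")" in
            ''|none) echo "FAIL $1: $p is unset or none"; fails=1 ;;
        esac
    done
    key_private "$(cfg_get "$1" smtpd_tls_key_file)" || fails=1
    return $fails
}

# tls_probe HOST: live check (needs network; not run by the demo). Look for
# the Protocol/Cipher lines and "Verify return code: 0 (ok)" (chain validated).
tls_probe() {
    printf 'a LOGOUT\r\n' | openssl s_client -starttls imap -connect "$1:143" \
        -servername "$1" 2>/dev/null | grep -E 'Protocol|Cipher|Verify return'
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$1:587" \
        -servername "$1" 2>/dev/null | grep -E 'Protocol|Cipher|Verify return'
}

# write_samples DIR: constructed "weak" (stock defaults) and "hard" (as edited
# above) configs plus dummy key files with 0644 and 0600 modes.
write_samples() {
    cat > "$1/dovecot-weak.conf" <<EOF
ssl = yes
#ssl_prefer_server_ciphers = no
ssl_key = <$1/privkey-weak.pem
EOF
    cat > "$1/dovecot-hard.conf" <<EOF
ssl = required
ssl_key = <$1/privkey.pem
ssl_dh_parameters_length = 2048
ssl_protocols = !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_prefer_server_ciphers = yes
EOF
    printf 'smtpd_tls_security_level = none\nsmtpd_tls_auth_only = no\n' > "$1/main-weak.cf"
    cat > "$1/main-hard.cf" <<EOF
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = $1/privkey.pem
EOF
    : > "$1/privkey.pem";      chmod 600 "$1/privkey.pem"
    : > "$1/privkey-weak.pem"; chmod 644 "$1/privkey-weak.pem"
}

# Stand-alone demo: the weak files should yield FAIL lines, the hard ones OK.
demo=$(mktemp -d); write_samples "$demo"
for f in dovecot-weak.conf dovecot-hard.conf main-weak.cf main-hard.cf; do
    case $f in dovecot*) fn=check_dovecot_ssl ;; *) fn=check_postfix_tls ;; esac
    if $fn "$demo/$f"; then echo "OK   $f"; fi
done; rm -rf "$demo"
```

<p>On a live host, run <code>check_dovecot_ssl /etc/dovecot/conf.d/10-ssl.conf</code> and <code>check_postfix_tls /etc/postfix/main.cf</code> as root (so the key files can be stat'ed), then <code>tls_probe mail.example.org</code> from outside: a successful probe shows a TLS 1.2 or later protocol line, a non-export cipher, and a verify code of 0; a probe on the unencrypted port that still offers <code>AUTH</code> or lacks <code>LOGINDISABLED</code> means one of the two settings above did not take effect.</p>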