Is a web server required to run a mail server?
I'm trying to create a mail server, but I'm not able to connect to my DO droplet's domain, which I need to do to get a Let's Encrypt SSL certificate. It refuses connection. letsdebug.net says:
[My domain name] has an A (IPv4) record ([my droplet's IP address)) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
71ms: Experienced error: dial tcp [my droplet's IP]:80: connect: connection refused
So, I decided to try running sudo netstat -nlp, which output the following:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN 2882/mysqld
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2882/mysqld
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 493/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 768/sshd: /usr/sbin
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 146987/master
tcp6 0 0 :::22 :::* LISTEN 768/sshd: /usr/sbin
tcp6 0 0 :::25 :::* LISTEN 146987/master
udp 0 0 127.0.0.53:53 0.0.0.0:* 493/systemd-resolve
raw6 0 0 :::58 :::* 7 490/systemd-network
raw6 0 0 :::58 :::* 7 490/systemd-network
And there is clearly nothing listening on port 80. How do I get something to listen on it? Do I need to install Nginx or something - namely, set up a web server? Why would I need to do that? Does this mean I need a web server built to install a mail server? I'm a complete novice when it comes to this stuff.
I am being told that it is only required for a Let's Encrypt certificate. In this tutorial, dovecot.pem is used for both the cert and key file. Will this suffice instead if I'm using Dovecot?
Update: no IP address found for my subdomain
On Michael Hampton's advice, I tried sudo certbot certonly --standalone -d mail.example.com, putting in my own mail subdomain, and have seemed to have opened another can of worms:
Detail: No valid IP addresses found for [my mail subdomain]
This is a bit confusing. Perhaps I have set my MX record wrong? I will list out my DNS records (I've blacked out my droplet's IP address and domain name as I have no clue if it is safe or not to share these things over the internet. If they are necessary to include and it's safe I have no problem unredacting this):
[Image: My droplet's DNS records]
Here, the redacted bits in the 'Value' column all hide my droplet's IP address and the redacted bits in the 'Hostname' column hide my domain URL.
Solution 1:
You can use certbot in standalone mode to obtain certificates for services other than a web site. For example:
sudo certbot certonly --standalone -d mail.example.com
In this mode, certbot starts its own internal web server so that the HTTP challenge can be completed, and then stops it at the end.
Your private keys and certificates, or rather links to them which will remain the same even when the certificates are renewed later, will be in the /etc/letsencrypt/live directory. You can then configure Postfix, Dovecot, or whatever you happen to be using, to find them there. For example, your certificate chain will be /etc/letsencrypt/live/mail.example.com/fullchain.pem and the private key will be /etc/letsencrypt/live/mail.example.com/privkey.pem.