Use Let's Encrypt certificate for mail server

Solution 1:

IMHO: Yes, LE is ready for production.

SMTP

Let's Encrypt works great for mutual TLS communications between mail servers. Many servers support opportunistic TLS with self-signed certificates; in rare cases you will find an MTA that requires either publicly signed or DANE-secured TLS connections.

I use LE certs on all my Postfix servers, and checktls.com gives me all green lights! CheckTLS results:

[000.100]       Connected to server
[000.405]   <-- 220 vegas.localdomain ESMTP Postfix
[000.405]       We are allowed to connect
[000.406]   --> EHLO checktls.com
[000.500]   <-- 250-vegas.localdomain
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.500]       We can use this server
[000.501]       TLS is an option on this server
[000.501]   --> STARTTLS
[000.595]   <-- 220 2.0.0 Ready to start TLS
[000.596]       STARTTLS command works on this server
[000.827]       SSLVersion in use: TLSv1.2
[000.827]       Cipher in use: ECDHE-RSA-AES128-SHA256
[000.828]       Connection converted to SSL
[000.855]       
Certificate 1 of 3 in chain:
subject= /CN=vegas.jacobdevans.com
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3                                                  
[000.882]       
Certificate 2 of 3 in chain:
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3                                                    
[000.908]       
Certificate 3 of 3 in chain:
subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3                                                      
[000.909]       Cert VALIDATED: ok
[000.909]       Cert Hostname VERIFIED (vegas.jacobdevans.com = vegas.jacobdevans.com)
[000.909]   ~~> EHLO checktls.com
[001.006]   <~~ 250-vegas.localdomain
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[001.007]       TLS successfully started on this server

POP/IMAP

Let's Encrypt certs are cross-signed, so even if the OS doesn't support the root, it may already trust the root cross-signed cert. Unlike Firefox, Outlook uses the internal CA trust, which you can control with GPOs and use any CA you like (such as internally signed CAs).

https://letsencrypt.org/certificates/
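
The checks in the CheckTLS transcript above (EHLO, STARTTLS, chain validation, hostname verification, second EHLO) can be reproduced against your own server with Python's standard library. This is an added example, not part of the original answer; the function names, `mail.example.test` and the sample dates are assumptions made for illustration.

```python
import smtplib
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# (hostname and dates are made up; issuer name copied from the transcript).
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "subjectAltName": (("DNS", "mail.example.test"),),
    "notAfter": "Jun 30 12:00:00 2016 GMT",
}


def summarize_cert(cert, now=None):
    """Reduce a getpeercert() dict to subject, issuer, SAN names and days left."""
    now = now or datetime.now(timezone.utc)
    # subject/issuer are tuples of RDNs, each RDN a tuple of (key, value) pairs
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": (expires - now).days,
    }


def check_starttls(host, port=25, timeout=10):
    """EHLO, STARTTLS with chain and hostname validation, then EHLO again."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not advertise STARTTLS")
        smtp.starttls(context=ctx)  # raises ssl.SSLCertVerificationError on failure
        smtp.ehlo()  # capabilities must be re-read inside the TLS session
        result = summarize_cert(smtp.sock.getpeercert())
        result["protocol"] = smtp.sock.version()
        result["cipher"] = smtp.sock.cipher()[0]
        return result


if __name__ == "__main__":
    print(check_starttls(sys.argv[1]) if len(sys.argv) > 1
          else summarize_cert(SAMPLE_CERT))
```

Run it with your MX hostname as the only argument. The `days_left` field is worth monitoring, since an expired certificate makes the validating `starttls()` call fail.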