configure-tls.md

How to Configure TLS Certificates

By default the mailserver uses a shared data-tls volume with internally generated certificates. To use external certificates (e.g. Let’s Encrypt), mount certificate and key files into the MTA and MDA containers.

Certificate locations

• MDA (Dovecot): /etc/dovecot/tls/tls.crt, /etc/dovecot/tls/tls.key
• MTA (Postfix): /etc/postfix/tls/tls.crt, /etc/postfix/tls/tls.key

Steps (Docker Compose)

1. Mount certificates in MDA

In deploy/compose/mda.yaml, replace the data-tls volume with file mounts:

volumes:
  - data-mail:/srv/vmail
  - /path/to/certificate.crt:/etc/dovecot/tls/tls.crt:ro
  - /path/to/private.key:/etc/dovecot/tls/tls.key:ro

2. Mount certificates in MTA

In deploy/compose/mta.yaml, replace the data-tls volume with file mounts:

volumes:
  - /path/to/certificate.crt:/etc/postfix/tls/tls.crt:ro
  - /path/to/private.key:/etc/postfix/tls/tls.key:ro

3. Remove or disable the SSL service (optional)

If you no longer need internal certificate generation, remove the SSL service from your compose stack so it does not overwrite or conflict with your certificates.

4. Restart MTA and MDA

bin/production.sh up -d mta mda

Let’s Encrypt example

If certificates are in /etc/letsencrypt/live/yourdomain.com/:

# mda
- /etc/letsencrypt/live/yourdomain.com/fullchain.pem:/etc/dovecot/tls/tls.crt:ro
- /etc/letsencrypt/live/yourdomain.com/privkey.pem:/etc/dovecot/tls/tls.key:ro

# mta
- /etc/letsencrypt/live/yourdomain.com/fullchain.pem:/etc/postfix/tls/tls.crt:ro
- /etc/letsencrypt/live/yourdomain.com/privkey.pem:/etc/postfix/tls/tls.key:ro

Use fullchain.pem so the chain is complete.

Requirements

• Format: PEM (.crt, .pem, .key).
• Permissions: Certificate and key readable by the container user; key with restricted permissions (e.g. 600).

If TLS errors appear, check paths and permissions and review MTA/MDA logs: bin/production.sh logs mta, bin/production.sh logs mda.