Using Let's Encrypt to secure outgoing Sendmail emails.


Last updated: November 15, 2017.

The mail-transfer program Sendmail can easily be configured for STARTTLS transport security using your Let's Encrypt credentials.

Consider also reading my article on email integrity and anti-spam/anti-spoofing with Sendmail.


1. Locate your Let's Encrypt directory.

sudo ls /etc/letsencrypt/live/example.com/

Replace example.com with your domain. The output should look like this:

cert.pem chain.pem fullchain.pem privkey.pem

Note: you need to have run letsencrypt first.


2. Modify sendmail.mc

sudo nano /etc/mail/sendmail.mc

dnl#
define(`confCACERT_PATH', `/etc/letsencrypt/live/example.com')dnl
define(`confCACERT', `/etc/letsencrypt/live/example.com/chain.pem')dnl
define(`confSERVER_CERT', `/etc/letsencrypt/live/example.com/cert.pem')dnl
define(`confSERVER_KEY', `/etc/letsencrypt/live/example.com/privkey.pem')dnl
dnl#

Append the above to the end of the file, replacing example.com with your domain.

This will also work with an ECDSA private key and Let's Encrypt.

dnl#
define(`confCACERT_PATH', `/etc/letsencrypt/ecdsa/example.com')dnl
define(`confCACERT', `/etc/letsencrypt/live/example.com/0001_chain.pem')dnl
define(`confSERVER_CERT', `/etc/letsencrypt/ecdsa/example.com/0000_cert.pem')dnl
define(`confSERVER_KEY', `/etc/letsencrypt/ecdsa/example.com/privkey.pem')dnl
dnl#

3. Reconfigure and restart Sendmail

sudo su

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

exit

sudo service sendmail restart
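A pre-flight check you can run before the restart, as an added example that is not part of the original article: it reads the four defines from step 2 out of sendmail.mc, confirms each path exists, and flags a private key that is group- or world-accessible, which Sendmail's default file-safety checks reject. The function names mc_value and check_sendmail_tls are hypothetical, and GNU or BusyBox stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are illustrative.

# mc_value FILE NAME: print the value of the last define(`NAME', `value') in FILE.
mc_value() {
    sed -n "s/^define(\`$2', *\`\([^']*\)').*/\1/p" "$1" | tail -n 1
}

# check_sendmail_tls FILE: verify the four TLS defines from step 2.
# Returns 0 only if every path exists and the key has no group/other bits.
check_sendmail_tls() {
    mc=$1
    rc=0
    for name in confCACERT_PATH confCACERT confSERVER_CERT confSERVER_KEY; do
        path=$(mc_value "$mc" "$name")
        if [ -z "$path" ]; then
            echo "MISSING $name is not defined in $mc"; rc=1; continue
        fi
        # -e follows symlinks, so Let's Encrypt live/ links are resolved.
        if [ ! -e "$path" ]; then
            echo "NOFILE  $name -> $path"; rc=1; continue
        fi
        if [ "$name" = confSERVER_KEY ]; then
            mode=$(stat -L -c '%a' "$path")   # octal mode of the link target
            if [ $(( 0$mode & 077 )) -ne 0 ]; then
                echo "UNSAFE  $name -> $path (mode $mode, expected 600 or 400)"
                rc=1; continue
            fi
        fi
        echo "OK      $name -> $path"
    done
    return "$rc"
}

# Run as root against the real file: sh check.sh /etc/mail/sendmail.mc
if [ "$#" -gt 0 ]; then
    check_sendmail_tls "$1"
fi
```

Run it as root, since /etc/letsencrypt/live is not readable by ordinary users.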


