The same Let’s Encrypt certificate that secures your website can also encrypt your email connections. This guide covers configuring TLS for the most common email servers.
Why email needs TLS
Without TLS, email traffic (including passwords and message content) is sent in plaintext:
- SMTP (sending mail) — port 25/587 unencrypted by default
- IMAP (reading mail) — port 143 unencrypted by default
- POP3 (reading mail) — port 110 unencrypted by default
TLS encrypts these connections the same way HTTPS encrypts web traffic. Modern email clients expect TLS and will warn users about unencrypted connections.
Certificate setup
You can use the same certificate files from GetHTTPS for both your web server and email server — as long as the certificate covers the hostname your email server uses (e.g., mail.example.com).
Get a certificate that covers your mail hostname:
- In GetHTTPS, add mail.example.com (or whatever hostname your MX record points to)
- You can include it alongside your web domain: example.com+www.example.com+mail.example.com
- Download the files: fullchain.pem, privkey.pem
Postfix (SMTP)
Edit /etc/postfix/main.cf:
# TLS for outbound mail (sending)
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# TLS for inbound mail (receiving) — STARTTLS on port 25/587
smtpd_tls_cert_file = /etc/ssl/gethttps/fullchain.pem
smtpd_tls_key_file = /etc/ssl/gethttps/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_loglevel = 1
For submission (port 587), edit /etc/postfix/master.cf:
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
Reload: sudo systemctl reload postfix
Dovecot (IMAP/POP3)
Edit /etc/dovecot/conf.d/10-ssl.conf:
ssl = required
ssl_cert = </etc/ssl/gethttps/fullchain.pem
ssl_key = </etc/ssl/gethttps/privkey.pem
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = no
Note the < before the file path — Dovecot uses this syntax to read file contents inline.
Reload: sudo systemctl reload dovecot
IMAP/POP3 ports
| Service | Unencrypted | STARTTLS | Implicit TLS (recommended) |
|---|---|---|---|
| IMAP | 143 | 143 (upgrade) | 993 |
| POP3 | 110 | 110 (upgrade) | 995 |
| SMTP submission | 587 | 587 (upgrade) | 465 (smtps) |
Modern email clients should connect to the implicit TLS ports (993, 995, 465). Configure these in Dovecot and Postfix alongside the STARTTLS ports.
Verify email TLS
# Test SMTP STARTTLS
openssl s_client -connect mail.example.com:587 -starttls smtp
# Test IMAP implicit TLS
openssl s_client -connect mail.example.com:993
# Test SMTP implicit TLS (smtps)
openssl s_client -connect mail.example.com:465
Look for Verify return code: 0 (ok) and your certificate details.
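As an added example (not part of this guide or of GetHTTPS), the Python script below performs the same three checks as the openssl commands above with a verifying TLS context, and additionally confirms that the certificate's SAN covers the mail hostname and that it is not close to expiry. The hostname mail.example.com and the 14-day warning threshold are placeholders to adjust.

```python
import smtplib
import socket
import ssl
import time

def san_covers(cert, hostname):
    """True if a dNSName SAN entry matches hostname; a wildcard covers one label only."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def days_until_expiry(cert, now=None):
    """Days left before the notAfter date reported by getpeercert()."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - (time.time() if now is None else now)) / 86400

def fetch_cert(host, port, starttls_smtp=False):
    """Peer certificate after a chain- and hostname-verified handshake."""
    ctx = ssl.create_default_context()  # system CA store, check_hostname on
    if starttls_smtp:  # plaintext SMTP session upgraded with STARTTLS (25/587)
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=10) as raw:  # implicit TLS
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def check_endpoint(host, port, starttls_smtp=False, warn_days=14):
    """Return (ok, message); a failed or unverifiable handshake is a failure."""
    try:
        cert = fetch_cert(host, port, starttls_smtp)
    except (OSError, smtplib.SMTPException) as exc:  # ssl.SSLError is an OSError
        return False, f"{host}:{port} handshake failed: {exc}"
    if not san_covers(cert, host):
        return False, f"{host}:{port} certificate does not cover {host}"
    if (left := days_until_expiry(cert)) < warn_days:
        return False, f"{host}:{port} certificate expires in {left:.1f} days"
    return True, f"{host}:{port} ok, {left:.0f} days left"

if __name__ == "__main__":  # the same three endpoints as the openssl checks above
    for port, starttls in ((587, True), (993, False), (465, False)):
        print(*check_endpoint("mail.example.com", port, starttls))  # placeholder host
```

Run it from a machine with a normal CA store; any handshake that does not validate (wrong name, expired, untrusted chain) is reported as a failure rather than silently accepted.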
Renewal
When you renew your Let’s Encrypt certificate, replace the files and reload both your web server and email server:
sudo systemctl reload nginx # web
sudo systemctl reload postfix # SMTP
sudo systemctl reload dovecot # IMAP
If using Certbot with --deploy-hook, add the email server reloads to the hook script.
Frequently asked questions
Can I use the same certificate for web and email?
Yes — as long as the certificate’s SAN (Subject Alternative Name) includes the email server’s hostname. If your MX points to mail.example.com, include that name when requesting the certificate.
Does Let’s Encrypt work for email servers?
Yes. Let’s Encrypt certificates are standard X.509 certificates that work with any TLS-capable service — not just web servers. The certificate doesn’t know whether it’s used for HTTPS, SMTP, IMAP, or anything else.
Do I need a separate certificate for each email protocol?
No. One certificate works for SMTP (Postfix), IMAP (Dovecot), and your web server simultaneously. Point all services to the same fullchain.pem and privkey.pem.
What about Microsoft Exchange?
Exchange uses PFX/PKCS#12 format. Convert your PEM files to PFX, then import via the Exchange Admin Center → Servers → Certificates → Import. The process is similar to IIS certificate installation.