I'm trying to create a mail server, but I'm not able to connect to my DO droplet's domain, which I need to do to get a Let's Encrypt SSL certificate. It refuses connection. letsdebug.net says:
[My domain name] has an A (IPv4) record ([my droplet's IP address)) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
71ms: Experienced error: dial tcp [my droplet's IP]:80: connect: connection refused
So, I decided to try running sudo netstat -nlp, which output the following:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN 2882/mysqld
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2882/mysqld
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 493/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 768/sshd: /usr/sbin
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 146987/master
tcp6 0 0 :::22 :::* LISTEN 768/sshd: /usr/sbin
tcp6 0 0 :::25 :::* LISTEN 146987/master
udp 0 0 127.0.0.53:53 0.0.0.0:* 493/systemd-resolve
raw6 0 0 :::58 :::* 7 490/systemd-network
raw6 0 0 :::58 :::* 7 490/systemd-network
And there is clearly nothing listening on port 80. How do I get something to listen to it? Do I need to install Nginx or something - namely set up a webserver? Why would I need to do that? Does this mean I need a web server built to install a mail server? I'm a complete novice when it comes to this stuff.
I am being told that it is only required for a Let's Encrypt certificate. In this tutorial, dovecot.pem is used for both the cert and key file. Will this suffice instead if I'm using Dovecot?
Update: no IP address found for my subdomain
On Michael Hampton's advice, I tried sudo certbot certonly --standalone -d mail.example.com, putting in my own mail subdomain, and seem to have opened another can of worms:
Detail: No valid IP addresses found for [my mail subdomain]
This is a bit confusing. Perhaps I have set my MX record wrong? I will list out my DNS records (I've blacked out my droplet's IP address and domain name as I have no clue if it is safe or not to share these things over the internet. If they are necessary to include and it's safe I have no problem unredacting this):
Here, the redacted bits in the 'Value' column all hide my droplet's IP address, and the redacted bits in the 'Hostname' column hide my domain URL.
You can use certbot in standalone mode to obtain certificates for services other than a web site. For example:

sudo certbot certonly --standalone -d mail.example.com

In this mode, certbot starts its own internal web server so that the HTTP challenge can be completed, and then stops it at the end.

Your private keys and certificates, or rather links to them which will remain the same even when the certificates are renewed later, will be in the /etc/letsencrypt/live directory. You can then configure Postfix, Dovecot, or whatever you happen to be using, to find them there. For example, your certificate chain will be /etc/letsencrypt/live/mail.example.com/fullchain.pem and the private key will be /etc/letsencrypt/live/mail.example.com/privkey.pem.

You need a web service (not necessarily a traditional web server) for HTTP-01 authenticated Let's Encrypt certificate automation. You don't need one for mail per se. There are other ways to get certificates.
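The answer above relies on port 80 being free for certbot's temporary web server, and the question's netstat listing is exactly what tells you whether that is the case. The following script is an added example, not code from the question, the answer or the certbot project: it parses the `netstat -nlp` listing (a constructed copy of the question's output, duplicate raw6 line dropped, with the placeholder interface layout netstat prints) into structured listeners, reports whether port 80 is already taken (which would make `--standalone` fail with an address-in-use error) and, as a bonus exposure check, lists which TCP services are bound to all interfaces rather than loopback only. Note that the later "No valid IP addresses found" error from the question's update is a DNS problem that no local socket listing can reveal.

```python
"""Pre-flight check for `certbot --standalone`: parse `netstat -nlp` output
and report port-80 availability plus which TCP services face the network."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the `sudo netstat -nlp` listing from the question above.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      2882/mysqld
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2882/mysqld
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      493/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      768/sshd: /usr/sbin
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      146987/master
tcp6       0      0 :::22                   :::*                    LISTEN      768/sshd: /usr/sbin
tcp6       0      0 :::25                   :::*                    LISTEN      146987/master
udp        0      0 127.0.0.53:53           0.0.0.0:*                           493/systemd-resolve
raw6       0      0 :::58                   :::*                    7           490/systemd-network
"""


@dataclass(frozen=True)
class Listener:
    proto: str      # tcp, tcp6, udp, udp6, raw, raw6
    address: str    # local bind address, e.g. 0.0.0.0, 127.0.0.1, ::
    port: int
    program: str    # the "PID/Program name" column, may be "-" without root

    @property
    def loopback_only(self) -> bool:
        # 127.0.0.0/8 and ::1 are not reachable from other hosts.
        return self.address.startswith("127.") or self.address == "::1"


def parse_netstat(text: str) -> list[Listener]:
    """Turn `netstat -nlp` output into Listener records, skipping headers."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        parts = line.split(None, 5)  # proto, recv-q, send-q, local, foreign, rest
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp", "raw")):
            continue
        rest = parts[5] if len(parts) > 5 else ""
        tokens = rest.split(None, 1)
        # The State column is absent for udp and is a number for raw sockets;
        # drop it so only "PID/Program name" remains.
        if len(tokens) > 1 and (tokens[0] == "LISTEN" or tokens[0].isdigit()):
            rest = tokens[1]
        address, _, port = parts[3].rpartition(":")  # handles "::" and IPv4
        listeners.append(Listener(parts[0], address, int(port), rest.strip()))
    return listeners


def listeners_on(listeners: list[Listener], port: int) -> list[Listener]:
    """TCP sockets (v4 or v6) listening on the given port."""
    return [l for l in listeners if l.proto.startswith("tcp") and l.port == port]


def exposed_ports(listeners: list[Listener]) -> dict[int, str]:
    """TCP ports bound to a non-loopback address, i.e. reachable from outside
    (subject to any host or cloud firewall in front of the machine)."""
    return {l.port: l.program
            for l in listeners if l.proto.startswith("tcp") and not l.loopback_only}


def standalone_preflight(listeners: list[Listener]) -> list[str]:
    """Findings relevant to running `certbot certonly --standalone`."""
    findings = []
    busy = listeners_on(listeners, 80)
    if busy:
        names = ", ".join(sorted({l.program for l in busy}))
        findings.append(f"port 80 busy: {names}; stop it first or use --webroot instead")
    else:
        findings.append("port 80 free: certbot --standalone can bind it "
                        "(also allow TCP/80 inbound in any firewall)")
    for port, program in sorted(exposed_ports(listeners).items()):
        findings.append(f"network-facing: tcp/{port} ({program})")
    for l in listeners:
        if l.proto.startswith("tcp") and l.loopback_only:
            findings.append(f"loopback only: tcp/{l.port} ({l.program})")
    return findings


if __name__ == "__main__":
    for finding in standalone_preflight(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

On a live box, replace `SAMPLE_NETSTAT` with the captured output of `sudo netstat -nlp` (or adapt the column handling for `ss -ltnp`). For the question's listing the script reports port 80 free, sshd and Postfix's master process on all interfaces, and MySQL plus the stub resolver on loopback only, which is the expected shape for a mail host that has not installed a web server.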
A mail server by no means requires a web server; these are two completely different services. However, obtaining an SSL certificate from Let's Encrypt obviously requires having a web server, as those certificates are issued for web servers.

You don't need an "official" certificate (like the one from Let's Encrypt) if you plan to use it only for a mail server. You may perfectly well use self-signed certificates, as during an SMTP transaction the certificates are NOT checked between servers.