I have read some of the already open posts on this subject, but I have not yet been able to properly enable SSL on the Web.
And I would also like to enable SSL on the SMTP server.
Any tutorial or easy to understand method?
SSL for click tracking is handled by Postal but if you want SSL for the web ui and SMTP, you'll have to get your own certificate.
The easiest way is to use certbot and the webroot method with something like this:
certbot certonly --webroot --webroot-path /opt/postal/app/public --domains postal.yourorganisation.com
Certbot will tell you where the certificate is located and then you can specify that in your nginx configuration and postal.yml
Nginx:
ssl_certificate /etc/letsencrypt/live/postal.yourorganisation.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/postal.yourorganisation.com/privkey.pem;
Postal:
smtp_server:
tls_enabled: true
tls_certificate_path: /etc/letsencrypt/live/postal.yourorganisation.com/fullchain.pem
tls_private_key_path: /etc/letsencrypt/live/postal.yourorganisation.com/privkey.pem
Certbot will automatically renew the certificates so you don't have to worry about replacing them yourself. If you have your own certificate from another source, you can upload it to your server and specify the paths to it like the above.
Ooohh, thanks, it's working perfectly.
In case it helps someone looking at this: it took me some time to figure out that the nginx configuration referenced above happens in /etc/nginx/sites-available/default . Update the hostname in there too.
FYI, my certs renewed nicely with this method, however, I had to manually reload nginx via sudo systemctl reload nginx to get it to "see" the new cert after renewal.
If you're using certbot and its default automatic renewal method, I guess certbot will reload nginx.
In our experience, the cron job that certbot uses to generate the new certificates doesn't reload the services by default but adding in the necessary && systemctl reload ... to /etc/cron.d/certbot isn't a big task.
We also use certbot directly from pip to access some plugins which means the cron file doesn't get created so thats another reason to manage the cron file yourself.