Is a web server required to run a mail server?

sangstar asked:

I’m trying to create a mail server, but I’m not able to connect to my DO droplet’s domain, which I need to do to get a Let’s Encrypt SSL certificate. It refuses conection. letsdebug.net says:

[My domain name] has an A (IPv4) record ([my droplet’s IP address)) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

71ms: Experienced error: dial tcp [my droplet’s IP]:80: connect: connection refused

So, I decided to try running sudo netstat -nlp which outputted the following:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      2882/mysqld         
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2882/mysqld         
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      493/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      768/sshd: /usr/sbin 
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      146987/master       
tcp6       0      0 :::22                   :::*                    LISTEN      768/sshd: /usr/sbin 
tcp6       0      0 :::25                   :::*                    LISTEN      146987/master       
udp        0      0 127.0.0.53:53           0.0.0.0:*                           493/systemd-resolve 
raw6       0      0 :::58                   :::*                    7           490/systemd-network 
raw6       0      0 :::58                   :::*                    7           490/systemd-network 

And there is clearly nothing listening on port 80. How do I get something to listen to it? Do I need to install Nginx or something – namely set up a webserver? Why would I need to do that? Does this mean I need a web server built to install a mail server? I’m a complete novice when it comes to this stuff.

I am being told that it is only required for a Let’s Encrypt certificate. In this tutorial, dovecot.pem is used for both the cert and key file. Will this suffice instead if I’m using Dovecot?

Update: no IP address found for my subdomain

On Michael Hampton’s advice, I tried sudo certbot certonly --standalone -d mail.example.com putting in my own mail subdomain and have seemed to have opened another can of worms:

   Detail: No valid IP addresses found for [my mail subdomain]

This is a bit confusing. Perhaps I have set my MX record wrong? I will list out my DNS records (I’ve blacked out my droplet’s IP address and domain name as I have no clue if it is safe or not to share these things over the internet. If they are necessary to include and it’s safe I have no problem unredacting this):

My droplet’s DNS records

Here, the redacted bits in the ‘Value’ column all hide by droplet’s IP address and the redacted bits in hostname hide my domain url.

My answer:


You can use certbot in standalone mode to obtain certificates for services other than a web site. For example:

sudo certbot certonly --standalone -d mail.example.com

In this mode, certbot starts its own internal web server so that the HTTP challenge can be completed, and then stops it at the end.

Your private keys and certificates, or rather links to them which will remain the same even when the certificates are renewed later, will be in the /etc/letsencrypt/live directory. You can then configure Postfix, Dovecot, or whatever you happen to be using, to find them there. For example, your certificate chain will be /etc/letsencrypt/live/mail.example.com/fullchain.pem and the private key will be /etc/letsencrypt/live/mail.example.com/privkey.pem.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.