How do I properly issue Let's Encrypt certificate for my Postfix mail server? Right now I have a self-signed certificate and I get these messages it cannot be trusted.

I did certbot --nginx certonly -d mail.example.org and apparently it is self-signed.

m27

2 Answers

Dan is correct - the --certonly option tells certbot to get the certificate but do nothing with it. The script will have told you where that certificate is now, most likely /etc/letsencrypt/live/mail.example.org, as files named cert.pem, chain.pem, fullchain.pem, and privkey.pem. You would go into configuration for Postfix, and change the certificate paths to point to those files. Once you've done that, of course, you would restart Postfix.

tsc_chazz

Let's Encrypt, since Certbot 2.0, issues ECC certificates by default. Some sending mail systems do not yet support those, but only RSA certificates. Therefore, to properly issue certificates for a Postfix mail server, you would need two sets of certificate+key files:

smtpd_tls_chain_files =
    /etc/letsencrypt/live/mail.example.com-ecdsa/privkey.pem,
    /etc/letsencrypt/live/mail.example.com-ecdsa/fullchain.pem,
    /etc/letsencrypt/live/mail.example.com-rsa/privkey.pem,
    /etc/letsencrypt/live/mail.example.com-rsa/fullchain.pem

You can get them by commenting out key-type in /etc/letsencrypt/cli.ini and then issuing the certificates with the --key-type option in command line. That part is crucial, because the settings in cli.ini will override those in /etc/letsencrypt/renewal/*.conf, which will break things on the next automatic renewal. E.g.,

sudo certbot certonly \
  --cert-name mail.example.com-ecdsa \
  -d mail.example.com \
  --key-type ecdsa

sudo certbot certonly \
  --cert-name mail.example.com-rsa \
  -d mail.example.com \
  --key-type rsa

A more elaborate answer:

Esa Jokinen
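The answer above hinges on one operational detail: a global key-type in /etc/letsencrypt/cli.ini silently wins over the per-lineage key_type recorded in /etc/letsencrypt/renewal/*.conf, so a dual RSA/ECDSA setup renews correctly only while cli.ini stays quiet about key type. The following POSIX shell script is an added example, not code from the answer or from Certbot; it parses both files and reports any lineage whose recorded key type conflicts with a forced global one. The ini_value and check_key_types function names, the exit codes and the default paths are assumptions made here; the script only reads files and never calls certbot.

```shell
#!/bin/sh
# Added example: detect a cli.ini key-type that would override per-lineage
# key_type settings on the next 'certbot renew'. Read-only, no certbot calls.

# ini_value FILE KEY: print the first uncommented "KEY = value" in FILE.
# Certbot writes "key-type" in cli.ini but "key_type" in renewal confs, so
# '-' and '_' in KEY are treated as interchangeable.
ini_value() {
  _file=$1
  _key=$(printf '%s' "$2" | sed 's/[-_]/[-_]/g')
  [ -f "$_file" ] || return 0
  sed -n -E "s/^[[:space:]]*${_key}[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$_file" | head -n 1
}

# check_key_types [CLI_INI] [RENEWAL_DIR]: compare the global key-type (if any)
# against each lineage's key_type. Prints one line per lineage and returns 1
# when at least one lineage would be renewed with the wrong key type.
check_key_types() {
  _cli_ini=${1:-/etc/letsencrypt/cli.ini}
  _renewal_dir=${2:-/etc/letsencrypt/renewal}
  _global=$(ini_value "$_cli_ini" key-type)
  _status=0

  for _conf in "$_renewal_dir"/*.conf; do
    [ -f "$_conf" ] || continue            # no lineages at all: nothing to check
    _lineage=$(basename "$_conf" .conf)
    _per=$(ini_value "$_conf" key_type)
    if [ -n "$_global" ] && [ -n "$_per" ] && [ "$_global" != "$_per" ]; then
      echo "CONFLICT: $_lineage renews as $_per but cli.ini forces key-type $_global"
      _status=1
    else
      echo "ok: $_lineage key_type=${_per:-default}"
    fi
  done
  return $_status
}

# When saved as check_key_types.sh (assumed file name) and run directly, check
# the real certbot tree; paths can be overridden on the command line.
if [ "${0##*/}" = "check_key_types.sh" ]; then
  check_key_types "$@"
fi
```

Run it after issuing both lineages and again before trusting automated renewal; a CONFLICT line means the mail.example.com-rsa or mail.example.com-ecdsa lineage would come back with the other key type and Postfix's smtpd_tls_chain_files would end up pointing at two chains of the same type.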