In this tutorial, you will learn how to install an SSL/TLS certificate on Postfix, the popular Linux mail transfer agent.
We also recorded a video that walks you through the entire process. Watch it below, or keep reading for the text version.
Generate a CSR code on Postfix
If you have already generated your CSR code and only need the installation steps, skip ahead to Install an SSL Certificate on Postfix.
To obtain an SSL certificate from a trusted CA (Certificate Authority), you must submit a CSR (Certificate Signing Request). A CSR is a block of encoded text that contains your contact and organization details. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR in Postfix.
During the order process with your SSL vendor, open the CSR file in any plain-text editor and copy-paste the entire block, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, into the corresponding box. Once the CA validates your request and issues the certificate, continue with the installation below.
Install an SSL certificate on Postfix
After the CA validates your request and sends the certificate files to your inbox, you can begin the installation.
Step 1: Prepare your SSL files
Postfix uses SSL/TLS certificates in X.509 format. A correct installation needs three files:
- Your private key, generated together with the CSR on your server (for example privkey.key).
- Your primary SSL certificate, the file inside the ZIP archive the CA emailed you. In this guide we’ll refer to it as server.crt.
- The intermediate certificate(s), the CA bundle from the same ZIP archive. We’ll refer to it as intermediate.pem.
You can keep all three files in a single directory, for example /etc/postfix/. Make sure the private key is readable only by root:
sudo chmod 600 /etc/postfix/privkey.key
Step 2: Build the certificate chain
How you assemble the files depends on your Postfix version. Check it first:
postconf mail_version
Recommended (Postfix 3.4 and newer)
Create one chain file that contains the private key, the server certificate, and the intermediate(s), in exactly this order:
cat /path/to/privkey.key /path/to/server.crt /path/to/intermediate.pem > /etc/postfix/rsachain.pem
This modern method avoids certificate-rollover issues and works cleanly with Postfix’s smtpd_tls_chain_files directive. Protect the chain file the same way as the key, since it contains your private key:
sudo chmod 600 /etc/postfix/rsachain.pem
Alternative (all Postfix versions)
If you run a Postfix version older than 3.4, keep the key separate and combine only the server certificate with the intermediate(s):
cat /path/to/server.crt /path/to/intermediate.pem > /etc/postfix/server.pem
You’ll reference this bundle and the private key separately in the configuration below.
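Before pointing Postfix at the chain file, it is worth linting its block order, since a key in the wrong position or a pasted CSR is the most common reason the chain fails to load (the same ordering rule is repeated in the FAQ). The script below is an added example, not part of the tutorial; the PEM bodies in its sample are constructed placeholders.

```python
"""Lint a Postfix chain file before pointing smtpd_tls_chain_files at it.
Added example, not from the tutorial: it checks the PEM block order the tutorial
requires (key, then leaf, then intermediates) and common paste mistakes. It does not
verify signatures; use `openssl verify -untrusted intermediate.pem server.crt` for that."""
import re
import sys

# Labels OpenSSL writes for unencrypted keys (PKCS#8 and the older "traditional" forms).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n.*?-----END (?P=label)-----", re.DOTALL
)

# Constructed sample; real files carry base64 DER where the placeholders are.
SAMPLE_GOOD = "\n".join([
    "-----BEGIN PRIVATE KEY-----", "MIIE...key...", "-----END PRIVATE KEY-----",
    "-----BEGIN CERTIFICATE-----", "MIID...leaf...", "-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----", "MIID...intermediate...", "-----END CERTIFICATE-----",
]) + "\n"

def pem_labels(text):
    """Return the BEGIN label of every PEM block, in file order."""
    return [m.group("label") for m in PEM_BLOCK.finditer(text)]

def lint_chain(text):
    """Return a list of problems; an empty list means the bundle has the expected shape."""
    labels = pem_labels(text)
    if not labels:
        return ["no PEM blocks found (is this the right file?)"]
    problems = []
    keys = [lab for lab in labels if lab in KEY_LABELS or lab == "ENCRYPTED PRIVATE KEY"]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    elif labels[0] not in keys:
        problems.append("the private key must come first, then the leaf, then the intermediates")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("the key is passphrase-protected; Postfix needs an unencrypted key")
    if "CERTIFICATE REQUEST" in labels:
        problems.append("a CSR was pasted in; the bundle needs the issued certificate, not the request")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found; the leaf and intermediates are missing")
    return problems

if __name__ == "__main__":  # usage: script.py /etc/postfix/rsachain.pem; no argument = sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GOOD
    issues = lint_chain(text)
    print("\n".join(issues) if issues else "OK: key, leaf, intermediates in the expected order")
    sys.exit(1 if issues else 0)
```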
Step 3: Configure Postfix
Open the main configuration file /etc/postfix/main.cf and choose the style that matches your setup.
Option A: Postfix 3.4 or newer (recommended). Point Postfix at the single chain file you built:
smtpd_tls_chain_files = /etc/postfix/rsachain.pem
smtpd_tls_security_level = may
Option B: legacy (Postfix older than 3.4). Reference the certificate bundle and key separately:
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = /etc/postfix/privkey.key
smtpd_tls_security_level = may
A few notes on these directives:
- smtpd_tls_security_level = may enables opportunistic TLS for inbound mail on port 25. This is the correct setting for a public MX server: it advertises STARTTLS to senders that support it, while still accepting plain connections from those that don’t. Do not set it to encrypt on a public MX, as that would reject legitimate mail from plain-only senders. (The old smtpd_use_tls = yes switch is deprecated; smtpd_tls_security_level replaces it.)
- Use a full-chain certificate (your certificate plus the intermediates), whether you deliver it via smtpd_tls_chain_files (Option A) or smtpd_tls_cert_file (Option B). Serving only the leaf certificate causes chain-validation failures on the receiving end.
- Modern Postfix already disables SSLv2, SSLv3, and weak ciphers by default, so you don’t need extra exclusion lists for inbound port-25 traffic.
Secure the submission service (port 587)
When your own users send mail through Postfix (via Outlook, Thunderbird, Apple Mail, and so on), they connect on the submission port 587, not port 25, which is reserved for server-to-server delivery. Because only your authenticated users use this port, you can safely enforce stricter rules: require TLS and set a minimum protocol of TLS 1.2.
Open /etc/postfix/master.cf, make sure the submission service is enabled, and add the overrides below:
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_mandatory_protocols=>=TLSv1.2
A couple of details that trip people up:
- smtpd_tls_mandatory_protocols only takes effect when the security level is encrypt (mandatory TLS), which is exactly the case here on port 587. For opportunistic TLS on port 25 (security level may), the equivalent knob would be smtpd_tls_protocols instead, but on a public MX you generally leave that at Postfix’s defaults so you don’t turn away older senders.
- The compact >=TLSv1.2 syntax requires Postfix 3.6 or newer and must have no space between >= and the version. On Postfix 3.4 or 3.5, use the exclusion form instead: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1.
- In master.cf, there is no space around the = in an -o override (for example -o smtpd_tls_security_level=encrypt), whereas in main.cf you write key = value with spaces.
Optional: implicit TLS on port 465. Many modern clients prefer port 465 (SMTPS / “submissions”), which wraps the whole session in TLS from the start. RFC 8314 endorses it alongside 587. To offer it, enable the smtps service in master.cf with wrapper mode:
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
Step 4: Reload Postfix
Before reloading, it’s good practice to check the configuration for syntax mistakes:
sudo postfix check
If that returns nothing, apply the changes. A reload re-reads the configuration without interrupting active connections:
sudo systemctl reload postfix
On systems without systemd, the equivalent command is:
sudo postfix reload
Step 5: Verify the certificate
Confirm that Postfix is serving the correct certificate and chain with OpenSSL. Replace yourdomain.com with your mail server’s hostname:
openssl s_client -starttls smtp -connect yourdomain.com:25 -servername yourdomain.com </dev/null \
| openssl x509 -noout -issuer -subject -dates
The output should show your server certificate’s subject, its issuer (the CA), and the validity dates. To test the submission service instead, change the port to 587 (it also uses STARTTLS) or, for the implicit-TLS port 465, drop -starttls smtp and connect to port 465 directly. Congratulations, you’ve successfully installed an SSL certificate on Postfix.
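The same check as the openssl command above, written in Python so it can be scripted for ports 25, 587 and 465 and can flag a SAN mismatch or a certificate close to expiry. This is an added example, not from the tutorial; SAMPLE_CERT is a constructed stand-in for what getpeercert() returns from a live server.

```python
"""Read the certificate Postfix presents (what Step 5 does with openssl s_client) and
report subject, issuer, SAN match and days to expiry. Added example, not from the
tutorial: starttls_cert() needs a live server; cert_report() runs offline."""
import smtplib, ssl, sys
from datetime import datetime, timezone

SAMPLE_CERT = {  # constructed sample in ssl getpeercert() shape, for offline runs
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.net")),
    "notAfter": "Mar  1 00:00:00 2026 GMT",
}

def starttls_cert(host, port=25, implicit_tls=False, timeout=10):
    """Fetch the peer cert: implicit_tls=True for port 465 (smtps), else STARTTLS (25/587)."""
    ctx = ssl.create_default_context()  # validates chain and hostname like a real client
    if implicit_tls:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            return s.sock.getpeercert()
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.starttls(context=ctx)
        return s.sock.getpeercert()

def cert_time(s):  # getpeercert() dates look like 'Mar  1 00:00:00 2026 GMT'
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), timezone.utc)

def dns_match(pattern, hostname):  # exact name, or a wildcard covering one leftmost label
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname

def cert_report(cert, hostname, now=None):
    """Summarise a getpeercert() dict; 'now' is a cert-style time string so tests are stable."""
    now_dt = cert_time(now) if now else datetime.now(timezone.utc)
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "subject": dict(rdn[0] for rdn in cert["subject"]).get("commonName"),
        "issuer": dict(rdn[0] for rdn in cert["issuer"]).get("organizationName"),
        "san_match": any(dns_match(p, hostname) for p in sans),
        "days_left": (cert_time(cert["notAfter"]) - now_dt).days,
    }

if __name__ == "__main__":  # usage: script.py mail.example.com[:587]; no argument = offline sample
    if len(sys.argv) > 1:
        host, _, port = sys.argv[1].partition(":")
        print(cert_report(starttls_cert(host, int(port or 25), port == "465"), host))
    else:
        print(cert_report(SAMPLE_CERT, "mail.example.com", "Jan  1 00:00:00 2026 GMT"))
```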
Test your SSL installation
After installing the certificate, it’s wise to scan your configuration for errors or vulnerabilities. Our SSL Checker gives you instant reports on every aspect of your certificate and its setup, so you can confirm the chain is complete and the protocols are configured correctly.
Where to buy the best SSL certificate for Postfix?
You’ve reached the right place. At SSL Dragon, we offer one of the widest ranges of SSL products at some of the lowest prices on the market, and all our certificates are compatible with the Postfix mail transfer agent.
Not sure which certificate to choose? Our SSL Wizard makes it quick and easy to find the right product for your mail server.
Frequently Asked Questions
TLS is configured in /etc/postfix/main.cf. On Postfix 3.4 and newer, the recommended directive is smtpd_tls_chain_files, which points to a single PEM file holding the private key, server certificate, and intermediates. On older versions, you instead set smtpd_tls_cert_file (a full-chain certificate) and smtpd_tls_key_file (the private key) separately. Per-service overrides for ports 587 and 465 live in /etc/postfix/master.cf.
For smtpd_tls_chain_files, the order is private key first, then the server (leaf) certificate, then the intermediate certificate(s):
cat privkey.key server.crt intermediate.pem > /etc/postfix/rsachain.pem
If the order is wrong, Postfix will fail to load the chain. Do not include the root CA certificate; clients already trust it.
Use may (opportunistic TLS) for inbound mail on port 25. A public MX must accept mail from senders that don’t support TLS, and encrypt would reject them, causing lost email. Reserve encrypt (mandatory TLS) for the authenticated submission service on port 587, where only your own users connect.
A reload is enough for certificate and TLS changes; run sudo systemctl reload postfix (or sudo postfix reload). Reloading re-reads the configuration without dropping active connections. Run sudo postfix check first to catch syntax errors before they take effect.
Connect with OpenSSL and read the certificate Postfix presents over STARTTLS:
openssl s_client -starttls smtp -connect yourdomain.com:25 -servername yourdomain.com </dev/null \
| openssl x509 -noout -issuer -subject -dates
This prints the certificate’s subject, issuer, and validity dates. You can also run a full scan with our SSL tools to confirm the chain is complete.
Bottom line
Installing an SSL certificate on Postfix comes down to assembling a full-chain PEM file, pointing main.cf at it with smtpd_tls_chain_files (or the legacy smtpd_tls_cert_file / smtpd_tls_key_file pair), setting smtpd_tls_security_level = may for inbound mail, hardening the submission service on port 587, checking the config with sudo postfix check, and reloading Postfix.
Need a certificate first? Browse our SSL certificates.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10