
Securing this with SSL

Time to apply some proper certificates via good ol' StartSSL. After validating the domain via email, I need an SSL/TLS certificate. I generate my own signing request:

# cd /etc/ssl/
# openssl req -new -newkey rsa:2048 -nodes -keyout outofadjectives.org.key -out outofadjectives.org.csr

Just copy/paste the CSR, finish up the StartSSL wizard, and copy/paste the resulting certificate into a .crt file. It corresponds to the previously generated .key.

The nginx instructions are the most straightforward. The unified certificate format makes configuration for everything else simpler since there are no chain files to deal with. The password step might not be necessary, depending on whether you used a password with the CSR.

To use the certificate in Dovecot, edit /etc/dovecot/conf.d/10-ssl.conf so ssl_cert points at the unified certificate file and ssl_key points at the .key file. Then restart the service.

For Postfix, edit /etc/postfix/main.cf so that smtpd_tls_cert_file and smtp_tls_cert_file both point at the unified certificate file and smtpd_tls_key_file and smtp_tls_key_file both point at the .key file. The “smtp_” settings may not exist by default. Again, restart the service.
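
Before restarting the services, it helps to confirm that the certificate file really pairs with the .key and that the server certificate is the first entry in the unified file. The script below is an added example, not part of the original post; its function names and the throwaway example.test material in the demo are constructed for illustration, and it assumes the unified file holds the server certificate followed by the CA's intermediate.

```sh
#!/bin/sh
# Added example, not from the original post: checks to run on a
# certificate/key pair before restarting nginx, Dovecot or Postfix.

# True if the FIRST certificate in file $1 holds the public key of the
# private key $2. openssl x509 reads only the first PEM block, so on a
# unified file this also shows the server certificate comes first.
leaf_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True if group and others have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Number of PEM certificates in a file (assumption: a unified file holds
# the server certificate followed by the CA's intermediate, so 2 or more).
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

check_pair() {
    leaf_matches_key "$1" "$2" ||
        { echo "FAIL: first certificate in $1 does not match $2"; return 1; }
    key_is_private "$2" ||
        { echo "FAIL: $2 is accessible to group or others"; return 1; }
    echo "OK: $1 holds $(cert_count "$1") certificate(s), first one matches $2"
}

# Demo on constructed throwaway material: a self-signed example.test
# certificate, its key, and an unrelated key that must be rejected.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/a.key" -out "$d/a.crt" 2>/dev/null
    openssl genrsa -out "$d/b.key" 2048 2>/dev/null
    chmod 600 "$d/a.key" "$d/b.key"
    check_pair "$d/a.crt" "$d/a.key"
    check_pair "$d/a.crt" "$d/b.key"
    rm -rf "$d"
}

# Usage: sh check.sh CERT KEY   or   sh check.sh demo
if [ "${1:-}" = "demo" ]; then demo
elif [ "$#" -eq 2 ]; then check_pair "$1" "$2"
fi
```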