simonh.uk - mail

Fastmail Business Email Review 2025

2025-01-06T00:00:00+00:00

Hello again, Fastmail

I had a free, personal Fastmail account before everyone lost their minds that googlemail is coming out!!! back in about about 2004(ish). I seem to remember using it quite happily until the gmail thing. At that time Google could do no wrong and I went with the horde and got my very own googlemail account and left stupid Fastmail behind. What had I been thinking?!

Fast Forward to 2017

I’d just started my own business and needed a professional email account. Now, I honestly can’t remember my reasoning, but I signed up for G Suite, now Google Workspace. It did the job acceptably, but at some point between 2017 and 2022, I became uncomfortable with using it.¹ I next tried Rackspace business email for a few months as it seemed to get recommended quite often, but I didn’t really get along with that either. I then decided to give Fastmail a go (again). One of the reasons was that Fastmail is entirely focused on email² and has been since 1999. The old do one thing and do it well adage has always resonated with me.

Rather than listen to me waffle on, you can read about what they offer for business on their Fastmail for Business page.

(Try to) Ignore the Silly Marketing

If today, you go to the Fastmail Product Tour page, you will see five photos of incredibly happy Fastmail customers (I assume). Here is the happiest lady of the bunch:

She can’t believe that she’s only just discovered Fastmail. Happiest day of her life, clearly!

Man, I hate that stock photo, everybody smiling nonsense. Fastmail: have a rethink on your marketing people / strategy. Your potential customers are not five years old!

We don’t even know if she’s on the Fastmail app. She might be watching cat videos!

Rackspace’s photo is far better. Definitely reading a business email and not watching silly videos:

Anyway…

I’ve been using Fastmail business for nearly a year and a half. It works very well, both through the web interface and their Android app (don’t use istuff so no comments about that). One thing that I think sets them apart from their competition is their excellent help. They’ve even given it it’s own domain: fastmail.help.

Functionality wise, you’ll get all the email features everyone expect nowadays, with the one possible exception of the ability to edit office files. One could argue that is not the job of an email client, and one would have a point. Still, if you need that, you’ll be disappointed.

I should point out a couple of problems I’ve experienced. First, on all my other email accounts (I have a lot), notifications on my Android phone come through normally. For some reason, Fastmail notifies me about emails I’ve already read or deleted on my desktop. It’s not a showstopper, but it’s a bit weird. I suppose I should open a ticket. The only other odd thing I’ve come across is (and this has only happened a few times), sometimes the web interface hangs on loading. I don’t recall seeing a message, just the loading page icon, similar to this:

But, as I said, it only happens once in a while, very rare, so please don’t let that put you off. I’m just mentioning it as I’ve seen it.

What’s Good?

Does everything an email client needs to do
Includes contacts, file storage, notes, calendar
Integrates with other services / platforms³
Excellent help system
It is fast, as advertised

What’s Not Good?

Weird sync issues on Android phone
No support for viewing / editing office files

Conclusion

If you’re looking to create a new business email account, or to migrate from another provider, I think you’ll be happy with Fastmail. They’ve been doing email for twenty five years and it shows.

Footnotes

¹ Oh yes, they dropped their famous motto, that could have been it!

² Fastmail are the primary maintainer of Cyrus IMAP.

³ I only use the Dropbox integration. Works well.

Using OpenSMTPD as a Personal Relay

2022-06-26T00:00:00+01:00

So, you’ve got at least one server and you’ve installed and configured opensmtpd so you can send emails. But, you’re still using a third party email provider from your home computer. That didn’t seem right to me, so I’ve eventually figured out how to use one of my servers to route mail from home (or laptop) to its destination.

Benefits

1. Using what you already have. You’ve got an email server. Might as well use it as a relay!
2. Speed. Routing mail through your own server will be far quicker than using someone elses.

Below should be self explanatory. You need to edit four files, two on your server, two on your local machine.

Swap out example.com for your server domain, obviously.

###########################
#  Server: /etc/smtpd.conf
###########################

# $OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

pki example.com key "/etc/letsencrypt/live/example.com/privkey.pem"
pki example.com cert "/etc/letsencrypt/live/example.com/fullchain.pem"

# Filters taken from prefetch.eu
filter   "rdns" phase connect match   !rdns disconnect "550 DNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*',
'.*\.dsl\..*' } \ disconnect "550 no residential connections"

action "local" maildir alias <aliases>
action "relay" relay

listen on localhost
listen on eth0 tls pki example.com \
filter { "rdns", "fcrdns", "check_dyndns" } \

listen on eth0 port 465 smtps pki example.com auth <secrets>
listen on eth0 port 587 tls-require pki example.com auth <secrets>

match for local action "local"
match from local for any action "relay"
match from any for domain "example.com" action "local"

match from auth for any action "relay"

############################
# Server: /etc/mail/secrets
############################

simon@server:~$ cat /etc/mail/secrets 
home@example.com <password hash created using 'smtpctl encrypt' command>

#########################
# Local: /etc/smtpd.conf
#########################

# $OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

listen on localhost

action "local" maildir alias <aliases>

action "simonh" relay host smtp+tls://simonh@example.com:587 \
auth <secrets> mail-from "home@example.com"

match for local action "local"
match for any action "simonh"

###########################
# Local: /etc/mail/secrets
###########################

root@computer:/etc# cat mail/secrets 
simonh home@example.com:plain_password_here

The key things to pay attention to are (on the server):

table secrets file:/etc/mail/secrets

listen on eth0 port 587 tls-require pki example.com auth <secrets>

match from auth for any action "relay"

And on your local machine:

action "simonh" relay host smtp+tls://simonh@example.com:587 \

match for any action "simonh"

/etc/mail/secrets

simonh home@example.com:plain_password_here

The password needs to be plain text as it is sent over TLS to be checked by the remote mail server.

From what I can gather, the simonh label in /etc/mail/secrets will send the username and password matching that label from your secrets file to the action block. That had me stumped for a while…

As a side note, you can avoid the auth stuff entirely if you’ve got a static ip address. This is what I’d been using for the last few weeks until I got the authenticated method sorted out:

match from src your.home.ip.address for any action "relay"

Using Alpine Email Client For Applying Patches

2021-12-17T00:00:00+00:00

Alpine Mail Client

Lately, I’ve been using Alpine for emails on my servers. It’s a great command line, curses based, mail client. This post is a quick howto for using Alpine for patching Python (or any) code on a production server.

Let’s get started…

# apt install alpine

I like to alias alpine to pine in my .bashrc

The default screen when you launch Alpine is this:

Like many people, I prefer to see my inbox when I open my mail client. This is easily achieved by typing S C from the main menu. Then, page down until you see “Initial Keystroke List”

Type C to change the value to i for inbox then e to exit setup and y to confirm this change. From now on, when you type pine or alpine you’ll be straight in your inbox. If you want to go the menu, it’s simply an m keystroke away.

Here is my inbox:

As you can see, I’ve mailed myself 4 patches from my home computer which I’ll be applying on the production server.

Highlight message 6, and then type the pipe character |. Alpine now wants a command which you can see near the bottom.

Press Enter and see what happens.

As you can see, Patch has not been able to apply the patch as I have a deliberate error. I was not in the correct directory where the code is. So what I do is make sure I’m in the correct directory before I launch Alpine. Once you’ve done that, all should be good. I’d advise you to use the --dry-run option to patch to check for errors, before actually applying the patch or patch series!

Mercurial Patchbomb

For the above to work, you need to enable the Patchbomb extension. It’s included with Mercurial so you just need to enable it. In your ~/.hgrc add the extension as below:

[extensions]
# uncomment these lines to enable some popular extensions
# (see 'hg help extensions' for more info)
#
patchbomb =

And finally, in your Mercurial repository .hg/hgrc add the following. This will send your patches silently to your server. If you don’t do this, you’ll have to specify a recipient and whether you want to CC anyone.

simon@computer:~/code/project$ cat .hg/hgrc
[email]
to = you@server.com
cc =

So now, you can simply run

simon@computer:~/code/project$ hg email -r tip

Patchbomb will inform you what it’s sending:

simon@computer:~/code/project$ hg email -r tip
this patch series consists of 1 patches.


sending [PATCH] revert tacit css to unmodified version ...
simon@computer:~/code/project$

If you want or need to send multiple patches, you can do that like so:

simon@computer:~/code/project$ hg email -r 130:-r tip

You’ll be given the opportunity to provide some details for the patch series which appear in [Patch 0 of 7]

And it’s as simple as that!

Get DKIM Working with OpenSMTPD

2021-06-23T00:00:00+01:00

As of Debian 12, dkim support for OpenSMTPD is included in Debian:

simon@server:~ [ssh] $ cat /etc/debian_version 
12.8
simon@server:~ [ssh] $ apt show opensmtpd-filter-dkimsign
Package: opensmtpd-filter-dkimsign
Version: 0.5-2
Priority: optional
Section: mail
Maintainer: Ryan Kavanagh <rak@debian.org>
Installed-Size: 63.5 kB
Depends: adduser, libc6 (>= 2.34), libopensmtpd0 (>= 0.7), libssl3 (>= 3.0.0)
Suggests: openssl
Homepage: http://imperialat.at/dev/filter-dkimsign/
Download-Size: 18.2 kB
APT-Sources: http://deb.debian.org/debian bookworm/main amd64 Packages
Description: opensmtpd filter that signs email with a dkim signature
 This OpenSMTPD filter signs emails with a DKIM signature. It supports
 the rsa and ed25519 signing algorithms.

There’s no man page but instructions are available here. Note that this is the same link as the credit to Ryan @ Debian below.

So, you should be able to go straight to Create Group and User on this page. I’ve added this update as this post gets quite a few views. Original post continues below.

I love opensmtpd. But as I’ve never set up a mail server before, some things are hard. DKIM was one of them. Below is what I now use on four servers and all work perfectly:

Credits

Ryan Kavanagh @ Debian

Martijn van Duren @ OpenBSD

README

This is a guide to using filter-dkimsign on Debian 10. It took a bit of effort to get it working and the following is as much for my reference as anyone else’s.

This is for an outgoing only mail server

Install the requirements

root@server:/home/simon/src# apt install libevent-dev libssl-dev mandoc

Grab the files from here:

root@server:/home/simon/src# wget https://simonh.uk/files/src/libopensmtpd-0.7.tar.gz
bc. root@server:/home/simon/src# wget https://simonh.uk/files/src/filter-dkimsign-0.5.tar.gz

Extract both packages using tar xvf <each_file>

cd into libopensmtpd first and run

root@server:/home/simon/src/libopensmtpd-0.7# make -f Makefile.gnu

You should get no errors.

root@server:/home/simon/src/libopensmtpd-0.7# make -f Makefile.gnu install

Now, cd into ../filter-dkimsign-0.5 and run the two make commands as above.

Create Group and User

Next, we’ll create the group and user _dkimsign

root@server:~# addgroup _dkimsign --force-badname 
Allowing use of questionable username.
Adding group `_dkimsign' (GID 1001) ...
Done.

Now add the _dkimsign user to that group

root@server:~# useradd _dkimsign -g _dkimsign

Create the directory to save your private key with the correct permissions:

root@server:~# install -d -m 770 -o _dkimsign -g _dkimsign /etc/mail/dkim

Log out as the root user with exit and run:

simon@server:~/src [ssh] $ sudo -u _dkimsign openssl genrsa -out /etc/mail/dkim/private.rsa.key 1024

That has generated and saved our private key. Run below to get the public key that we’ll save in our DNS records:

simon@server:~/src [ssh] $ sudo openssl rsa -in /etc/mail/dkim/private.rsa.key -pubout |     sed '1s/.*/v=DKIM1;p=/;:nl;${s/-----.*//;q;};N;s/\n//g;b nl;'
writing RSA key
v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoaV4xJ1D4AeJ6XWU9ilt83yUnRUthPMh2R7qeMZEEHKQ+sWFiiiM5z4kpxwTsQNIvzMO2h8seh9XJIAPzVER8ac9AeCueXIAg/MwHWoZvIrBYJSeFmq6sgCacgKwayI9xp7QcqWmYGXiaBQnI21/SieA4GZsk/UTOiko7UFlE6wIDAQAB

Copy the long line beneath “writing RSA key”, like so:

v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoaV4xJ1D4AeJ6XWU9ilt83yUnRUthPMh2R7qeMZEEHKQ+sWFiiiM5z4kpxwTsQNIvzMO2h8seh9XJIAPzVER8ac9AeCueXIAg/MwHWoZvIrBYJSeFmq6sgCacgKwayI9xp7QcqWmYGXiaBQnI21/SieA4GZsk/UTOiko7UFlE6wIDAQAB

You need to save that in your DNS record section at you domain registrar as a TXT record.

Following (seemingly) popular advice, I use today’s date 20210622._domainkey. The part before the . (dot) is called the selector. We’ll come back to that in a minute.

Next, we’ll add the filter to our /etc/smtpd.conf making sure to replace -d yourdomain.com and -s 20210622 with your domain and your selector!



filter dkimsign proc-exec "filter-dkimsign -d yourdomain.com -s 20210622 -k /etc/mail/dkim/private.rsa.key" user _dkimsign group _dkimsign

listen on socket filter "dkimsign"
listen on localhost filter "dkimsign"

Do a quick check that we have no syntax errors:

root@server:/home/simon/src# smtpd -n
configuration OK

Nearly there now! We’ll restart and check that opensmtpd has no errors:

root@server:/home/simon/src# systemctl restart opensmtpd
root@server:/home/simon/src# systemctl status opensmtpd
● opensmtpd.service - OpenSMTPD SMTP server
   Loaded: loaded (/lib/systemd/system/opensmtpd.service; enabled; vendor preset
   Active: active (running) since Wed 2021-06-23 15:11:43 BST; 5s ago
     Docs: man:smtpd(8)
  Process: 10351 ExecStart=/usr/sbin/smtpd (code=exited, status=0/SUCCESS)
 Main PID: 10352 (smtpd)
    Tasks: 9 (limit: 1148)
   Memory: 10.0M
   CGroup: /system.slice/opensmtpd.service
           ├─10352 /usr/sbin/smtpd
           ├─10353 smtpd: klondike
           ├─10354 smtpd: control
           ├─10355 smtpd: lookup
           ├─10356 smtpd: pony express
           ├─10357 smtpd: queue
           ├─10358 smtpd: scheduler
           ├─10359 /usr/sbin/smtpd
           └─10361 /usr/libexec/opensmtpd/filter-dkimsign -d yourdomain.com -s 20210622 

Jun 23 15:11:43 server systemd[1]: Starting OpenSMTPD SMTP server...
Jun 23 15:11:43 server smtpd[10351]: info: OpenSMTPD 6.6.4p1 starting
Jun 23 15:11:43 server systemd[1]: Started OpenSMTPD SMTP server.

You can see in the last line, that filter-dkimsign is running

Finally, we’ll send an email to a gmail account and check that DKIM is a “PASS”

root@server:/home/simon# echo uptime | mail somebody@gmail.com

Check your gmail account by clicking on the three dots next to reply and click “Show original”. If all went well, you’ll see DKIM at the bottom and “PASS with domain” next to it:

Following these instructions, you should be DKIM friendly in about ten or fifteen minutes!

Any issues feel free to send me an email, or sign up for the opensmtpd mailing list here (subscribe to the misc one).

Updates

2025-01-05: Mention that dkim is now included in Debian 12.

Get an Email When Your Server Needs Updating

2021-05-01T00:00:00+01:00

I’ve got four servers right now, and was wondering if someone had written a program to email the system adminstrator if there are any updates needed. Yep: apticron

Obviously, you need to be using Debian, or a derivative.

$ sudo -s
# apt install apticron
# cp /usr/lib/apticron/apticron.conf /etc/apticron
# vim /etc/apticron/apticron.conf

And then add your email as below, found near the top of the file:

EMAIL=“you@yourdomain.com”

From now on, you’ll get an email whenever apticron finds updates that you haven’t yet installed. Below is the email that I got for one of my machines (my details hidden):

Subject: 2 Debian package update(s) for yourdomain.com

apticron report [Fri, 30 Apr 2021 17:42:05 +0100]
========================================================================

apticron has detected that some packages need upgrading on:

	yourdomain.com
	[ your server ip address ]

The following packages are currently pending an upgrade:

	linux-image-4.19.0-16-cloud-amd64 4.19.181-1
	linux-image-cloud-amd64 4.19+105+deb10u11

========================================================================

Package Details:

apt-listchanges: Reading changelogs...
apt-listchanges: Changelogs
---------------------------

--- Changes for linux-latest (linux-image-cloud-amd64) ---
linux-latest (105+deb10u11) buster; urgency=medium

  * Update to 4.19.0-16

 -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 19 Mar 2021 22:38:58 +0100

linux-latest (105+deb10u10) buster; urgency=medium

  * Update to 4.19.0-15

 -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 06 Mar 2021 08:37:46 +0100

linux-latest (105+deb10u9) buster-security; urgency=high

  * Update to 4.19.0-14

 -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 30 Jan 2021 08:43:43 +0100

linux-latest (105+deb10u8) buster; urgency=medium

  * Update to 4.19.0-13

 -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 27 Nov 2020 19:01:04 +0100

linux-latest (105+deb10u7) buster-security; urgency=high

  * Update to 4.19.0-12

 -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 18 Oct 2020 14:43:57 +0200

linux-latest (105+deb10u6) buster; urgency=medium

  * Update to 4.19.0-11

 -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 18 Sep 2020 20:48:30 +0200

linux-latest (105+deb10u5) buster; urgency=medium

  * Update to 4.19.0-10

 -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 09 Jul 2020 21:58:28 +0200

linux-latest (105+deb10u4) buster; urgency=medium

  * Update to 4.19.0-9

 -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 29 Apr 2020 16:16:38 +0200

linux-latest (105+deb10u3) buster; urgency=medium

  * Update to 4.19.0-8

 -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 31 Jan 2020 06:24:52 +0100

linux-latest (105+deb10u2) buster; urgency=medium

  * Update to 4.19.0-7

 -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 29 Dec 2019 22:39:49 +0100

linux-latest (105+deb10u1) buster; urgency=medium

  * Update to 4.19.0-6

 -- Ben Hutchings <ben@decadent.org.uk>  Mon, 26 Aug 2019 02:16:02 +0100

========================================================================

You can perform the upgrade by issuing the command:

	apt-get dist-upgrade

as root on yourdomain.com

--
apticron

How awesome is that!

Mailutils - Tips and Tricks

2021-04-19T00:00:00+01:00

First things first: install mailutils and mailutils-doc

TBC…

From Inbox Zero to Ten Thousand Unsorted Emails

2021-04-18T00:00:00+01:00

Inbox Zero, Always.

I’ve been hitting inbox zero on all my mail accounts for about three years now. All incoming mail gets either:

Deleted
Put into a folder
Left in the inbox if action is required — and then put into a folder

The same rules goes when I work as an employee. I get everything set up and mail is processed as it comes in. Today, I decided to backup my main gmail account with a view to ditching it one day, and also because backups are good!

I now have an backup email account with ~10100 emails. All there as one big list. The plan being (until I automate it) to forward emails each day / week to my backup account.

That’s another task I was procrastinating about: done.

OpenSMTPD for Outgoing Mail Only

2021-04-16T00:00:00+01:00

Why?

You’ve got a server and sometimes you need to send outgoing emails. Like me, you may have messed around using someone elses SMTP server. Maybe, you’ve had a go at setting up Postfix or Exim?

It’s a lot of hard work, isn’t it?

Well, I couldn’t be arsed with all that, and eventually came across the awesome opensmtpd.

If you’re on Debian 10 (Buster), make sure you’ve enabled Debian Backports in your sources.list and run:

sudo apt-get install opensmtpd/buster-backports

You need to install from backports because the configuration syntax changed. The standard buster package will give you version 6.0.3, but we want at least 6.6

Run # smtpd -h to check:

root@server:/home/simon# smtpd -h
version: OpenSMTPD 6.6.4p1
usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]

Below is the defaut config file “/etc/smtpd.conf”

OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
table aliases file:/etc/aliases
# To accept external mail, replace with: listen on all
#
listen on localhost
action "local" maildir alias <aliases>
action "relay" relay
# Uncomment the following to accept external mail for domain "example.org"
#
# match from any for domain "example.org" action "local"
match for local action "local"
match from local for any action "relay"

For outgoing mail only, we don’t need to touch this at all!

DNS Records

We need to tell our domain registrar that we’re handling our mail now.

First, we’ll set an A record with the IP address of our server and a hostname of mail I threw in smtp as well.

Next we’ll set our MX records. The 10 in the screenshot below is the priority. I usually see this as 10 so that’s what I’ve been using.

Now we’ll set our SPF (Sender Policy Framework). As long as we’ve set our A and MX records, we can just put this as a TXT record:

v=spf1 a mx -all

If you want to know more, here is a good article on the topic: mailtrap blog

Reverse DNS

Cloudflare explanation of a PTR record

The Domain Name System, or DNS, correlates domain names with IP addresses. A DNS pointer record (PTR for short) provides the domain name associated with an IP address. A DNS PTR record is exactly the opposite of the ‘A’ record, which provides the IP address associated with a domain name.
DNS PTR records are used in reverse DNS lookups. When a user attempts to reach a domain name in their browser, a DNS lookup occurs, matching the domain name to the IP address. A reverse DNS lookup is the opposite of this process: it is a query that starts with the IP address and looks up the domain name.

So, lastly, you need to set the reverse DNS or PTR record for you IP on your VPS settings page.

You’ll (usually) find this in your IP settings. All you need to do is put set RDNS or reverse DNS to your hostname. For this site, that’d be

simonh.uk

Let’s check opensmtpd is running correctly:

simon@server:~ [ssh] $ systemctl status opensmtpd
● opensmtpd.service - OpenSMTPD SMTP server
   Loaded: loaded (/lib/systemd/system/opensmtpd.service; enabled; vendor preset
   Active: active (running) since Fri 2021-06-11 07:47:36 BST; 3 days ago
     Docs: man:smtpd(8)
  Process: 28100 ExecStart=/usr/sbin/smtpd (code=exited, status=0/SUCCESS)
 Main PID: 28101 (smtpd)
    Tasks: 7 (limit: 1166)
   Memory: 11.8M
   CGroup: /system.slice/opensmtpd.service
           ├─28101 /usr/sbin/smtpd
           ├─28102 smtpd: klondike
           ├─28103 smtpd: control
           ├─28104 smtpd: lookup
           ├─28105 smtpd: pony express
           ├─28106 smtpd: queue
           └─28107 smtpd: scheduler

Send a test email:

simon@server:~ [ssh] $ echo "hello!" | mail -s 'hi from server!' web@simonh.uk

And in my email client (Claws Mail):

So, all went well.

Closing Notes

Ideally, we’d also set up DKIM, which along with SPF helps to improve the chances of your emails not being labelled as spam. But in my case, it wasn’t worth the trouble (and I did have trouble).

As I’m only sending mail to accounts I control, I can also label them as “NOT SPAM” if they get the dreaded [SPAM] header.

PKI Encryption (Added 2021-06-15)

Assuming you’re using Apache 2.4 as your web server:

$ sudo apt install certbot python3-certbot-apache
$ sudo certbot certonly -d yourdomain.com --apache

and then in your /etc/smtpd.conf add the following lines

pki yourdomain.com key "/etc/letsencrypt/live/yourdomain.com/privkey.pem"
pki yourdomain.com cert "/etc/letsencrypt/live/yourdomain.com/fullchain.pem"

listen on eth0 port 25 tls pki yourdomain.com

Then run

root@server:/home/simon# smtpd -n
configuration OK

Finally, restart opensmtpd, and I always check that there are no errors:

root@server:/home/simon# systemctl restart opensmtpd
root@server:/home/simon# systemctl status opensmtpd
● opensmtpd.service - OpenSMTPD SMTP server
   Loaded: loaded (/lib/systemd/system/opensmtpd.service; enabled; vendor preset
   Active: active (running) since Fri 2021-06-11 07:47:36 BST; 4 days ago
     Docs: man:smtpd(8)
  Process: 28100 ExecStart=/usr/sbin/smtpd (code=exited, status=0/SUCCESS)
 Main PID: 28101 (smtpd)
    Tasks: 7 (limit: 1166)
   Memory: 11.8M
   CGroup: /system.slice/opensmtpd.service
           ├─28101 /usr/sbin/smtpd
           ├─28102 smtpd: klondike
           ├─28103 smtpd: control
           ├─28104 smtpd: lookup
           ├─28105 smtpd: pony express
           ├─28106 smtpd: queue
           └─28107 smtpd: scheduler

The final thing to do is to connect from another machine to the server and check the output.

simon@computer:~$ openssl s_client -starttls smtp -connect yourdomain.com:25
CONNECTED(00000003)                                                                                                                                                                                                                           
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1                                                                                                                                                                       
verify return:1                                                                                                                                                                                                                               
depth=1 C = US, O = Let's Encrypt, CN = R3                                                                                                                                                                                                    
verify return:1                                                                                                                                                                                                                               
depth=0 CN = yourdomain.com
verify return:1  
---                                                        
Certificate chain                                          
 0 s:CN = yourdomain.com                                        
   i:C = US, O = Let's Encrypt, CN = R3                    
 1 s:C = US, O = Let's Encrypt, CN = R3                    
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1                                                   
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1                                                   
   i:O = Digital Signature Trust Co., CN = DST Root CA X3                                                              
---                                                        
Server certificate                                         
-----BEGIN CERTIFICATE-----                                
MIIFEjCCA/qgAwIBAgISA4O0G2Qpj6nXyJYMVicL2zLVMA0GCSqGSIb3DQEBCwUA                                                       
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD                                                       
EwJSMzAeFw0yMTA2MTUxNjQ5NDFaFw0yMTA5MTMxNjQ5NDBaMBExDzANBgNVBAMT                                                       
BmIxeC51azCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN6YKF+LQTPz                                                       
2FxMeho/DG5XoapUTlOcTVSGJf/P9v1ZW6qiOKMDv7y9LRXTQ7RdJWp8fd+XN0HT                                                       
j/gUNh5iOt3n7KEEa5inl47o7eE/KSKUgvwRkHc4HNmPEgdqQ2QrbvGaOFGzDj07                                                       
dA68TNmHk1r3sy1NeJWipTp4qVjyuEVOLShWVBsLl/RL/Esg8XvbSAYwq8LBems/                                                       
K4LFrJ4mZ1IVJYZZ+O6oyyCApjlWVy8fxvFNkeZz9Y5nMp7KQuLwRus/jWj/zRiK                                                       
KKmtnA0tGm/QydJy2ozGcsyr8inWd+7A7SDpe3KiquznM2nj/3xlg2swKVzBx9zr                                                       
Ymh4ibCJdbsCAwEAAaOCAkEwggI9MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU                                                       
BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUj1Dv                                                       
xS3CzTjZ7bRHAf4oT/bsoqYwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsU                                                       
wsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5j                                                       
ci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8wEQYDVR0R                                                       
BAowCIIGYjF4LnVrMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEB                                                       
MCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYK                                                       
KwYBBAHWeQIEAgSB9QSB8gDwAHYARJRlLrDuzq/EQAfYqP4owNrmgr7YyzG1P9Mz                                                       
lrW2gagAAAF6EMsQnwAABAMARzBFAiEA0wta1rOTMW7dz8zoJKN8vnPOn9vkyePd                                                       
jZt7nzKLk9gCIGV0zwsC1slAZSI48jdTh/QqgWRvh3wBBER/uepFtyJCAHYAfT7y                                                       
+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAF6EMsRKwAABAMARzBFAiAZ                                                       
SrWghf/uJDEMLg0N9K699d/0RmTr3L8uGFYp/9IBtQIhAMfeqE72W59iwARaf7jG                                                       
TmIvVKSbR3Xlls0ZhpJ2TuPoMA0GCSqGSIb3DQEBCwUAA4IBAQArgYBB2rE/PC98                                                       
TMOP/oNFRngEH0e5vVpc75r1CFy8urTbrfIW4NB7xevGK9FNQ2n7mUGmrtN1Gcra                                                       
WcRld3lzbEb/6jjbFO+X2DtAr8Xbn/MzfSCztEAW9P9iTaCjhHbqAiCsU18n13xb                                                       
f9GNkQoU+VSNOXRK6+aMWY/DAkvd0+IJ7qiZwZWFHhFlpPNO35VLSHslD+P02Fsz                                                       
BfNw0XhShOM5rBsilqQE3axr6EjTMQknTqWAj3xU/VEQj1H1VK5GonUyJzDVo7/c                                                       
X9QgI9F5nItsYFAEZLtRsctS/w8TM0JapAlfxVilgu53r1p97q4yjO94GCCB6tgL                                                       
KitlxSDz                                                   
-----END CERTIFICATE-----                                  
subject=CN = yourdomain.com                                      

issuer=C = US, O = Let's Encrypt, CN = R3

That all looks good.