This is an expansive question. Lots of moving parts.
I had to research:
“pfsense cloudflare certificate dns api” - this allowed me to set up the cert process in pfsense
“haproxy reverse proxy pfsense” for a tutorial. HAPROXY is a thing on its own…
I’ll try to help you a bit… I might miss something, but this should get you moving with other cross-referencing…
You need a FQDN. Use cloudflare to manage your domains, it’s nice.
You’ll need a certificate for the email server itself, set it to auto renew. The iredmail tutorial on linuxbabe should do that.
Use the pfsense built-in cert manager and make a cert for the email server/vm, this will be applied below. THIS is a big process. The best way is to link a cloudflare account to pfsense using an API key. This creates a DNS challenge each time you want to make a cert, and it will save you time and energy in the future.
Use the HAPROXY package in pfsense to make a “reverse proxy” for port 443 to connect your FQDN to the email server. Apply the cert you made with cert manager to the “frontend”. You’ll have to make a proper backend, etc. Find that tutorial I mentioned at the beginning.
You should be able to reach your email server by its FQDN in a browser. If you can, proceed. If not, research, research, research.
You have to forward ports to the server proper from pfsense by selecting on the pfsense menu: Firewall > NAT.
Below are the ports to forward. Close up the ones you’re not using AFTER everything works.
If your ISP closed off port 25, you’ll need mailgun, that’s another tutorial…
| Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP | NAT Ports |
|---|---|---|---|---|---|---|---|
| WAN | TCP | * | * | * | 25 (SMTP) | your server ip | 25 (SMTP) |
| WAN | TCP | * | * | * | 110 (POP3) | your server ip | 110 (POP3) |
| WAN | TCP | * | * | * | 143 (IMAP) | your server ip | 143 (IMAP) |
| WAN | TCP | * | * | * | 465 (SMTP/S) | your server ip | 465 (SMTP/S) |
| WAN | TCP | * | * | * | 587 (SUBMISSION) | your server ip | 587 (SUBMISSION) |
| WAN | TCP | * | * | * | 993 (IMAP/S) | your server ip | 993 (IMAP/S) |
| WAN | TCP | * | * | * | 995 (POP3/S) | your server ip | 995 (POP3/S) |
I can answer a few rounds of questions IF you can get the heavy lifting done, like having your domains managed at cloudflare and connecting the API to pfsense. That’s probably the hardest part. The rest is patience, persistence, and plenty of time.
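The post says to close the forwards you are not using once everything works. The script below is an added example, written by the editor and not code from the post, pfSense or iRedMail: it parses a NAT table in the same markdown shape as the one above and, given the services you actually deploy, reports which forwards to keep, which to disable, and which ones carry logins in cleartext unless STARTTLS is enforced. The embedded table, the `192.0.2.10` address and the service names are constructed placeholders.

```python
"""Audit a pfSense-style NAT port-forward table for a mail server.

Added example, not from the original post. It parses a markdown table of
WAN port forwards and, given the services actually in use, decides which
forwards to keep or disable and flags cleartext-by-default ports.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the same rows as the post's table, with a placeholder IP.
NAT_TABLE = """\
| Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP | NAT Ports |
|---|---|---|---|---|---|---|---|
| WAN | TCP | * | * | * | 25 (SMTP) | 192.0.2.10 | 25 (SMTP) |
| WAN | TCP | * | * | * | 110 (POP3) | 192.0.2.10 | 110 (POP3) |
| WAN | TCP | * | * | * | 143 (IMAP) | 192.0.2.10 | 143 (IMAP) |
| WAN | TCP | * | * | * | 465 (SMTP/S) | 192.0.2.10 | 465 (SMTP/S) |
| WAN | TCP | * | * | * | 587 (SUBMISSION) | 192.0.2.10 | 587 (SUBMISSION) |
| WAN | TCP | * | * | * | 993 (IMAP/S) | 192.0.2.10 | 993 (IMAP/S) |
| WAN | TCP | * | * | * | 995 (POP3/S) | 192.0.2.10 | 995 (POP3/S) |
"""

PORT_RE = re.compile(r"(\d+)\s*\(([^)]*)\)")   # matches "587 (SUBMISSION)"

IMPLICIT_TLS = {465, 993, 995}      # TLS from the first byte
STARTTLS_PORTS = {110, 143, 587}    # cleartext unless STARTTLS is required before AUTH
MTA_PORT = 25                       # server-to-server delivery, no user credentials


@dataclass(frozen=True)
class ForwardRule:
    interface: str
    protocol: str
    dest_port: int
    service: str
    nat_ip: str
    nat_port: int


def parse_nat_table(text: str) -> list[ForwardRule]:
    """Turn the markdown rows into rules; header, separator and junk rows are skipped."""
    rules: list[ForwardRule] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 8 or not cells[5][:1].isdigit():
            continue
        m_dest, m_nat = PORT_RE.match(cells[5]), PORT_RE.match(cells[7])
        if not (m_dest and m_nat):
            continue
        rules.append(ForwardRule(cells[0], cells[1], int(m_dest.group(1)),
                                 m_dest.group(2).upper(), cells[6], int(m_nat.group(1))))
    return rules


def audit_forwards(rules: list[ForwardRule], services_in_use: set[str]) -> dict[int, tuple[str, str]]:
    """Map each external port to (action, reason) for the given set of deployed services."""
    wanted = {s.upper() for s in services_in_use}
    report: dict[int, tuple[str, str]] = {}
    for r in rules:
        if r.service not in wanted:
            report[r.dest_port] = ("disable", f"{r.service} is not in use; close the forward")
        elif r.dest_port != r.nat_port:
            report[r.dest_port] = ("review", f"external {r.dest_port} maps to internal {r.nat_port}")
        elif r.dest_port == MTA_PORT:
            report[r.dest_port] = ("keep", "inbound mail delivery; needed to receive mail")
        elif r.dest_port in IMPLICIT_TLS:
            report[r.dest_port] = ("keep", "implicit TLS; credentials never sent in the clear")
        elif r.dest_port in STARTTLS_PORTS:
            report[r.dest_port] = ("keep", "cleartext by default; require STARTTLS before AUTH on the server")
        else:
            report[r.dest_port] = ("review", "unclassified service")
    return report


def ports_to_keep(rules: list[ForwardRule], services_in_use: set[str]) -> list[int]:
    """Sorted list of external ports whose forward should stay open."""
    return sorted(p for p, (action, _) in audit_forwards(rules, services_in_use).items()
                  if action == "keep")


if __name__ == "__main__":
    # Example: only inbound SMTP, authenticated submission and IMAP over TLS are deployed.
    deployed = {"SMTP", "SUBMISSION", "IMAP/S"}
    for port, (action, reason) in sorted(audit_forwards(parse_nat_table(NAT_TABLE), deployed).items()):
        print(f"{port:>4}  {action:<8} {reason}")
```

Run it as-is to see the verdict for a server that offers only SMTP, submission and IMAPS; edit `deployed` to match what you actually enabled in iRedMail. The split between implicit-TLS and STARTTLS ports is there so you do not leave 110 or 143 open unless the server refuses AUTH before STARTTLS.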