Request a free cert from Let's Encrypt (for servers deployed with iRedMail Easy platform)

Attention

This tutorial is for servers deployed with the iRedMail Easy platform. If you are looking for the tutorial for servers deployed with the downloadable iRedMail installer, please check this one instead.

Attention

Check out the lightweight on-premises email archiving software developed by iRedMail team: Spider Email Archiver.

iRedMail generates a self-signed SSL certificate during installation. It is strongly recommended to replace it with a certificate issued by a trusted CA, otherwise mail clients and browsers warn about an untrusted certificate on every connection.

You can either request a free cert or buy one from an SSL cert vendor. This tutorial shows how to request a free cert for the host name mail.mydomain.com from Let's Encrypt, and the SSL related configuration in the relevant software running on the iRedMail server.

Let's Encrypt also supports wildcard host names, but that is not covered in this tutorial (wildcards require the DNS-01 challenge rather than the webroot method used below); please read its User Guide instead.

Before requesting a cert

Which host names should be supported in the SSL cert?

You must decide which host names the SSL cert has to cover:

  1. The full hostname of your mail server.

    The server hostname is usually what users enter as SMTP/IMAP/POP3 server address in mail client applications like Outlook and Thunderbird, and those clients verify that the name is in the cert.

    You can get the full hostname with the command hostname -f on Linux, or hostname on OpenBSD.

  2. The web host names you need to access via https.

    For example, if you access https://mydomain.com and https://support.mydomain.com, then the cert must cover both mydomain.com and support.mydomain.com.

  3. The mail domain name itself (the part after @ in the email addresses) does not need to be in the cert, unless it is also a web host name.

One cert for all domain names, or one cert for each domain name?

Dovecot and Nginx can load multiple SSL certs (one per host name, selected by SNI), but Postfix only gained that ability in version 3.4 (tls_server_sni_maps) and older releases can present only one cert. We therefore recommend one cert that covers all host names used by the SMTP and IMAP/POP3 services; certbot accepts the -d option several times for this.

Make sure you have correct DNS record for the host names

The way we request the free Let's Encrypt cert (the webroot method, which uses the HTTP-01 challenge) requires a correct A record for the host name, because Let's Encrypt must verify that you actually own or control the name: its validation servers connect to the host name on port 80 and fetch a file under /.well-known/acme-challenge/. Port 80 of the server must therefore also be reachable from the Internet. If the host name has an AAAA record as well, it must be correct too, since Let's Encrypt prefers IPv6 when an AAAA record is published.

To check the DNS record, you can use the dig command like below (use -t aaaa for the IPv6 record):

dig +short -t a mail.mydomain.com

It should return the (public) IP address of your server.

Request cert

certbot certonly --webroot -w /opt/www/well_known/ -d mail.mydomain.com

The -w option must name the directory that Nginx serves for /.well-known/acme-challenge/ requests; on an iRedMail Easy server that is /opt/www/well_known/ as shown. Repeat -d for every additional host name the cert must cover.

If the command finishes successfully, it creates and stores the cert files under /etc/letsencrypt/live/mail.mydomain.com/ (you may have a different host name instead of mail.mydomain.com in this sample path).

Created cert files:

  1. privkey.pem: the private key.

  2. cert.pem: the server certificate only.

  3. chain.pem: the intermediate certificate(s) of Let's Encrypt.

  4. fullchain.pem: cert.pem followed by chain.pem; this is the file a server should present, so that clients receive the complete chain.

The files under live/ are symbolic links to the current versions under /etc/letsencrypt/archive/<domain>/; certbot repoints them at every renewal.

Directories /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ are owned by the root user and group with permission 0700 (set by the certbot program by default), so no other user can enter them, including the accounts used to run network services such as Postfix/Dovecot/OpenLDAP/MariaDB/PostgreSQL. Set the permission of the two directories to 0755 so that other applications can reach the files. Do not make the private key file itself world-readable: Postfix, Dovecot and Nginx load the key while still running as root at startup, and a service that drops privileges before loading it (OpenLDAP, MariaDB/PostgreSQL) should be given read access through group ownership instead.

chmod 0755 /etc/letsencrypt/{live,archive}

Use Let's Encrypt cert

The easiest and quickest way to use the Let's Encrypt cert is to replace the self-signed cert files generated by iRedMail Easy with symbolic links to the Let's Encrypt files, then restart the services that use them.

Run the commands below to back up the old cert/key files and create symbolic links to the Let's Encrypt cert:

Attention

Please replace <domain> in the sample commands below with the host name you requested the cert for (the directory name under /etc/letsencrypt/live/ on your file system).

cd /opt/iredmail/ssl/
mv cert.pem cert.pem.bak
mv key.pem key.pem.bak
mv combined.pem combined.pem.bak
ln -s /etc/letsencrypt/live/<domain>/fullchain.pem combined.pem
ln -s /etc/letsencrypt/live/<domain>/fullchain.pem cert.pem
ln -s /etc/letsencrypt/live/<domain>/privkey.pem key.pem

Now restart the Postfix / Dovecot / Nginx services so they load the new cert:

systemctl restart postfix dovecot nginx

Verify the cert
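
Checking the certificate that Postfix, Dovecot and Nginx actually present is the step that catches a wrong path, a missing intermediate or a forgotten restart. The script below is an added example for this tutorial, not code from iRedMail or certbot, and uses only the Python standard library. It connects with a verifying TLS context (so an incomplete chain or a name missing from the cert fails here exactly as it would in a mail client), lists the subjectAltName entries, checks them against the host names decided on above, and reports the issuer and the days left before expiry against certbot's 30-day renewal window. The host name mail.mydomain.com, the port list and SAMPLE_CERT are constructed assumptions for the demo; the wildcard matching goes slightly beyond the page, which does not cover wildcards.

```python
"""Inspect the certificate that a server actually presents on its TLS ports.

Added example for this iRedMail tutorial; not code from iRedMail or certbot.
Standard library only. Host name, ports and SAMPLE_CERT are constructed
assumptions for the demo.
"""
import smtplib
import socket
import ssl
import sys
import time

RENEW_BEFORE_DAYS = 30  # certbot renews when fewer than this many days remain


def fetch_peer_cert(host, port, starttls=False, timeout=10):
    """Return ssl.SSLSocket.getpeercert() for host:port.

    starttls=True speaks SMTP and upgrades with STARTTLS (ports 25/587);
    otherwise the connection is TLS from the first byte (443, 465, 993, 995).
    The default context verifies chain and host name, so an incomplete chain
    or a name missing from the SAN raises ssl.SSLCertVerificationError here,
    just as the connection would fail in a mail client.
    """
    ctx = ssl.create_default_context()
    if starttls:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def san_names(cert):
    """DNS names from the subjectAltName extension, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _san_covers(san, host):
    """Exact match, or a one-label wildcard: *.mydomain.com covers
    support.mydomain.com but neither mydomain.com nor a.b.mydomain.com."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return san == host


def missing_names(cert, required):
    """Host names in 'required' that no SAN entry covers (empty list is good)."""
    sans = san_names(cert)
    return [h for h in required if not any(_san_covers(s, h) for s in sans)]


def issuer_org(cert):
    """organizationName of the issuer, e.g. "Let's Encrypt"."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def days_until_expiry(cert, now=None):
    """Whole days until notAfter (negative once expired); 'now' is epoch seconds."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def report(cert, required, now=None):
    """Summarise one served certificate; 'ok' is False on any finding."""
    days = days_until_expiry(cert, now)
    missing = missing_names(cert, required)
    findings = []
    if missing:
        findings.append("host names not covered by SAN: " + ", ".join(missing))
    if days < RENEW_BEFORE_DAYS:
        findings.append(f"expires in {days} days, renewal is due")
    return {"issuer": issuer_org(cert), "days_left": days, "sans": san_names(cert),
            "findings": findings, "ok": not findings}


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "notBefore": "Mar 12 12:00:00 2025 GMT",
    "notAfter": "Jun 10 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "mail.mydomain.com"), ("DNS", "mydomain.com")),
}


if __name__ == "__main__":
    # usage: python3 check_cert.py mail.mydomain.com [other host names the cert must cover]
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.mydomain.com"
    required = sys.argv[2:] or [host]
    for port, starttls in ((587, True), (993, False), (443, False)):
        try:
            print(port, report(fetch_peer_cert(host, port, starttls=starttls), required))
        except (OSError, smtplib.SMTPException) as exc:  # ssl errors are OSError subclasses
            print(port, "FAILED:", exc)
```

Run it against the server after the restart; a port that still reports the self-signed cert (issuer None, or a verification error) is the service that was not restarted or reads the cert from another path. Because the check uses a verifying context, a server that presents cert.pem instead of fullchain.pem shows up as a verification error rather than as a silently passing test.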

Renew the cert automatically

The cert can be renewed manually with the command certbot renew, or by running the same command in a daily or weekly cron job to renew it automatically. Only certs that expire in less than 30 days are actually renewed (certbot's default), so it is safe to run the command often. Applications that use the SSL cert must be restarted (or reloaded) to load the renewed files; until then they keep serving the old cert from memory even though the files on disk have changed.

When a cert is renewed, certbot writes the new key and cert to /etc/letsencrypt/archive/<domain>/privkey<X>.pem and fullchain<X>.pem (<X> is a number increased at each renewal) and repoints the symbolic links in /etc/letsencrypt/live/<domain>/ to them. Because the links created above reference the live/ path rather than the archive/ files, they resolve to the new key and cert automatically. The cron job below still re-creates the key link as a safety net (for example if a file was copied instead of linked at some point) and, more importantly, restarts the services.

Here is a sample cron job that runs at 3:01 AM every day: it prints the current cert info, tries to renew the cert, and runs the post-hook after a renewal attempt to fix the link and restart postfix/nginx/dovecot. Note that --post-hook runs whenever a renewal was attempted, including a failed attempt; use --deploy-hook instead if the commands should run only after a successful renewal.

Attention

Replace <domain> by the real domain name.

1 3 * * * certbot certificates; certbot renew --post-hook 'ln -sf /etc/letsencrypt/live/<domain>/privkey.pem /opt/iredmail/ssl/key.pem; /usr/sbin/systemctl restart postfix dovecot nginx'
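
To see concretely why the links keep working across a renewal, and what a post-hook therefore needs to do, here is an added example (not code from iRedMail or certbot) that performs the backup-and-symlink step from the "Use Let's Encrypt cert" section, checks the links, and then simulates a renewal in a throw-away directory tree built under a temporary directory. All paths and file contents in run_demo() are constructed for the demo; on a real server you would call link_letsencrypt("/opt/iredmail/ssl", "/etc/letsencrypt/live/mail.mydomain.com") as root and then restart the services.

```python
"""Swap iRedMail Easy's self-signed files for symlinks into certbot's live/
directory, verify the links, and show what happens to them on renewal.

Added example for this iRedMail tutorial; not code from iRedMail or certbot.
Everything under run_demo() is a constructed layout in a temporary directory.
"""
import os
import tempfile

# iRedMail Easy file name -> file name in /etc/letsencrypt/live/<domain>/
FILE_MAP = {
    "combined.pem": "fullchain.pem",
    "cert.pem": "fullchain.pem",
    "key.pem": "privkey.pem",
}


def link_letsencrypt(ssl_dir, live_dir):
    """Point combined.pem / cert.pem / key.pem in ssl_dir at the live files.

    A regular file is renamed to <name>.bak once; an existing symlink is
    replaced; a .bak left by an earlier run is never overwritten.
    Returns {name: absolute symlink target}.
    """
    created = {}
    for name, le_name in FILE_MAP.items():
        target = os.path.join(live_dir, le_name)
        if not os.path.isfile(target):  # isfile follows the live/ -> archive/ link
            raise FileNotFoundError(f"certbot file missing: {target}")
        path = os.path.join(ssl_dir, name)
        if os.path.islink(path):
            os.unlink(path)
        elif os.path.exists(path):
            backup = path + ".bak"
            if os.path.exists(backup):
                raise FileExistsError(f"refusing to overwrite backup {backup}")
            os.rename(path, backup)
        os.symlink(target, path)
        created[name] = target
    return created


def check_links(ssl_dir, live_dir):
    """Problems with the links (empty list = all good): each must be a symlink,
    resolve to an existing file, and point into live_dir, never into archive/
    (a link into archive/ would stay on the old key after a renewal)."""
    problems = []
    live_real = os.path.realpath(live_dir)
    for name in FILE_MAP:
        path = os.path.join(ssl_dir, name)
        if not os.path.islink(path):
            problems.append(f"{name}: not a symlink")
            continue
        target = os.path.join(os.path.dirname(path), os.readlink(path))  # relative-safe
        if not os.path.exists(target):
            problems.append(f"{name}: dangling link to {target}")
        elif os.path.realpath(os.path.dirname(target)) != live_real:
            problems.append(f"{name}: points outside live/: {target}")
    return problems


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def _certbot_renew(live, archive, version):
    """Mimic certbot: new files in archive/, live/ symlinks repointed to them."""
    for stem in ("fullchain", "privkey"):
        new = os.path.join(archive, f"{stem}{version}.pem")
        _write(new, f"fake {stem} {version}\n")  # constructed content, not a real key
        link = os.path.join(live, f"{stem}.pem")
        if os.path.lexists(link):
            os.unlink(link)
        os.symlink(new, link)


def run_demo():
    """Build the layout, link it, renew once, and report what key.pem resolves to."""
    base = tempfile.mkdtemp(prefix="iredmail-le-demo-")
    live = os.path.join(base, "etc/letsencrypt/live/mail.mydomain.com")
    archive = os.path.join(base, "etc/letsencrypt/archive/mail.mydomain.com")
    ssl_dir = os.path.join(base, "opt/iredmail/ssl")
    for d in (live, archive, ssl_dir):
        os.makedirs(d)
    _certbot_renew(live, archive, 1)  # initial issuance: privkey1.pem, fullchain1.pem
    for name in FILE_MAP:  # iRedMail Easy's self-signed files
        _write(os.path.join(ssl_dir, name), "self-signed\n")

    link_letsencrypt(ssl_dir, live)
    key = os.path.join(ssl_dir, "key.pem")
    before = os.path.basename(os.path.realpath(key))
    _certbot_renew(live, archive, 2)  # 'certbot renew' succeeded
    after = os.path.basename(os.path.realpath(key))
    link_letsencrypt(ssl_dir, live)  # re-running (as the post-hook does) is harmless

    return {
        "backups": sorted(n for n in os.listdir(ssl_dir) if n.endswith(".bak")),
        "key_before_renew": before,  # privkey1.pem
        "key_after_renew": after,    # privkey2.pem: the link followed live/ by itself
        "problems": check_links(ssl_dir, live),
        "base": base,
    }
```

check_links is the part worth putting in the cron job's post-hook (or running by hand after a renewal): a link that was replaced by a copied file, or that points straight into archive/, is exactly the case where a renewed cert on disk is never served.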

Cert configuration in different applications

The fragments below show the settings that reference the cert and key in each application. The paths shown (/etc/ssl/certs/iRedMail.crt and /etc/ssl/private/iRedMail.key) are the ones used by the downloadable iRedMail installer; on a server deployed with iRedMail Easy the same settings refer to the files under /opt/iredmail/ssl/ that were linked above. Check the values in your own config (postconf for Postfix, doveconf for Dovecot, nginx -T for Nginx) rather than copying these verbatim, and make sure every application points at the same key/cert pair.

Postfix

File /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt

Dovecot

File /etc/dovecot/dovecot.conf:

ssl = required
ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key
ssl_ca = </etc/ssl/certs/iRedMail.crt

Nginx

File /etc/nginx/templates/ssl.tmpl:

ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

MySQL, MariaDB

If MySQL/MariaDB listens only on localhost and is not reachable from the network, this step is OPTIONAL.

[mysqld]

ssl-ca = /etc/ssl/certs/iRedMail.crt
ssl-cert = /etc/ssl/certs/iRedMail.crt
ssl-key = /etc/ssl/private/iRedMail.key

OpenLDAP

If OpenLDAP listens only on localhost and is not reachable from the network, this step is OPTIONAL.

TLSCACertificateFile /etc/ssl/certs/iRedMail.crt
TLSCertificateKeyFile /etc/ssl/private/iRedMail.key
TLSCertificateFile /etc/ssl/certs/iRedMail.crt

References

See Also

Request a free cert from Let's Encrypt (for servers deployed with downloadable iRedMail installer)