iRedMail generates a self-signed SSL certificate during installation. It is fine if you just want to encrypt the network connections (POP3/IMAP/SMTP over TLS, HTTPS), but mail clients and web browsers will prompt an annoying message warning you that this self-signed certificate is not trusted. To avoid this message, you have to buy an SSL certificate from an SSL certificate provider. Searching for "buy ssl certificate" in Google will give you many SSL providers; choose the one you prefer.
We have another tutorial showing how to request a free cert from Let's Encrypt: Request a free cert from Let's Encrypt.

To buy an SSL cert from a trusted vendor, you need to generate a new SSL key and certificate signing request file on your server with the openssl command:

Warning

Do NOT use a key length smaller than 2048 bits; it's insecure.

```
# openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out server.csr
```
This command will generate two files:

- privkey.pem: the private key that pairs with your SSL certificate. Keep it secret; it is never sent to the provider.
- server.csr: the certificate signing request (CSR) file used to apply for your SSL certificate. This file is required by the SSL certificate provider.

The openssl command will prompt for the following X.509 attributes of the certificate:
- Country Name (2 letter code): use the two-letter code for the country, without punctuation, for example: US, CA, CN.
- State or Province Name (full name): spell out the state completely; do not abbreviate the state or province name, for example: California.
- Locality Name (eg, city): city or town name, for example: Berkeley.
- Organization Name (eg, company): your company name.
- Organizational Unit Name (eg, section): the name of the department or organizational unit making the request.
- Common Name (e.g. server FQDN or YOUR name): server FQDN or your name.
- Email Address []: your full email address.
- A challenge password []: type a password for this ssl certificate.
- An optional company name []: an optional company name.

NOTE: Some certificates can only be used on web servers using the Common Name specified during enrollment. For example, a certificate for the domain domain.com will receive a warning when accessing a site named www.domain.com or secure.domain.com, because www.domain.com and secure.domain.com are different from domain.com. If the certificate must cover several hostnames, ask your provider for a certificate that lists all of them in the Subject Alternative Name (SAN) extension; modern browsers match the hostname against the SAN list rather than the Common Name.
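The CSR step above can also be done non-interactively, which makes it easy to list every hostname the certificate must cover (the www.domain.com versus domain.com problem from the NOTE) as a Subject Alternative Name and to inspect the request before sending it to the provider. The following script is an added example and not code from the iRedMail project; the subject fields, hostnames and output directory are placeholders to replace, and `openssl req -addext` requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the iRedMail docs): generate the private key and the
# CSR non-interactively, with every hostname the certificate must cover listed
# as a DNS SAN, then inspect the CSR before it is submitted to the provider.
# Assumptions: OpenSSL 1.1.1 or newer (for `req -addext`); the subject fields,
# hostnames and output directory used below are placeholders.

# gen_csr OUTDIR PRIMARY_FQDN [EXTRA_FQDN ...]
# Generates an RSA key (never below 2048 bits) and a CSR in OUTDIR. The
# primary FQDN becomes the Common Name; it and all extra names become SANs.
# Example: gen_csr /tmp/out mail.domain.com www.domain.com secure.domain.com
gen_csr() {
    outdir="$1"; cn="$2"; shift 2
    sans="DNS:${cn}"
    for h in "$@"; do sans="${sans},DNS:${h}"; done
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "${outdir}/privkey.pem" -out "${outdir}/server.csr" \
        -subj "/C=US/ST=California/L=Berkeley/O=Example Org/OU=IT/CN=${cn}" \
        -addext "subjectAltName=${sans}" 2>/dev/null
    # The private key must be readable by its owner only.
    chmod 600 "${outdir}/privkey.pem"
}

# csr_key_bits CSR: print the RSA key size found in the CSR (e.g. 2048), so it
# can be checked against the 2048-bit minimum before the request is submitted.
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_has_san CSR HOSTNAME: return 0 if the CSR lists HOSTNAME as a DNS SAN.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q -E "DNS:$2(,|\$)"
}
```

Run `gen_csr` once with every hostname clients will connect to, then confirm with `csr_key_bits` and `csr_has_san` that the request really carries a 2048-bit key and the expected names; what the CA signs is exactly what is in the CSR, so a missing name here means a browser warning later.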
Now you have two files: privkey.pem and server.csr. Go to the website of your preferred SSL provider; it will ask you to upload the server.csr file to issue an SSL certificate.
Usually, the SSL provider will give you 2 files:

- cert.pem
- fullchain.pem (some SSL providers use the name server.ca-bundle)

We need the above 2 files, and privkey.pem. Upload them to your server. You can store them in any directory you like; the recommended directories are:

- On RHEL/CentOS (which keep TLS files under /etc/pki/tls/): cert.pem and fullchain.pem should be placed under /etc/pki/tls/certs/, privkey.pem under /etc/pki/tls/private/.
- On Debian/Ubuntu: cert.pem and fullchain.pem should be placed under /etc/ssl/certs/, privkey.pem under /etc/ssl/private/.
- On FreeBSD/OpenBSD: all files under /etc/ssl/.

The easiest and quickest way to use the bought cert is to replace the self-signed SSL cert generated by the iRedMail installer, then restart the services which use the cert files.
Warning

If you deployed iRedMail with the iRedMail Easy platform, ssl cert files are stored under /opt/iredmail/ssl/:

- key.pem: private key
- cert.pem: certificate
- combined.pem: full chain

On RHEL/CentOS:

```
mv /etc/pki/tls/certs/iRedMail.crt{,.bak}   # Backup. Rename iRedMail.crt to iRedMail.crt.bak
mv /etc/pki/tls/private/iRedMail.key{,.bak} # Backup. Rename iRedMail.key to iRedMail.key.bak
cp fullchain.pem /etc/pki/tls/certs/iRedMail.crt
cp privkey.pem /etc/pki/tls/private/iRedMail.key
```

On Debian/Ubuntu:

```
mv /etc/ssl/certs/iRedMail.crt{,.bak}   # Backup. Rename iRedMail.crt to iRedMail.crt.bak
mv /etc/ssl/private/iRedMail.key{,.bak} # Backup. Rename iRedMail.key to iRedMail.key.bak
cp fullchain.pem /etc/ssl/certs/iRedMail.crt
cp privkey.pem /etc/ssl/private/iRedMail.key
```
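Before overwriting the self-signed pair it is worth confirming that the files the provider returned actually belong together and cover the mail server's hostname; a mismatched key or a certificate issued for the wrong name only shows up as failed TLS handshakes after the restart. The script below is an added example, not part of the iRedMail docs or installer: it checks that the private key matches the certificate, that the certificate is valid for the given hostname and not about to expire, and then installs the files with a timestamped backup and restrictive permissions on the key. Destination paths are passed as arguments, so the same functions serve the /etc/pki/tls and /etc/ssl layouts shown above; it assumes only that the OpenSSL CLI is installed.

```shell
#!/bin/sh
# Added example (not from the iRedMail docs): sanity-check a bought certificate
# against its private key and the server hostname, then install it in place of
# the self-signed pair with a backup and safe file permissions.
# Assumption: the OpenSSL CLI is installed. All paths are passed as arguments.

# key_matches_cert KEY CERT: return 0 if the public key inside CERT belongs to
# the private key in KEY (compares the two SubjectPublicKeyInfo PEM blocks).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_covers_host CERT HOSTNAME: return 0 if CERT is valid for HOSTNAME
# (SAN list, or Common Name when the certificate has no SAN).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# cert_not_expiring CERT SECONDS: return 0 if CERT stays valid for SECONDS more.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# install_cert FULLCHAIN KEY HOSTNAME CERT_DST KEY_DST
# e.g. install_cert fullchain.pem privkey.pem mail.domain.com \
#        /etc/pki/tls/certs/iRedMail.crt /etc/pki/tls/private/iRedMail.key
install_cert() {
    chain="$1"; key="$2"; host="$3"; cert_dst="$4"; key_dst="$5"
    key_matches_cert "$key" "$chain" || { echo "key does not match certificate" >&2; return 1; }
    cert_covers_host "$chain" "$host" || { echo "certificate is not valid for $host" >&2; return 1; }
    cert_not_expiring "$chain" 86400 || { echo "certificate expires within a day" >&2; return 1; }
    ts=$(date +%Y%m%d%H%M%S)
    # Keep the previous files: running services still use them until restarted.
    [ -f "$cert_dst" ] && cp -p "$cert_dst" "$cert_dst.bak.$ts"
    [ -f "$key_dst" ] && cp -p "$key_dst" "$key_dst.bak.$ts"
    cp "$chain" "$cert_dst"
    cp "$key" "$key_dst"
    chmod 644 "$cert_dst"   # the chain is public
    chmod 600 "$key_dst"    # the private key is not
    echo "installed $cert_dst and $key_dst (previous files kept with suffix .bak.$ts)"
}
```

`install_cert` refuses to touch the destination if any check fails, so the self-signed pair that services are currently using stays intact; the checks can also be run on their own against files already in place to diagnose a handshake failure.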
Required services:

Depending on the backend you chose during iRedMail installation, you may need to restart: