
Installing Let’s Encrypt Free SSL Certificate on iRedMail

In our previous guides, we saw how to install and configure an iRedMail server. The default installation of iRedMail generates and installs a self-signed SSL certificate for mail services (POP3/IMAP/SMTP over TLS) and for HTTPS access to webmail services.

When using a self-signed certificate, you’ll often get warning messages that the certificate in use is not trusted. To avoid these annoying messages, it is recommended to buy an SSL certificate from an SSL certificate provider or get a free Let’s Encrypt certificate.

In this guide, we will use a free Let’s Encrypt SSL certificate to secure our iRedMail services. To be able to obtain a Let’s Encrypt SSL certificate, your server should have a public IP address and a DNS record pointing to the IP.

Step 1: Obtain Let’s Encrypt Certificate

Install the certbot tool, which will be used to obtain a Let’s Encrypt SSL certificate.

# Install certbot on Ubuntu / Debian
sudo apt update && sudo apt install certbot

# Install certbot on CentOS / Rocky
sudo yum -y install epel-release
sudo yum -y install certbot

After installing the certbot tool, note the email address and the domain for the iRedMail server.

Stop the Nginx service so that certbot’s standalone web server can bind to port 80.

sudo systemctl stop nginx

Then obtain a free Let’s Encrypt certificate for the iRedMail mail server.

sudo certbot certonly --standalone -d mail.haceganteknoloji.xyz --preferred-challenges http --agree-tos -n -m postmaster@haceganteknoloji.xyz --keep-until-expiring

On success, certbot prints the path to your certificate files.

Installing the Certificate in Nginx

After obtaining a TLS certificate, let’s configure the Nginx web server to use it. Edit the SSL template file.

sudo nano /etc/nginx/templates/ssl.tmpl

Find the following 2 lines.

ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

Replace them with the following, using the hostname you requested the certificate for in place of mail.example.com:

ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem;

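Save and close the file. Then test the Nginx configuration and start Nginx again. It was stopped in Step 1, so use restart; a reload does not start a stopped service.

sudo nginx -t
sudo systemctl restart nginx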

Visit the iRedMail admin panel again (https://mail.example.com/iredadmin/). Your web browser won’t warn you any more because Nginx is now using a valid TLS certificate.

Installing TLS Certificate in Postfix and Dovecot

We also need to configure the Postfix SMTP server and the Dovecot IMAP server to use the Let’s Encrypt issued certificate so that desktop mail clients won’t display a security warning. Edit the main configuration file of Postfix.

sudo nano /etc/postfix/main.cf

Find the following 3 lines (lines 95, 96 and 97).

smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt

Replace them with:

smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.example.com/chain.pem

Save and close the file. Then reload Postfix.

sudo systemctl reload postfix

Next, edit the main configuration file of Dovecot.

sudo nano /etc/dovecot/dovecot.conf

Find the following 2 lines (lines 47 and 48).

ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key

Replace them with:

ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

Save and close the file. Then reload dovecot.

sudo systemctl reload dovecot
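
A quick way to confirm that every directive edited above now points at the same Let’s Encrypt directory, as an added example that is not part of the original guide. The function names and the sample lines are constructed for illustration; on a server, pipe the three edited files into `audit_tls_paths` with your own hostname.

```shell
#!/bin/sh
# Added example (not from the guide): audit the certificate/key directives the
# guide edits in ssl.tmpl, main.cf and dovecot.conf. Reads config text on
# stdin, prints "<STATUS> <directive> <path>", returns 1 if any is not OK.
audit_tls_paths() {
    awk -v live="/etc/letsencrypt/live/$1/" '
    /^[[:space:]]*#/ { next }                      # skip commented-out lines
    {
        # Unify "k v;" (nginx), "k = v" (postfix) and "k = <v" (dovecot).
        gsub(/[=<;]/, " ")
        if ($1 !~ /^(ssl_certificate(_key)?|smtpd_tls_(key_file|cert_file|CAfile)|ssl_(cert|key))$/)
            next
        if (index($2, live) == 1)
            s = "OK"
        else if ($2 ~ /iRedMail\.(crt|key)$/)
            s = "SELFSIGNED"                       # still the installer default
        else if (index($2, "/etc/letsencrypt/live/") == 1)
            s = "WRONGHOST"                        # certificate for another name
        else
            s = "OTHER"
        if (s != "OK") bad = 1
        print s, $1, $2
    }
    END { exit bad + 0 }'
}

# Constructed sample: lines as they appear across the three files, with one
# directive left on the self-signed default and one pointing at another name.
sample_config() {
    cat <<'EOF'
ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem;
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/cert.pem
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
# ssl_key = </etc/ssl/private/iRedMail.key
ssl_cert = </etc/letsencrypt/live/mail.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
EOF
}

sample_config | audit_tls_paths mail.example.com || echo "fix the directives not marked OK"
```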

Set Up Automatic Certificate Renewal

Create a cron job to automatically renew Let’s Encrypt certificates. Open root’s crontab and add the entry shown below the command:

sudo crontab -e
# Renew Let's Encrypt certs
15 3 * * * /usr/bin/certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
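
The cron job above stops and starts only Nginx, while Dovecot keeps the certificate it loaded at startup until it is reloaded. A certbot deploy hook that reloads Postfix and Dovecot after a renewal, as an added example that is not part of the original guide; the script name, the `MAIL_LINEAGE` value and the `RUN` dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide). Assumed install path:
#   /etc/letsencrypt/renewal-hooks/deploy/reload-mail-tls.sh  (chmod 755)
# certbot runs deploy hooks only after a certificate was actually renewed and
# sets RENEWED_LINEAGE to that certificate's live directory.
MAIL_LINEAGE="/etc/letsencrypt/live/mail.example.com"   # adjust to your hostname
RUN="${RUN:-}"   # RUN=echo prints the commands instead of running them (dry run)

reload_mail_tls() {
    # Ignore renewals of unrelated certificates on the same machine.
    [ "${RENEWED_LINEAGE:-}" = "$MAIL_LINEAGE" ] || return 0
    rc=0
    # Validate each configuration first, so that a reload is never attempted
    # on a configuration that does not parse.
    if $RUN postfix check; then
        $RUN systemctl reload postfix || rc=1
    else
        rc=1
    fi
    if $RUN doveconf -n >/dev/null; then
        $RUN systemctl reload dovecot || rc=1
    else
        rc=1
    fi
    return "$rc"
}

reload_mail_tls
```

A non-zero exit status means one of the two services failed validation or reload and is still using the previous certificate.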

After installing the Let’s Encrypt SSL certificate, mail client applications (MUAs, e.g. Outlook, Thunderbird) should no longer warn you about an invalid certificate. The same applies to webmail access from a browser.
