Installing Let’s Encrypt Free SSL Certificate on iRedMail


In our previous guides, we saw how to install and configure an iRedMail server. The default installation of iRedMail generates and installs a self-signed SSL certificate for the mail services (POP3/IMAP/SMTP over TLS) and for HTTPS access to the webmail services.

When using a self-signed certificate, you’ll often get warning messages that the certificate in use is not trusted. To avoid these annoying messages, it is recommended to buy an SSL certificate from an SSL certificate provider or to get a free Let’s Encrypt certificate.

In this guide, we will use a free Let’s Encrypt SSL certificate to secure our iRedMail services. To be able to obtain a Let’s Encrypt SSL certificate, your server should have a public IP address and a DNS record pointing to the IP.

Step 1: Obtain Let’s Encrypt Certificate

Install the certbot tool, which will be used to obtain a Let’s Encrypt SSL certificate.

# Install certbot on Ubuntu /Debian
sudo apt update && sudo apt install certbot

# Install certbot on CentOS / Rocky
sudo yum -y install epel-release
sudo yum -y install certbot

After installing certbot, have the email address and the domain of your iRedMail server ready.

Stop the Nginx service, since certbot’s standalone mode needs to bind port 80 for the HTTP challenge.

sudo systemctl stop nginx

Then obtain a free Let’s Encrypt certificate for the iRedMail mail server.

certbot certonly --standalone -d mail.haceganteknoloji.xyz --preferred-challenges http --agree-tos -n -m postmaster@haceganteknoloji.xyz --keep-until-expiring

On success, certbot prints the paths to your certificate files.

Installing the Certificate in Nginx

After obtaining a TLS certificate, let’s configure the Nginx web server to use it. Edit the SSL template file.

sudo nano /etc/nginx/templates/ssl.tmpl

Find the following 2 lines.

ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

Replace them with:

ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem;

Save and close the file. Then test the Nginx configuration and reload it.

sudo nginx -t
sudo systemctl reload nginx

Visit the iRedMail admin panel again (https://mail.example.com/iredadmin/); your web browser won’t warn you anymore, because Nginx is now serving a valid TLS certificate.

Installing TLS Certificate in Postfix and Dovecot

We also need to configure the Postfix SMTP server and the Dovecot IMAP server to use the Let’s Encrypt issued certificate so that desktop mail clients won’t display a security warning. Edit the main configuration file of Postfix.

sudo nano /etc/postfix/main.cf

Find the following 3 lines (lines 95, 96 and 97).

smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt

Replace them with:

smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.example.com/chain.pem

Save and close the file. Then reload Postfix.

sudo systemctl reload postfix

Next, edit the main configuration file of Dovecot.

sudo nano /etc/dovecot/dovecot.conf

Find the following 2 lines (lines 47 and 48).

ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key

Replace them with:

ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

Save and close the file. Then reload Dovecot.

sudo systemctl reload dovecot

Set Up Automatic Certificate Renewal

Create a cron job to automatically renew Let’s Encrypt certificates:

$ sudo crontab -e
# Renew Let's Encrypt certs
15 3 * * * /usr/bin/certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
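The cron job above restarts only Nginx; Postfix and Dovecot keep using the certificate they loaded at start-up until they are reloaded. The following certbot deploy hook, an added example rather than code from the original guide or from the iRedMail project, reloads both after a renewal of the mail.example.com certificate. It assumes the certificate paths configured above and a hypothetical MAIL_LINEAGE variable for overriding them; RENEWED_LINEAGE is the variable certbot itself exports to deploy hooks.

```shell
#!/bin/sh
# Certbot deploy hook (added example, not from the iRedMail guide). Install it
# in /etc/letsencrypt/renewal-hooks/deploy/ and make it executable; certbot
# runs it after each successful renewal with RENEWED_LINEAGE set to the live
# directory of the renewed certificate. Nginx is already restarted by the
# cron job's --post-hook, so only Postfix and Dovecot are reloaded here.

# Lineage referenced in main.cf and dovecot.conf (override via environment).
MAIL_LINEAGE="${MAIL_LINEAGE:-/etc/letsencrypt/live/mail.example.com}"

# Returns 0 only when the renewed lineage is the one the mail services use,
# so renewals of unrelated certificates do not bounce Postfix and Dovecot.
lineage_is_mail_cert() {
    [ "$1" = "$MAIL_LINEAGE" ]
}

# Returns 0 when every file referenced from main.cf / dovecot.conf exists and
# is non-empty; reloading with a file missing would leave a service without
# usable TLS, so the hook refuses to reload in that case.
lineage_files_ok() {
    for f in fullchain.pem privkey.pem cert.pem chain.pem; do
        [ -s "$1/$f" ] || return 1
    done
    return 0
}

# Reload the services that read the certificate only at start-up.
reload_mail_services() {
    for svc in postfix dovecot; do
        systemctl reload "$svc" || return 1
    done
    return 0
}

main() {
    lineage="${RENEWED_LINEAGE:-}"
    if ! lineage_is_mail_cert "$lineage"; then
        echo "deploy-hook: $lineage is not the mail certificate, nothing to do"
        return 0
    fi
    if ! lineage_files_ok "$lineage"; then
        echo "deploy-hook: files missing in $lineage, not reloading" >&2
        return 1
    fi
    reload_mail_services && echo "deploy-hook: reloaded Postfix and Dovecot"
}

# Act only when invoked by certbot; otherwise the functions can be sourced
# without side effects (e.g. for testing).
[ -z "${RENEWED_LINEAGE:-}" ] || main
```

Because the hook checks the lineage, a later renewal of an unrelated certificate on the same host leaves the mail services untouched.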

After adding the Let’s Encrypt SSL certificate, mail client applications (MUAs such as Outlook and Thunderbird) should no longer warn you of an invalid certificate, and the same applies to webmail clients accessed in a browser.
