In our previous guide, we saw how to install and configure iRedMail Server on CentOS 7. The default installation of iRedMail generates and installs a self-signed SSL certificate for mail services (POP3/IMAP/SMTP over TLS) and for HTTPS access to webmail services.

For Debian: Install and Setup iRedMail Mail Server on Debian 10 (Buster)

When using a self-signed certificate, you’ll often get warning messages that the certificate in use is not trusted. To avoid these annoying messages, it is recommended to buy an SSL certificate from an SSL certificate provider or get a free Let’s Encrypt certificate.

In this guide, we will use a free Let’s Encrypt SSL certificate to secure our iRedMail services. To be able to obtain a Let’s Encrypt SSL certificate, your server should have a public IP address and a DNS record pointing to the IP.

Step 1: Obtain Let’s Encrypt Certificate

Install the certbot tool that will be used to obtain a Let’s Encrypt SSL certificate.

wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto

After installing the certbot-auto tool, save the email address and the domain for the iRedMail server in shell variables.

DOMAIN="mail.computingforgeeks.com"
EMAIL="[email protected]"

Stop the Nginx service so that certbot's standalone web server can bind to port 80 for the HTTP challenge.

sudo systemctl stop nginx

Then obtain a free Let’s Encrypt certificate for the iRedMail mail server.

sudo /usr/local/bin/certbot-auto certonly --standalone -d "$DOMAIN" --preferred-challenges http --agree-tos -n -m "$EMAIL" --keep-until-expiring

On success, Let’s Encrypt prints the paths to your certificate and key.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.computingforgeeks.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.computingforgeeks.com/privkey.pem
   Your cert will expire on 2020-01-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 2: Replace iRedMail Self-signed certificates

Rename the self-signed iRedMail.crt certificate and its private key.

sudo mv /etc/pki/tls/certs/iRedMail.crt{,.bak}
sudo mv /etc/pki/tls/private/iRedMail.key{,.bak}

Create symlinks to the Let’s Encrypt certificate and private key.

sudo ln -sf /etc/letsencrypt/live/mail.computingforgeeks.com/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
sudo ln -sf /etc/letsencrypt/live/mail.computingforgeeks.com/privkey.pem /etc/pki/tls/private/iRedMail.key

Restart your iRedMail server so that the services pick up the new certificate.

sudo reboot

After switching to the Let’s Encrypt SSL certificate, mail client applications (MUAs, e.g. Outlook, Thunderbird) should no longer warn about an invalid certificate. The same applies to webmail access in a browser.
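
The symlinks created in Step 2 can be checked before the restart, so that a dangling link, a key that does not belong to the certificate, a wrong hostname or a near-expiry certificate is caught before the mail services try to load it. This is an added example, not part of the original guide; the function names and the 7-day default are assumptions, and it relies only on the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the certificate
# and key that the iRedMail symlinks resolve to, before restarting services.

# Public key (PEM) carried by the first certificate in a PEM file.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key file.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# check_cert_pair CERT KEY HOST [MIN_DAYS]
# Returns 0 only if both files are readable (symlinks are followed), the key
# belongs to the certificate, the certificate names HOST, and it stays valid
# for at least MIN_DAYS more days. Non-zero codes identify the failed check.
check_cert_pair() {
    cert=$1 key=$2 host=$3 min_days=${4:-7}
    [ -r "$cert" ] && [ -r "$key" ] ||
        { echo "unreadable or dangling: $cert / $key" >&2; return 1; }
    cp=$(cert_pubkey "$cert")
    kp=$(key_pubkey "$key")
    [ -n "$cp" ] && [ "$cp" = "$kp" ] ||
        { echo "private key does not match certificate" >&2; return 2; }
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" ||
        { echo "certificate does not cover $host" >&2; return 3; }
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 4; }
    return 0
}

# When run with a hostname argument, check the paths used in Step 2.
# Reading the private key requires root.
if [ $# -ge 1 ]; then
    check_cert_pair /etc/pki/tls/certs/iRedMail.crt \
        /etc/pki/tls/private/iRedMail.key "$1" && echo "certificate pair OK"
fi
```

Saved under a name of your choice and run as root with the mail hostname as its argument, the script prints "certificate pair OK" when all four checks pass.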
