In our previous guide, we saw how one can install and configure iRedMail Server on CentOS 7. The default installation of iRedMail generates and install a self-signed SSL certificate for Mails services – POP3/IMAP/SMTP over TLS and for HTTPS access to webmail services.

For Debian: Install and Setup iRedMail Mail Server on Debian 10 (Buster)

When using a self-signed certificate, you’ll often get warning messages that the certificate in use is not trusted. To avoid these annoying messages, it is recommended to buy an SSL certificate from SSL certificate provider or get a free Let’s Encrypt certificate.

In this guide, we will use a free Let’s Encrypt SSL certificate to secure our iRedMail services. To be able to obtain a Let’s Encrypt SSL certificate, your server should have a public IP address and a DNS record pointing to the IP.

Step 1: Obtain Let’s Encrypt Certificate

Install certbot tool that will be used to obtain a Let’s Encrypt SSL certificate.

wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto

After installing certbot-auto tool, save the email address and the domain for iRedMail server.

DOMAIN="mail.computingforgeeks.com"
EMAIL="[email protected]"

Stop Nginx service.

sudo systemctl stop nginx

The obtain a free Let’s Encrypt certificate for iRedMail mail server.

sudo /usr/local/bin/certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

The standard successful message for Let’s Encrypt outputs path to your certificates.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.computingforgeeks.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.computingforgeeks.com/privkey.pem
   Your cert will expire on 2020-01-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 2: Replace iRedMail Self-signed certificates

Rename iRedMail.crt self-signed certificate and Private key.

sudo mv /etc/pki/tls/certs/iRedMail.crt{,.bak}
sudo mv /etc/pki/tls/private/iRedMail.key{,.bak}

Copy your Let’s Encrypt certificate

sudo cp /etc/letsencrypt/live/mail.computingforgeeks.com/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
sudo cp  /etc/letsencrypt/live/mail.computingforgeeks.com/privkey.pem /etc/pki/tls/private/iRedMail.key

Restart your iRedMail server for services to use new certificate.

sudo reboot

After adding Let’s Encrypt SSL certificate, mail client application (MUA, e.g. Outlook, Thunderbird) should not warn you of invalid certificate. Same as access to Webmail clients on browser.

RELATED ARTICLESMORE FROM AUTHOR