You can support us by downloading this article as PDF from the Link below. Download the guide as PDF

In our previous guide, we saw how one can install and configure iRedMail Server on CentOS 7. The default installation of iRedMail generates and install a self-signed SSL certificate for Mails services – POP3/IMAP/SMTP over TLS and for HTTPS access to webmail services.

For Debian: Install and Setup iRedMail Mail Server on Debian 10 (Buster)

When using a self-signed certificate, you’ll often get warning messages that the certificate in use is not trusted. To avoid these annoying messages, it is recommended to buy an SSL certificate from SSL certificate provider or get a free Let’s Encrypt certificate.

In this guide, we will use a free Let’s Encrypt SSL certificate to secure our iRedMail services. To be able to obtain a Let’s Encrypt SSL certificate, your server should have a public IP address and a DNS record pointing to the IP.

Step 1: Obtain Let’s Encrypt Certificate

Install certbot tool that will be used to obtain a Let’s Encrypt SSL certificate.

chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto

After installing certbot-auto tool, save the email address and the domain for iRedMail server.

EMAIL="[email protected]"

Stop Nginx service.

sudo systemctl stop nginx

The obtain a free Let’s Encrypt certificate for iRedMail mail server.

sudo /usr/local/bin/certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

The standard successful message for Let’s Encrypt outputs path to your certificates.

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2020-01-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

Step 2: Replace iRedMail Self-signed certificates

Rename iRedMail.crt self-signed certificate and Private key.

sudo mv /etc/pki/tls/certs/iRedMail.crt{,.bak}
sudo mv /etc/pki/tls/private/iRedMail.key{,.bak}

Create a symlink for the Let’s Encrypt certificate and private key.

sudo ln -sf /etc/letsencrypt/live/ /etc/pki/tls/certs/iRedMail.crt
sudo ln -sf  /etc/letsencrypt/live/ /etc/pki/tls/private/iRedMail.key

Restart your iRedMail server for services to use new certificate.

sudo reboot

After adding Let’s Encrypt SSL certificate, mail client application (MUA, e.g. Outlook, Thunderbird) should not warn you of invalid certificate. Same as access to Webmail clients on browser.

You can support us by downloading this article as PDF from the Link below. Download the guide as PDF