Secure iRedMail Server with Let’s Encrypt SSL Certificate

In our previous guides, we saw how one can install and configure iRedMail Server. The default installation of iRedMail generates and install a self-signed SSL certificate for Mails services – POP3/IMAP/SMTP over TLS and for HTTPS access to webmail services.

When using a self-signed certificate, you’ll often get warning messages that the certificate in use is not trusted. To avoid these annoying messages, it is recommended to buy an SSL certificate from SSL certificate provider or get a free Let’s Encrypt certificate.

In this guide, we will use a free Let’s Encrypt SSL certificate to secure our iRedMail services. To be able to obtain a Let’s Encrypt SSL certificate, your server should have a public IP address and a DNS record pointing to the IP.

Step 1: Obtain Let’s Encrypt Certificate

Install certbot tool that will be used to obtain a Let’s Encrypt SSL certificate.

# Install certbot on Ubuntu /Debian
sudo apt update
sudo apt install certbot

# Install certbot on CentOS / Rocky
sudo yum -y install epel-release
sudo yum -y install certbot

After installing certbot-auto tool, save the email address and the domain for iRedMail server.

DOMAIN="mail.geeksforgeeks.org"
EMAIL="[email protected]"

Stop Nginx service.

sudo systemctl stop nginx

The obtain a free Let’s Encrypt certificate for iRedMail mail server.

sudo certbot certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

The standard successful message for Let’s Encrypt outputs path to your certificates.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.geeksforgeeks.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.geeksforgeeks.org/privkey.pem
   Your cert will expire on 2023-06-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 2: Replace iRedMail Self-signed certificates

Rename iRedMail.crt self-signed certificate and Private key.

sudo mv /etc/pki/tls/certs/iRedMail.crt{,.bak}
sudo mv /etc/pki/tls/private/iRedMail.key{,.bak}

Create a symlink for the Let’s Encrypt certificate and private key.

sudo ln -sf /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
sudo ln -sf  /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/pki/tls/private/iRedMail.key

Restart your iRedMail server for services to use new certificate.

sudo reboot

Step 3: Set Certificate Automatic renewal

Create a cron job to automatically renew Let’s Encrypt certificates:

$ sudo crontab -e
# Renew Let's Encrypt certs
15 3 * * * /usr/bin/certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

After adding Let’s Encrypt SSL certificate, mail client application (MUA, e.g. Outlook, Thunderbird) should not warn you of invalid certificate. Same as access to Webmail clients on browser.

• How To Add Domains and User Accounts to iRedMail Mail Server