Installing Let’s Encrypt SSL for iRedMail (CentOS 7)

A self-signed SSL certificate is used by default with iRedMail. If you have installed iRedMail from our installation guide, or from the latest release, then installing SSL with Let’s Encrypt is recommended.

This guide will walk through the steps for installing Let’s Encrypt SSL for an iRedMail server running CentOS 7.

Step 1: Install Certbot

To install Let’s Encrypt SSL on your mail domain, start by installing certbot.
First, the EPEL repo should be enabled:

# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Next, install certbot with the command:

# yum install certbot

Perform a dry run for your mail domain. With the --dry-run option, certbot tests the request but does not install a certificate:

# certbot certonly --webroot --dry-run -w /var/www/html -d MAIL.MYDOMAIN.COM

Step 2: Install Let’s Encrypt SSL

If the dry-run in the previous step returns a successful result, proceed with requesting a certificate. Request the certificate using the webroot argument with certbot and your mail domain:

# certbot certonly --webroot -w /var/www/html -d MAIL.MYDOMAIN.COM

Next, the permissions for the directories must be changed so that services can traverse them to reach the certificate files:

# chmod 0755 /etc/letsencrypt/{live,archive}

Rename the certificate and key files generated by the iRedMail installer to .bak.

# mv /etc/pki/tls/certs/iRedMail.crt{,.bak}

# mv /etc/pki/tls/private/iRedMail.key{,.bak}

Then create symbolic links to the Let’s Encrypt files at the paths of the files created during the iRedMail installation:

# ln -s /etc/letsencrypt/live/MAIL.MYDOMAIN.COM/fullchain.pem /etc/pki/tls/certs/iRedMail.crt

# ln -s /etc/letsencrypt/live/MAIL.MYDOMAIN.COM/privkey.pem /etc/pki/tls/private/iRedMail.key
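
A post-install check for the layout built in Step 2, as an added example that is not part of the original guide: it confirms that the live and archive directories can be traversed, that the two iRedMail paths are symlinks resolving to the Let’s Encrypt files, and that the private key is not world-readable. The function name and the ROOT prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the guide. ROOT is a hypothetical path prefix
# ("" on the live server) so the check also runs on a constructed tree.
# Assumes GNU stat and readlink, as shipped with CentOS 7.

# Prints one line per problem; returns 0 only when none are found.
check_iredmail_tls() {
    root=$1 domain=$2 problems=0
    le="$root/etc/letsencrypt"

    # live/ and archive/ need the search (x) bit for "other"; without it
    # services that do not run as root cannot follow the symlinks.
    for dir in "$le/live" "$le/archive"; do
        mode=$(stat -c %a "$dir" 2>/dev/null) || mode=missing
        case $mode in
            *[1357]) ;;
            *) echo "not traversable: $dir (mode $mode)"
               problems=$((problems + 1)) ;;
        esac
    done

    # Each iRedMail path must be a symlink resolving to the live file.
    for pair in certs/iRedMail.crt:fullchain.pem private/iRedMail.key:privkey.pem; do
        link="$root/etc/pki/tls/${pair%%:*}"
        want="$le/live/$domain/${pair##*:}"
        if [ ! -L "$link" ]; then
            echo "not a symlink: $link"; problems=$((problems + 1))
        elif [ ! -e "$link" ]; then
            echo "dangling symlink: $link"; problems=$((problems + 1))
        elif [ "$(readlink -f "$link")" != "$(readlink -f "$want")" ]; then
            echo "wrong target: $link"; problems=$((problems + 1))
        fi
    done

    # With the directories open, the key file's own mode is what keeps
    # other local users out: flag a missing or world-readable key.
    key=$(readlink -f "$le/live/$domain/privkey.pem" 2>/dev/null) || key=
    kmode=$(stat -c %a "$key" 2>/dev/null) || kmode=missing
    case $kmode in
        missing|*[4567]) echo "key missing or world-readable (mode $kmode)"
                         problems=$((problems + 1)) ;;
    esac

    [ "$problems" -eq 0 ]
}
```

On the server, run it as root with an empty prefix: check_iredmail_tls "" MAIL.MYDOMAIN.COM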

Step 3: Use the New Certificate

To start using the Let’s Encrypt SSL certificate, you must restart four services. The last two depend on the selections you made during the iRedMail installation:

# systemctl restart dovecot

# systemctl restart postfix

Depending on your selection during installation, restart httpd (Apache) or nginx:

# systemctl restart <SERVICE_NAME>

Depending on your selection during installation, restart mysqld, mariadb, postgresql, or slapd (OpenLDAP):

# systemctl restart <SERVICE_NAME>

Step 4: Automatically Renew the Certificate

Lastly, it is strongly suggested to create a cron job so that certbot automatically renews the SSL certificate before expiration and then restarts the necessary services. Start by running:

# crontab -e

This will open a file in the vi or nano text editor. Add the following line to the bottom of the file, with <SERVICE_NAME> replaced by nginx or httpd:

@daily certbot renew --post-hook 'service postfix restart; service dovecot restart; service <SERVICE_NAME> restart'

Conclusion

You have now installed Let’s Encrypt SSL on your iRedMail server. This will be reflected when you visit webmail, the iRedMail admin panel, or Netdata. In addition, you can now add your email accounts to your email client using the secure ports, 993 for IMAP and 587 for SMTP.
