Hostwinds Tutorials
Tags: CentOS Web Panel, SSL
A self-signed SSL certificate is used by default with iRedMail. If you have installed iRedMail from our installation guide or the latest release, installing SSL with Let's Encrypt is recommended.
This guide will walk through the steps for installing Let's Encrypt SSL for an iRedMail server running CentOS 7.
To install Let's Encrypt SSL on your mail domain, start by installing certbot.
First, the EPEL repo should be enabled:
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Next, install certbot with the command:
yum install certbot
Perform a dry run for your mail domain. With --dry-run, certbot tests the request without saving a certificate:
certbot certonly --webroot --dry-run -w /var/www/html -d MAIL.MYDOMAIN.COM
If the dry-run in the previous step returns a successful result, proceed with requesting a certificate. Request the certificate using the webroot argument with certbot and your mail domain:
certbot certonly --webroot -w /var/www/html -d MAIL.MYDOMAIN.COM
Next, change the permissions on the Let's Encrypt directories. Directories need the execute bit to be traversed, so the mode is 0755 rather than 0644:
chmod 0755 /etc/letsencrypt/{live,archive}
Rename the certificate and key files generated by the iRedMail installer by adding a .bak suffix:
mv /etc/pki/tls/certs/iRedMail.crt{,.bak}
mv /etc/pki/tls/private/iRedMail.key{,.bak}
Then create symbolic links from the certificate and key paths used by the iRedMail installation to the Let's Encrypt files:
ln -s /etc/letsencrypt/live/MAIL.MYDOMAIN.COM/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/MAIL.MYDOMAIN.COM/privkey.pem /etc/pki/tls/private/iRedMail.key
To start using the Let's Encrypt SSL certificate, you must restart four services. The last two depend on the selections you made during the iRedMail installation:
systemctl restart dovecot
systemctl restart postfix
Depending on your selection during installation, restart httpd (Apache) or Nginx:
systemctl restart <SERVICE_NAME>
Depending on your selection during installation, restart mysqld, mariadb, PostgreSQL, or slapd (OpenLDAP):
systemctl restart <SERVICE_NAME>
Lastly, it is strongly recommended to create a cron job so that certbot automatically renews the SSL certificate before it expires and then restarts the necessary services. Start by running:
crontab -e
This will open the crontab in a text editor such as vi or nano. Add the following line to the bottom of the file, with <SERVICE_NAME> replaced by nginx or httpd:
@daily certbot renew --post-hook 'service postfix restart; service dovecot restart; service <SERVICE_NAME> restart'
You have now installed Let's Encrypt SSL on your iRedMail server. This will be reflected when you visit webmail, the iRedMail admin panel, or Netdata. In addition, you can now add your email accounts to your email client using the secure ports, 993 for IMAP and 587 for SMTP.
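To confirm the file-level steps above, the following shell function checks the two symlinks, the directory permissions and the private key's mode. It is an added example, not part of the original guide; the function name check_le_deploy and its ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the symlink and
# permission steps. ROOT is a hypothetical path prefix: "" on a real
# server, a scratch directory when testing. Returns the failure count.
check_le_deploy() {
    root=$1 domain=$2 fails=0
    live="$root/etc/letsencrypt/live"
    archive="$root/etc/letsencrypt/archive"

    # 1. Each iRedMail path must be a symlink that resolves to the same
    #    file as the matching Let's Encrypt path.
    for pair in certs/iRedMail.crt:fullchain.pem private/iRedMail.key:privkey.pem; do
        link="$root/etc/pki/tls/${pair%%:*}"
        target="$live/$domain/${pair##*:}"
        if [ ! -L "$link" ]; then
            echo "FAIL: $link is not a symlink"; fails=$((fails + 1))
        elif [ ! -e "$target" ] ||
             [ "$(readlink -f "$link")" != "$(readlink -f "$target")" ]; then
            echo "FAIL: $link does not resolve to $target"; fails=$((fails + 1))
        fi
    done

    # 2. live/ and archive/ need the "other" execute bit so that
    #    non-root users can traverse them.
    for dir in "$live" "$archive"; do
        mode=$(stat -c '%a' "$dir" 2>/dev/null) || mode=0
        if [ $((0$mode & 1)) -eq 0 ]; then
            echo "FAIL: $dir (mode $mode) is not traversable"; fails=$((fails + 1))
        fi
    done

    # 3. With those directories open, the key file's own mode is what
    #    keeps other local users out: it must not be world-readable.
    key=$(readlink -f "$live/$domain/privkey.pem" 2>/dev/null) || key=
    kmode=$(stat -c '%a' "$key" 2>/dev/null) || kmode=0
    if [ $((0$kmode & 4)) -ne 0 ]; then
        echo "FAIL: $key (mode $kmode) is world-readable"; fails=$((fails + 1))
    fi

    if [ "$fails" -eq 0 ]; then
        echo "OK: $domain certificate links and modes look right"
    fi
    return "$fails"
}

# On the mail server: check_le_deploy "" MAIL.MYDOMAIN.COM
```

Run it as root after creating the symlinks and again after a renewal; a non-zero exit status is the number of failed checks.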
Written by Benjamin Bream / March 31, 2020