Install SSL Certificate for iRedMail

Suppose we already have a signed SSL certificate, or will obtain one from Let’s Encrypt, as I described in this article:
Installing Certbot in Ubuntu

To install an SSL certificate for iRedMail, you need to specify it in the Dovecot, Postfix and Apache2 configuration.

First, specify the certificate in Dovecot. To do this, open the configuration file in a text editor:

sudo nano /etc/dovecot/dovecot.conf

Find the lines:

ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key

And change them to your certificate (say, from Let’s Encrypt):

ssl_ca = </etc/letsencrypt/live/ixnfo.com/chain.pem
ssl_cert = </etc/letsencrypt/live/ixnfo.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/ixnfo.com/privkey.pem

Leave the ssl_dh line unchanged.

Now open the Postfix configuration:

sudo nano /etc/postfix/main.cf

Find the lines:

smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs

And change them to your certificate (say, from Let’s Encrypt):

smtpd_tls_key_file = /etc/letsencrypt/live/ixnfo.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/ixnfo.com/fullchain.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/ixnfo.com/chain.pem
smtpd_tls_CApath = /etc/letsencrypt/live/ixnfo.com

Finally, open the Apache2 configuration:

sudo nano /etc/apache2/sites-enabled/default-ssl.conf

Find the lines:

SSLCertificateFile /etc/ssl/certs/iRedMail.crt
SSLCertificateKeyFile /etc/ssl/private/iRedMail.key

And change them:

SSLCertificateFile /etc/letsencrypt/live/ixnfo.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ixnfo.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ixnfo.com/chain.pem

To apply the changes, restart Dovecot, Postfix and Apache2, and make sure that they started successfully:

sudo service dovecot restart
sudo service postfix restart
sudo service apache2 restart
sudo service dovecot status
sudo service postfix status
sudo service apache2 status

This completes the installation of your SSL certificate for iRedMail.
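
To confirm that none of the three edited files still uses the iRedMail self-signed files and that every certificate and key path exists, the following check can be run as root. It is an added example, not part of the original article; the function names tls_settings and check_tls_config are made up for it.

```shell
#!/bin/sh
# Added example (not from the original article). Run as root, because
# /etc/letsencrypt/live is normally readable by root only.

# Print "setting path" for each certificate/key setting in config file $1.
# Commented-out lines are ignored because their first field starts with "#".
tls_settings() {
    awk '
    { gsub(/[=<]/, " ") }   # "ssl_cert = </path" becomes "ssl_cert   /path"
    $1 ~ /^(ssl_ca|ssl_cert|ssl_key)$/ ||
    $1 ~ /^smtpd_tls_(key_file|cert_file|CAfile)$/ ||
    $1 ~ /^SSLCertificate(File|KeyFile|ChainFile)$/ { print $1, $2 }
    ' "$1"
}

# Print one line per problem in config file $1; return 1 if any were found.
check_tls_config() {
    problems=$(tls_settings "$1" | while read -r name path; do
        case $path in
            */iRedMail.crt|*/iRedMail.key)
                echo "$1: $name still uses self-signed $path" ;;
            *)
                [ -e "$path" ] || echo "$1: $name points to missing $path" ;;
        esac
    done)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# The three files edited in this article; files that are absent are skipped.
for conf in /etc/dovecot/dovecot.conf /etc/postfix/main.cf \
            /etc/apache2/sites-enabled/default-ssl.conf; do
    [ -r "$conf" ] || continue
    check_tls_config "$conf" || echo "fix $conf, then restart the service"
done
```

No output means every setting points to an existing file that is not the self-signed default.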

Since Postfix and Dovecot must be restarted after each certificate renewal, we will specify the --post-hook option for the certbot renew command, for example, in /etc/crontab:

15 7 * * 1 root certbot renew --post-hook "service postfix restart; service dovecot restart" >> /var/log/certbot-renew.log

See also my articles:
How to renew SSL certificate on iRedMail
Google error “Failed to establish SSL secure connection to host”
