Install SSL Certificate for iRedMail

Suppose we already have a signed SSL certificate, or will obtain one from Let’s Encrypt, as I described in this article:
Installing Certbot in Ubuntu

To install an SSL certificate for iRedMail, you need to specify it in the Dovecot, Postfix and Apache2 configuration.

To specify the certificate in Dovecot, open its configuration file in a text editor:

sudo nano /etc/dovecot/dovecot.conf

Find the lines:

ssl_cert = </etc/ssl/certs/iRedMail.crt
ssl_key = </etc/ssl/private/iRedMail.key

And change them to your certificate (say, from Let’s Encrypt):

#ssl_ca = </etc/letsencrypt/live/
ssl_cert = </etc/letsencrypt/live/
ssl_key = </etc/letsencrypt/live/

The ssl_dh line is left unchanged.

Now open the Postfix configuration:

sudo nano /etc/postfix/

Find the lines:

smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_CApath = /etc/ssl/certs

And change them to your certificate (say, from Let’s Encrypt):

smtpd_tls_key_file = /etc/letsencrypt/live/
smtpd_tls_cert_file = /etc/letsencrypt/live/
smtpd_tls_CAfile = /etc/letsencrypt/live/
smtpd_tls_CApath = /etc/letsencrypt/live/

Finally, open the Apache2 configuration:

sudo nano /etc/apache2/sites-enabled/default-ssl.conf

Find the lines:

SSLCertificateFile /etc/ssl/certs/iRedMail.crt
SSLCertificateKeyFile /etc/ssl/private/iRedMail.key

And change them:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

To apply the changes, restart Dovecot, Postfix, Apache2 and make sure that they are successfully launched:

sudo service dovecot restart
sudo service postfix restart
sudo service apache2 restart
sudo service dovecot status
sudo service postfix status
sudo service apache2 status

This completes the installation of your SSL certificate for iRedMail.
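
A mistyped path in any of the three files can leave a service without working TLS or unable to start, so a check like the following can be run before the restart. It is an added example, not part of the original article: the function names tls_paths and check_tls_config are hypothetical, and it reports active directives that still use the iRedMail self-signed files or point at a file that cannot be read.

```shell
#!/bin/sh
# Added example: pre-restart check of the certificate paths edited above.
# Run as root so the private key is readable, for instance:
#   check_tls_config /etc/dovecot/dovecot.conf \
#       /etc/apache2/sites-enabled/default-ssl.conf   # plus your Postfix config file

# Print "directive path" for each active certificate/key directive in a
# Dovecot, Postfix or Apache config file.
tls_paths() {
    awk '
        /^[ \t]*#/ { next }        # commented-out lines are not in effect
        { gsub(/=/, " ") }         # "name = value" and "name value" split alike
        $1 ~ /^(ssl_ca|ssl_cert|ssl_key|smtpd_tls_key_file|smtpd_tls_cert_file|smtpd_tls_CAfile|SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile)$/ {
            path = $NF
            sub(/^</, "", path)    # Dovecot reads the file content via "<"
            print $1, path
        }' "$1"
}

# Report directives that still use the self-signed iRedMail files or that
# point at an unreadable file. Returns non-zero if any problem was found.
check_tls_config() {
    rc=0
    for conf in "$@"; do
        # A here-document (not a pipe) keeps the loop in this shell, so rc survives.
        while read -r directive path; do
            [ -n "$directive" ] || continue
            case "$path" in
                */iRedMail.crt|*/iRedMail.key)
                    echo "$conf: $directive still uses self-signed $path"
                    rc=1 ;;
                *)
                    [ -r "$path" ] || {
                        echo "$conf: $directive points at unreadable $path"
                        rc=1
                    } ;;
            esac
        done <<EOF
$(tls_paths "$conf")
EOF
    done
    return $rc
}
```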

Since Postfix and Dovecot must be restarted after each certificate renewal, we will specify the --post-hook option for the certbot renew command, for example, in /etc/crontab:

15 7 * * 1 root certbot renew --post-hook "service postfix restart; service dovecot restart" >> /var/log/certbot-renew.log

See also my articles:
How to renew SSL certificate on iRedMail
Google error “Failed to establish SSL secure connection to host”

1 Comment

  1. Thank you for your blog, but what if for multiple domains? Do you have any articles that can be read? Thank you.