If you’re running your own mail server, it’s best practice to connect to it securely with an SSL/TLS connection. You’ll need a valid certificate for these secure connections. In this tutorial, we’ll set up a Let’s Encrypt certificate for our mail server that renews automatically.
Warning: This tutorial is based on this tutorial: but modified so you have a separate certificate for your mail server and control panel. If you have followed that tutorial before, this tutorial might break your setup.
This tutorial uses certificates issued by acme.sh. If you are using certbot, follow this tutorial instead:
Note for ISPConfig 3.2: ISPConfig 3.2 is able to create a valid Let’s Encrypt SSL certificate for the server hostname automatically during installation, which is used for the mail server as well. There is no need to manually create a Let’s Encrypt SSL certificate as described here on ISPConfig 3.2 systems unless you need different domain names in the SSL certificate beside the server hostname.
Prerequisites
- Your server should be installed according to the Perfect Server tutorial for your OS.
- Make sure you’re logged in as root user.
Getting started
I will be using the following hostnames for my mailserver: mail.example.com, smtp.example.com, imap.example.com.
Replace every example hostname in this tutorial (mail.example.com, smtp.example.com, imap.example.com) with your own.
Create the DNS records for your hostname(s), so they point to your server. These should be A (and, if your server has IPv6, AAAA) records. Then, in the ISPConfig interface, go to the Sites tab.
Issuing the certificate
Under Sites, click “Add new website”. Set mail.example.com as domain. Disable Auto-Subdomain, and check the Let’s Encrypt checkbox.
After this you can add your other hostnames as alias domains, by going to the aliasdomain list and clicking “Add new aliasdomain”. Select smtp.example.com as domain, and mail.example.com as parent website. Disable Auto-Subdomain and save the new record. Repeat this for any other hostnames you use.
Verify that the certificate is in place. You can do this with a tool like
It should look something like this:
If the hostname(s) are listed and there are no other errors, you can proceed. Otherwise, check the errors and resolve them before going further.
Replacing the certificate with the Let’s Encrypt certificate
Now we can replace the current certificate with your trusted certificate. Log in to your server and run these commands:
(replace mail.example.com with the hostname you used for the website)
cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /root/.acme.sh/mail.example.com/fullchain.cer smtpd.cert
ln -s /root/.acme.sh/mail.example.com/mail.example.com.key smtpd.key
systemctl restart postfix
systemctl restart dovecot
The certificate should now be used for your Postfix and Dovecot server. But we are not done yet! The Let’s Encrypt certificate renews every 60 days, so we should automate the process of replacing the certificate in the future, so you can’t forget about it.
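To confirm that Postfix and Dovecot really serve the renewed certificate with all expected hostnames, here is an added checker script; it is not part of the original tutorial. It assumes the hostnames and the acme.sh path used above, that the script runs on a machine that can reach ports 25 and 993 of the mail server, and uses the standard library only.

```python
import hashlib
import smtplib
import socket
import ssl
import time

# Assumptions: the hostnames and acme.sh path used in the tutorial above.
EXPECTED_NAMES = ("mail.example.com", "smtp.example.com", "imap.example.com")
CERT_FILE = "/root/.acme.sh/mail.example.com/fullchain.cer"
MIN_DAYS_LEFT = 30  # acme.sh renews at 60 days; fewer days left means renewal or restart failed

def fetch_smtp(host, port=25):
    """Certificate Postfix presents after STARTTLS, as (parsed dict, DER bytes)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ssl.create_default_context())  # raises if chain or hostname check fails
        return smtp.sock.getpeercert(), smtp.sock.getpeercert(binary_form=True)

def fetch_imap(host, port=993):
    """Certificate Dovecot presents on the implicit-TLS IMAP port."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.getpeercert(), tls.getpeercert(binary_form=True)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM bundle (fullchain.cer starts with the leaf)."""
    leaf = pem_text.split("-----END CERTIFICATE-----", 1)[0] + "-----END CERTIFICATE-----"
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()

def check(cert, der, expected=EXPECTED_NAMES, disk_fp=None, now=None):
    """Return the problems found; an empty list means the served certificate is good."""
    problems = []
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    missing = set(expected) - sans
    if missing:
        problems.append("not in certificate: " + ", ".join(sorted(missing)))
    left = (ssl.cert_time_to_seconds(cert["notAfter"]) - (now or time.time())) / 86400
    if left < MIN_DAYS_LEFT:
        problems.append(f"expires in {left:.0f} days")
    if disk_fp and hashlib.sha256(der).hexdigest() != disk_fp:
        problems.append("served certificate differs from fullchain.cer (services not restarted?)")
    return problems

if __name__ == "__main__":
    with open(CERT_FILE) as f:
        on_disk = leaf_fingerprint(f.read())
    for proto, (cert, der) in (("smtp", fetch_smtp(EXPECTED_NAMES[0])),
                               ("imap", fetch_imap(EXPECTED_NAMES[0]))):
        print(proto, check(cert, der, disk_fp=on_disk) or "OK")
```

Run it after every restart of Postfix and Dovecot: a fingerprint mismatch means the services still hold the old certificate, and a missing name means the certificate was issued for the wrong (alias) domain.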
Multiserver nodes without ISPConfig GUI
If this is a node without GUI in an ISPConfig multiserver setup, you must now check if ISPConfig itself has an SSL certificate. Do not do this step on a single server setup or a server that runs an ISPConfig GUI.
You can do the test with the following ls commands:
cd /usr/local/ispconfig/interface/ssl/
ls ispserver.crt
ls ispserver.key
The result will look like this if there is already a certificate:
root@server:/usr/local/ispconfig/interface/ssl# ls ispserver.crt
ispserver.crt
root@server:/usr/local/ispconfig/interface/ssl# ls ispserver.key
ispserver.key
If the two ls commands do not return the ispserver.crt and ispserver.key files, then create them as symlinks to the Let’s Encrypt certificate like this:
ln -s /root/.acme.sh/mail.example.com/fullchain.cer ispserver.crt
ln -s /root/.acme.sh/mail.example.com/mail.example.com.key ispserver.key
Set up an automatic renewal script
Open a new script file:
nano /etc/init.d/le_mailserver_restart.sh
Paste this in that file:
#!/bin/sh
### BEGIN INIT INFO
# Provides: LE MAILSERVER CERT AUTO UPDATER
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: LE MAILSERVER CERT AUTO UPDATER
# Description: Restart mail server automatically when a new Let's Encrypt certificate is issued.
### END INIT INFO
systemctl restart postfix
systemctl restart dovecot
Make the script executable:
chmod +x /etc/init.d/le_mailserver_restart.sh
To automatically trigger this script on renewal, we are going to use systemd.
Create and open the new systemd service:
nano /etc/systemd/system/le-mailserver-restart.service
Paste this in that file:
[Unit]
Description="Run script to restart Postfix and Dovecot after the certificate has been renewed"

[Service]
ExecStart=/etc/init.d/le_mailserver_restart.sh
Save and close this file. Then create and open the new systemd path file:
nano /etc/systemd/system/le-mailserver-restart.path
Paste this in that file and replace mail.example.com with the hostname you used:
[Unit]
Description="Monitor the mailserver certificate files to trigger a e-mail services restart after the certificates has been renewed"

[Path]
PathModified=/root/.acme.sh/mail.example.com/
Unit=le-mailserver-restart.service

[Install]
WantedBy=multi-user.target
Save and close this file. Then start the path unit:
systemctl start le-mailserver-restart.path
And enable it so it runs on startup:
systemctl enable le-mailserver-restart.path
And we’re done!
Not working?
I once had a problem with this, because Let’s Encrypt used one of the alias domains as main domain. You can find the main domain in the earlier mentioned SSL tool as “Common name”, or by listing the contents of /root/.acme.sh/ to see which of the (alias) domains has a folder there.
If you still experience a problem, open a thread on the forum so others can help you out.