TLS Certificate Installation

TLS Certificate Installation

Once we install TLS certificate for the email server, the security warning will disappear when we access the web-based panels.


a. Install Certbot and Obtain TLS Certificate

1. Before installing TLS certificate, install software-properties-common if not installed, by running the command on PuTTY SSH client or any Linux terminal:

root@mail:~# apt install software-properties-common
Install Software Properties Common

As you see, it’s already there which means it got installed during the installation of iRedMail.

2. Then, install Certbot by running the below command:

root@mail:~# apt install certbot python3-certbot-nginx
Install Certbot Nginx Server

Sometimes you get a prompt to confirm the installation by typing: y, or: Y.

3. Request the certificate by running the below command. You need to replace the email address and the domain in red with your own email address and your domain. For this purpose, you can use any email address instead of: postmaster@vpsprof.com.

root@mail:~# certbot certonly --webroot --agree-tos --email postmaster@vpsprof.com -d mail.vpsprof.com -w /var/www/html/
Request TLS Certificate Email Subscription

You will be asked to share your email address with the Electronic Frontier Foundation to receive updates about their wok and news. It’s up to you, we will not share the email, so we will type: N, or: n, then hit Enter key. If you would like to share your email, type: Y, or y then hit Enter key.

Request TLS Certificate Successfully Done

And here it’s done successfully! The certificate has been saved in the directory: /etc/letsencrypt/live/mail.vpsprof.com. If you fail to obtain the TLS certificate, it might be because your DNS records are not propagated, it takes up to 48 hours to propagate.

b. Nginx TLS Configuration

1. You need to edit Nginx SSL template file in order to configure Nginx web server to use the generated certificate. Open it by running the below command then hit Enter key.

root@mail:~# nano /etc/nginx/templates/ssl.tmpl

After that, find the below lines, the file is small so you can find them easily. In case the file is big, just press: Ctrl+w to search for any text inside the file. After that, type the text you want to search for. Then, hit Enter key. We’re explaining this with screen shots later on this article.

ssl_certificate /etc/ssl/certs/iRedMail.crt; 
ssl_certificate_key /etc/ssl/private/iRedMail.key;

Comment them by adding a hash symbol (#) at the beginning of each line then add the following lines below them. Don’t forget to replace vpsprof.com domain in red with your own domain.

ssl_certificate /etc/letsencrypt/live/mail.vpsprof.com/fullchain.pem; 
ssl_certificate_key /etc/letsencrypt/live/mail.vpsprof.com/privkey.pem;

After editing the file, it should look like below. Close the file and save the changes as we explained before: Ctrl+x, after that: Y (or: y), then hit Enter key.

Configure Nginx to Use TLS Certificate

2. We need to reload Nginx server. But, before we do that, we should make sure that the configuration has no errors. In case you reload the server with errors, it will stop working. That’s why you need to be careful and always test the configuration before loading Nginx server. To test the configuration, run the below command:

root@mail:~# nginx -t
Text Nginx Configuration OK

As you see, the configuration has no syntax errors, so we can reload it now safely by running the command:

root@mail:~# service nginx reload
Reload Nginx Server

Nginx will not show any notification after the reload process. To make sure it’s running, run the command:

root@mail:~# service nginx status
Chek Nginx Server Status

As you see, it’s active (running).

Now, if you visit any of the web-based panels, you will not see any of the privacy certificate warning. Also, the http domain (http://mail.vpsprof.com/mail/) will be redirected to https domain (https://mail.vpsprof.com/mail/)

No Privacy Warning After TLS Certificate Installation

c. Postfix TLS Configuration

1. Postfix service is the sending service for the email server. Go to the file below (open it).

root@mail:~# nano /etc/postfix/main.cf

Locate the below lines and comment them by adding hash (#) symbol at the beginning of each line.

smtpd_tls_key_file = /etc/ssl/private/iRedMail.key 
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt 
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt

The file is big, so you can’t locate the lines easily without searching. We will search for: smtpd_tls_key_file. So, copy it first by pressing: Ctrl+v. After that, go to the file on the console and press Ctrl+w, the search prompt will show up as below:

Search Text in Nano File Ctrl+w

Then, click single right mouse click anywhere on the file to paste the copied text as below:

Paste Text in Linux Nano File

Here’s the result of the search:

Search Text in Linux Nano File Result

Add the following lines below them (by moving the cursor inside the file using arrow keys below the lines that we commented then click a single right mouse click anywhere in the file to paste the copied text at the cursor’s position). Don’t forget to replace vpsprof.com domain in red with your own domain.

smtpd_tls_key_file = /etc/letsencrypt/live/mail.vpsprof.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.vpsprof.com/cert.pem 
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.vpsprof.com/chain.pem

The file will look like below after the change:

Install TLS Certificate on Postfix

Close the file and save the changes: Ctrl+x, then: Y (or: y), then hit Enter key.

2. Now, reload the Postfix service by running the command:

root@mail:~# service postfix reload
Reload Postfix Server

To check if the Postfix server is running, run the command:

root@mail:~# service postfix status
Check Postfix Server Status

As you see, it’s active.

d. Dovecot TLS Configuration

1. Open the configuration by running the below command:

root@mail:~# nano /etc/dovecot/dovecot.conf

Find the below lines, comment them as we did before.

ssl_cert = </etc/ssl/certs/iRedMail.crt 
ssl_key = </etc/ssl/private/iRedMail.key

Add the following lines below them and replace the domain in red with your own domain.

ssl_cert = </etc/letsencrypt/live/mail.vpsprof.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.vpsprof.com/privkey.pem

The file will look like this after the changes applied, save the changes as we did before.

Install TLS Certificate on Dovecot

2. Reload the Dovecot server by running the blow command:

root@mail:~# service dovecot reload
Reload Dovecot Server

Check the status of Dovecot server by running the command:

root@mail:~# service dovecot status
Check Dovecot Server Status

Press Ctrl+c to exit and go back to terminal prompt, it should look like this after you exit:

Check Dovecot Server Status Exit

e. Verify the Installation

1. Now, test that everything is working well, send a test email. If you get an error: smtp error (454) authentication failed, when sending from Roundcube, then there’s a problem inside the file: /etc/postfix/main.cf on the Postfix server (go back to step C), make sure that the domain is correct, once you correct the error, restart the Postfix server as we did before then try again to send a test email.

2. You need to make sure that port 25 is enabled by running the command:

root@mail:~# telnet gmail-smtp-in.l.google.com 25

If it’s open, you should see an output like below:

Telnet Check if Port 25 is Open

To exit the current Telnet session, press: Ctrl+]. The command prompt will show as: telnet> as below:

Close Telnet Session Ctrl with Right Bracket

To go back to the terminal command prompt (root@mail:~#), type: close as below:

Back to Linux Terminal from Telnet

f. Renew TLS Certificate

To keep the TLS certificate up to date, do the following:

1. Go to cron jobs file by running the command:

crontab -e

You will be asked to choose which editor to use in order to view the content of the cron jobs file. Type: 1 then hit Enter key.

Open Crontab for the First Time

The file will look like below:

Crontab File Content

Add the below at the end of the file. Note that the reload for the Postfix, Dovecot and Nginx is necessary to make these programs pick up the new certificate and the private key.

@daily certbot renew --quiet && systemctl reload postfix dovecot nginx

The file should look like below after the change:

Crontab Renew TLS Certificate Daily

Now, we’re done, just close the file and save the changes as usual: Ctrl+x -> type: y -> hit Enter key.

In this next article, we will will improve email deliverability so our emails won’t be labeled as spam.

Leave a Comment

Your email address will not be published.