Introduction

iRedMail is a powerful open-source mail server solution that ships with a self-signed SSL certificate by default. A self-signed certificate still encrypts the connection, but clients have no way to verify who they are talking to, so Apple Mail, Outlook, Thunderbird and the rest raise a security warning on every connection (and users who learn to click through that warning are exactly what a man-in-the-middle needs). This tutorial guides you through replacing the self-signed certificate with a trusted Let’s Encrypt certificate for a professional, warning-free email experience.

Why Let’s Encrypt?

  • Free and trusted – Issued by a CA that is in the root store of every major operating system and email client
  • Auto-renewing – Certificates are valid for 90 days and certbot renews them automatically once fewer than 30 days remain
  • Improved security – Clients can verify the server’s identity, which is what stops a man-in-the-middle from presenting its own certificate (TLS versions and ciphers are a separate server-side setting and are not changed by the certificate)
  • No more warnings – Eliminates “untrusted certificate” errors

Prerequisites

  • iRedMail installed and configured
  • Port 80 reachable from the Internet (Let’s Encrypt validates the hostname over plain HTTP, at issuance and again at every renewal)
  • Public DNS A record (and AAAA if you have IPv6) for the hostname pointing to your server (e.g., mail.yourdomain.com); Let’s Encrypt connects to whatever that name resolves to
  • Root or sudo access

Step 1: Install Certbot

Rocky Linux 10, RHEL 10, CentOS Stream 10, Fedora

# Enable the EPEL repository (Rocky/CentOS Stream). Fedora ships certbot in its own
# repositories and needs no EPEL; on RHEL itself epel-release is not in the default
# repositories and is installed from the EPEL project's epel-release RPM instead
sudo dnf install epel-release -y

# Install certbot
sudo dnf install certbot python3-certbot -y

Ubuntu/Debian

# Update package list
sudo apt update

# Install certbot
sudo apt install certbot -y

Step 2: Obtain Let’s Encrypt Certificate

Option A: Standalone Mode (Simplest – certbot runs its own web server on port 80, so Nginx is stopped for a few seconds)

# Stop Nginx (iRedMail uses Nginx, and certbot's built-in server needs port 80)
sudo systemctl stop nginx

# Obtain certificate
sudo certbot certonly --standalone \
  -d mail.yourdomain.com \
  --email admin@yourdomain.com \
  --agree-tos \
  --no-eff-email

# Start Nginx
sudo systemctl start nginx

Certbot remembers the method it used, so a certificate issued this way also needs port 80 free at every renewal; see Step 8 for the pre/post hooks that stop and start Nginx around the renewal. Option B avoids the interruption altogether.

Option B: Webroot Mode (No service interruption – certbot drops the challenge file into a directory Nginx already serves)

iRedMail’s Nginx configuration already serves /.well-known/acme-challenge/ from /var/www/html; confirm it with `grep -r acme-challenge /etc/nginx/` before relying on it. Run the command below once with --dry-run added: a rehearsal against the Let’s Encrypt staging environment costs nothing, whereas failed validations against production count against the rate limits.

# Create webroot directory (harmless if it already exists)
sudo mkdir -p /var/www/html/.well-known/acme-challenge

# Obtain certificate using webroot
sudo certbot certonly --webroot \
  -w /var/www/html \
  -d mail.yourdomain.com \
  --email admin@yourdomain.com \
  --agree-tos \
  --no-eff-email

Note: Replace mail.yourdomain.com with your actual mail server hostname and admin@yourdomain.com with your email address. The certificate must cover every name clients are configured with: if users also connect to smtp.yourdomain.com or imap.yourdomain.com, add each one as another -d argument, or the warning comes back as a hostname mismatch.

Step 3: Configure Postfix to Use Let’s Encrypt Certificates

Point Postfix at fullchain.pem, not cert.pem: fullchain.pem includes the Let’s Encrypt intermediate, and a client that cannot build the chain on its own fails verification with “unable to verify the first certificate” even though the leaf certificate is valid.

# Update Postfix SSL configuration
sudo postconf -e "smtpd_tls_cert_file = /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem"
sudo postconf -e "smtpd_tls_key_file = /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem"

# Check the configuration, then restart Postfix
sudo postfix check && sudo systemctl restart postfix

Step 4: Configure Dovecot to Use Let’s Encrypt Certificates

iRedMail ships a single /etc/dovecot/dovecot.conf that sets ssl_cert and ssl_key directly and does not include the conf.d/ directory (check with `grep include /etc/dovecot/dovecot.conf`), so editing /etc/dovecot/conf.d/10-ssl.conf changes nothing on an iRedMail host. Look at the effective values first and edit the file that defines them:

# Show the SSL settings Dovecot is actually using
sudo doveconf -n | grep -E '^ssl_(cert|key)'

# Backup the configuration you are about to change
sudo cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.bak

# Edit Dovecot SSL configuration (iRedMail: dovecot.conf; a hand-built Dovecot
# keeps these lines in /etc/dovecot/conf.d/10-ssl.conf instead)
sudo nano /etc/dovecot/dovecot.conf

Find and update the following lines (the leading < is Dovecot’s “read from this file” syntax and is required):

ssl_cert = </etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.yourdomain.com/privkey.pem

Validate the configuration, then restart Dovecot:

sudo doveconf -n >/dev/null && sudo systemctl restart dovecot

Step 5: Configure iRedMail Web Interface (Nginx: Roundcube, iRedAdmin, etc.)

iRedMail’s Nginx configuration references /etc/pki/tls/certs/iRedMail.crt and /etc/pki/tls/private/iRedMail.key on RHEL-family systems (/etc/ssl/certs/iRedMail.crt and /etc/ssl/private/iRedMail.key on Debian/Ubuntu). Do not copy the Let’s Encrypt files into place: a copy is never refreshed when certbot renews, so roughly 60 days later Nginx would be serving an expired certificate while Postfix and Dovecot are fine. Replace the files with symlinks instead, so every service that still references them follows each renewal:

# Keep the self-signed originals
sudo mv /etc/pki/tls/certs/iRedMail.crt /etc/pki/tls/certs/iRedMail.crt.bak
sudo mv /etc/pki/tls/private/iRedMail.key /etc/pki/tls/private/iRedMail.key.bak

# Point the iRedMail paths at the live Let's Encrypt files
sudo ln -s /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
sudo ln -s /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem /etc/pki/tls/private/iRedMail.key

# The private key stays root-owned with mode 0600 under /etc/letsencrypt/archive.
# Nginx, Postfix and Dovecot all read it as root before dropping privileges, so no
# chmod is needed (chmod on the symlink would loosen the real key)

# Check the configuration, then reload Nginx
sudo nginx -t && sudo systemctl reload nginx
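The wiring in Steps 3 to 5 done as one script, as an added example that is not iRedMail’s or certbot’s own code: it checks that the Let’s Encrypt certificate and key actually belong together before touching anything (a mismatch makes all three services refuse to start TLS), replaces iRedMail’s own iRedMail.crt/iRedMail.key files with symlinks so renewals propagate without re-copying, and installs a certbot deploy hook that validates each service’s configuration before reloading it. The iRedMail.crt/iRedMail.key locations are iRedMail’s defaults; the HOST value, the rhel/debian detection and the hook file name iredmail-reload.sh are assumptions made here.

```bash
#!/usr/bin/env bash
# Added example (not iRedMail's or certbot's own code): wire Postfix, Dovecot and
# Nginx to the Let's Encrypt files through iRedMail's own certificate paths and
# install a certbot deploy hook, so renewals propagate without re-copying files.
# Assumptions: iRedMail's default iRedMail.crt/iRedMail.key locations, a placeholder
# hostname in HOST, and a hook file name chosen here (iredmail-reload.sh).
set -eu

HOST="${HOST:-mail.yourdomain.com}"          # placeholder: your mail hostname
LIVE="/etc/letsencrypt/live/$HOST"           # where certbot keeps the current files

# iRedMail's default certificate locations differ by distribution family.
iredmail_cert_paths() {   # $1 = rhel|debian; prints "<crt> <key>"
  case "$1" in
    rhel)   echo "/etc/pki/tls/certs/iRedMail.crt /etc/pki/tls/private/iRedMail.key" ;;
    debian) echo "/etc/ssl/certs/iRedMail.crt /etc/ssl/private/iRedMail.key" ;;
    *)      return 1 ;;
  esac
}

detect_family() {
  if [ -f /etc/redhat-release ]; then echo rhel; else echo debian; fi
}

# A certificate and a private key belong together only if they carry the same
# public key. Compare the SubjectPublicKeyInfo extracted from each side; a mismatch
# would make Postfix, Dovecot and Nginx refuse to start TLS after the reload.
cert_key_match() {   # $1 = certificate PEM, $2 = private key PEM
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Replace iRedMail's self-signed files with symlinks to the live Let's Encrypt
# files (originals kept as .bak). Every service that still references
# iRedMail.crt/iRedMail.key then follows each renewal automatically.
link_iredmail_certs() {   # $1 = rhel|debian
  local paths crt key
  paths=$(iredmail_cert_paths "$1") || return 1
  set -- $paths
  crt=$1; key=$2
  cert_key_match "$LIVE/fullchain.pem" "$LIVE/privkey.pem" ||
    { echo "refusing: $LIVE/fullchain.pem and privkey.pem do not match" >&2; return 1; }
  if [ -e "$crt" ] && [ ! -L "$crt" ]; then mv "$crt" "$crt.bak"; fi
  if [ -e "$key" ] && [ ! -L "$key" ]; then mv "$key" "$key.bak"; fi
  ln -sfn "$LIVE/fullchain.pem" "$crt"
  ln -sfn "$LIVE/privkey.pem"  "$key"
}

# certbot runs every executable in renewal-hooks/deploy/ after a successful renewal,
# whichever timer or cron job triggered it. Validate each config before reloading so
# a broken config cannot take mail down, and reload rather than restart so active
# client connections survive.
install_deploy_hook() {
  local hook=/etc/letsencrypt/renewal-hooks/deploy/iredmail-reload.sh
  mkdir -p "$(dirname "$hook")"
  cat > "$hook" <<'EOF'
#!/bin/sh
set -e
postfix check
doveconf -n >/dev/null
nginx -t
systemctl reload postfix dovecot nginx
EOF
  chmod 0755 "$hook"
  echo "$hook"
}

main() {
  local family hook
  family=$(detect_family)
  link_iredmail_certs "$family"
  hook=$(install_deploy_hook)
  "$hook"                                    # apply the new files right now
  echo "linked $(iredmail_cert_paths "$family") -> $LIVE; deploy hook: $hook"
}

# Usage: sudo HOST=mail.yourdomain.com ./wire-le-certs.sh apply
if [ "${1:-}" = apply ]; then main; fi
```

With the symlinks in place, Postfix and Dovecot can keep pointing at iRedMail.crt/iRedMail.key or at the /etc/letsencrypt/live paths from Steps 3 and 4; either way the same files are read, and the deploy hook is what makes the running services pick up a renewed certificate.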

Step 6: Configure Firewall (if necessary)

iRedMail’s installer sets up a firewall for you (firewalld on RHEL-family systems, nftables on Debian/Ubuntu), so check which one is active before adding rules to a different tool. Port 80 must stay reachable from the Internet after issuance: every renewal repeats the HTTP validation.

# Ensure the firewall allows HTTP (ACME validation), HTTPS and the mail ports
sudo firewall-cmd --permanent --add-service={http,https,smtp,smtp-submission,smtps,imaps,pop3s}
sudo firewall-cmd --reload

If you run UFW instead (Ubuntu; not installed by iRedMail):

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 25/tcp
sudo ufw allow 465/tcp
sudo ufw allow 587/tcp
sudo ufw allow 993/tcp
sudo ufw allow 995/tcp

Step 7: Verify SSL Configuration

Two details matter in these checks. Feed openssl an EOF (</dev/null) or it sits waiting on the terminal instead of exiting, and match the verification line case-insensitively: OpenSSL prints “Verify return code” with a capital V, so a case-sensitive grep for “verify return code” silently matches nothing and hides failures. -verify_hostname additionally fails the check when the certificate does not cover the name clients connect to.

Test SMTP with STARTTLS (Port 587)

openssl s_client -connect mail.yourdomain.com:587 -starttls smtp -servername mail.yourdomain.com -verify_hostname mail.yourdomain.com </dev/null 2>/dev/null | grep -iE "verify return code|^subject="

Expected output (the exact subject format depends on the OpenSSL version):

subject=CN = mail.yourdomain.com
Verify return code: 0 (ok)

Anything other than 0 (ok) is a failure: 21 (unable to verify the first certificate) usually means the server sends cert.pem instead of fullchain.pem, and 62 (hostname mismatch) means the certificate does not cover this hostname.

Test SMTPS (Port 465)

openssl s_client -connect mail.yourdomain.com:465 -servername mail.yourdomain.com -verify_hostname mail.yourdomain.com </dev/null 2>/dev/null | grep -iE "verify return code|^subject="

Test IMAPS (Port 993)

openssl s_client -connect mail.yourdomain.com:993 -servername mail.yourdomain.com -verify_hostname mail.yourdomain.com </dev/null 2>/dev/null | grep -iE "verify return code|^subject="
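The same checks for every listener iRedMail exposes, as an added example that is not part of the original tutorial: it runs openssl s_client against 25, 587, 465, 993, 995 and 443, requires a clean chain and hostname verification on each, and also fails when the leaf certificate has less than 30 days left, which is the sign that auto-renewal (Step 8) is broken long before clients start complaining. The hostname in HOST is a placeholder, and the port list assumes iRedMail’s default services.

```bash
#!/usr/bin/env bash
# Added example (not iRedMail's own code): probe every TLS endpoint iRedMail exposes
# with openssl s_client and fail on a chain, hostname or imminent-expiry problem.
# Assumptions: a placeholder hostname in HOST, ports as iRedMail configures them,
# and the system CA store for chain validation.
set -u

HOST="${HOST:-mail.yourdomain.com}"
WARN_DAYS=30   # certbot renews at 30 days left; less than that means renewal is failing

# True when an s_client transcript (stdin) ends with a clean verification result.
# OpenSSL prints "Verify return code" with a capital V; a case-sensitive grep for
# "verify return code" matches nothing and hides failures.
verify_ok() {
  grep -q 'Verify return code: 0 (ok)'
}

# True when the PEM certificate in $1 expires within $2 days
# (x509 -checkend exits 0 when the certificate is still valid past that window).
cert_expiring_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Connect, verify the chain against the system CA store, verify the hostname and
# check the leaf's remaining lifetime. $3 is the STARTTLS protocol ("smtp", "imap",
# "pop3") or "" for implicit TLS. </dev/null gives s_client the EOF it needs to exit.
tls_probe() {   # $1 host, $2 port, $3 starttls protocol or ""
  local host="$1" port="$2" proto="${3:-}" out leaf
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -verify_hostname "$host" ${proto:+-starttls "$proto"} </dev/null 2>/dev/null)
  if ! printf '%s\n' "$out" | verify_ok; then
    echo "FAIL $port: $(printf '%s\n' "$out" | grep -m1 'Verify return code' || echo 'no TLS handshake')"
    return 1
  fi
  leaf=$(mktemp)
  printf '%s\n' "$out" | openssl x509 -outform PEM > "$leaf" 2>/dev/null   # first cert = leaf
  if cert_expiring_within "$leaf" "$WARN_DAYS"; then
    echo "FAIL $port: leaf expires within $WARN_DAYS days ($(openssl x509 -in "$leaf" -noout -enddate))"
    rm -f "$leaf"; return 1
  fi
  echo "OK   $port: $(openssl x509 -in "$leaf" -noout -subject -enddate | tr '\n' ' ')"
  rm -f "$leaf"
}

# Every listener a client or a peer MTA talks to: 25 is STARTTLS between mail
# servers, 443 is Roundcube and the admin panels behind Nginx.
check_all() {
  local rc=0
  tls_probe "$HOST" 25  smtp || rc=1
  tls_probe "$HOST" 587 smtp || rc=1
  tls_probe "$HOST" 465 ""   || rc=1
  tls_probe "$HOST" 993 ""   || rc=1
  tls_probe "$HOST" 995 ""   || rc=1
  tls_probe "$HOST" 443 ""   || rc=1
  return $rc
}

# Usage: HOST=mail.yourdomain.com ./tls-check.sh run   (exit status 0 only if all pass)
if [ "${1:-}" = run ]; then check_all; fi
```

Run it from a machine other than the mail server: that exercises the firewall rules from Step 6 as well as the certificates, and a verification result of 0 (ok) then means the client machine’s own CA store trusts the chain, which is what your users’ devices will do.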

Step 8: Configure Automatic Certificate Renewal

The certbot package ships a systemd timer: certbot.timer on Debian/Ubuntu (enabled on install) and certbot-renew.timer from EPEL (must be enabled by hand). Verify it:

# Check if renewal is scheduled; if this prints nothing on an EPEL system, run
# sudo systemctl enable --now certbot-renew.timer
sudo systemctl list-timers | grep certbot

# Test renewal process (dry run; note that a dry run does not execute deploy hooks)
sudo certbot renew --dry-run

Renewal writes new files under /etc/letsencrypt/live/, but the running services keep the old certificate in memory until they are reloaded. Put the reload in a script under /etc/letsencrypt/renewal-hooks/deploy/ (certbot runs every executable there after each successful renewal, whichever timer or cron job triggered it) rather than relying on a hook option given on one particular command line.

For manual cron job (only if no timer exists):

sudo crontab -e

Add this line to attempt renewal twice a day (certbot only renews when fewer than 30 days remain) and reload the services when a certificate was actually renewed:

0 2,14 * * * certbot renew --quiet --deploy-hook "systemctl reload postfix dovecot nginx"

Use --deploy-hook rather than --post-hook: a deploy hook runs only when a certificate was actually issued, and a reload keeps existing client connections alive whereas a restart drops them. If you issued with --standalone, renewals also need port 80, so add --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" as well, or reissue once with --webroot.

Step 9: Check the Postfix-Dovecot SASL Authentication Socket

Changing certificates does not touch SASL, but clients that were previously stuck on the certificate warning will now reach the login step, so this is the moment to confirm that authentication actually works. The values below are iRedMail’s own defaults; verify them before changing anything:

# Show the current Postfix SASL settings (should print yes, dovecot and private/dovecot-auth)
sudo postconf smtpd_sasl_auth_enable smtpd_sasl_type smtpd_sasl_path

# Set them only if they differ
sudo postconf -e "smtpd_sasl_auth_enable = yes"
sudo postconf -e "smtpd_sasl_type = dovecot"
sudo postconf -e "smtpd_sasl_path = private/dovecot-auth"

# Check if the auth socket exists (smtpd_sasl_path is relative to Postfix's queue_directory)
ls -la /var/spool/postfix/private/dovecot-auth

# If missing, ensure Dovecot creates it. iRedMail defines service auth in
# /etc/dovecot/dovecot.conf; a hand-built Dovecot uses conf.d/10-master.conf
sudo nano /etc/dovecot/dovecot.conf

Make sure the service auth section contains:

service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

With user and group set to postfix, mode 0660 is sufficient. What actually keeps other local users away from the socket is the 0700 mode of /var/spool/postfix/private itself, so never loosen that directory (see Issue 3 below).

Then restart services:

sudo systemctl restart dovecot postfix
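An added check script for this step, not iRedMail’s own code: it audits the three things that break SASL (Postfix settings that disagree with Dovecot, a missing socket, a private directory that is not 0700) and then performs a real AUTH PLAIN login over STARTTLS on port 587, which is exactly what a mail client does after it has accepted the certificate. The HOST value, the queue directory and the account you log in with are assumptions; the password is read from the terminal so it does not end up in shell history.

```bash
#!/usr/bin/env bash
# Added example (not iRedMail's own code): audit the Postfix<->Dovecot SASL socket
# as described in Step 9 (settings, socket, directory mode) and exercise AUTH PLAIN
# over STARTTLS on port 587. Assumptions: placeholder hostname in HOST, Postfix's
# default queue directory, and a test mailbox you own.
set -u

HOST="${HOST:-mail.yourdomain.com}"
QUEUE="${QUEUE:-/var/spool/postfix}"
SOCK="private/dovecot-auth"   # iRedMail's smtpd_sasl_path, relative to queue_directory

# AUTH PLAIN carries base64("\0user\0password"): plaintext credentials, so it is
# only ever sent inside the TLS session, never before STARTTLS.
auth_plain_token() {   # $1 = user, $2 = password
  printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Postfix keeps $queue_directory/private at mode 0700, owned by postfix. That
# directory mode, not the socket's own mode, is what keeps other local users away
# from the auth socket; anything more permissive than 0700 is a finding.
private_dir_ok() {   # $1 = queue directory
  [ "$(stat -c '%a' "$1/private" 2>/dev/null)" = "700" ]
}

# Postfix and Dovecot must agree on one path: smtpd_sasl_path is relative to
# queue_directory, Dovecot's unix_listener is absolute.
sasl_settings_ok() {
  [ "$(postconf -h smtpd_sasl_auth_enable)" = "yes" ] &&
  [ "$(postconf -h smtpd_sasl_type)" = "dovecot" ] &&
  [ "$(postconf -h smtpd_sasl_path)" = "$SOCK" ] &&
  [ -S "$(postconf -h queue_directory)/$SOCK" ]
}

# Log in over STARTTLS. Each command waits a moment for the previous reply, because
# Postfix may reject commands sent ahead of its replies as unauthorised pipelining.
# Returns 0 on "235 ... Authentication successful".
smtp_auth_test() {   # $1 = user, $2 = password
  { sleep 1; printf 'EHLO sasl-check\r\n'; sleep 1
    printf 'AUTH PLAIN %s\r\n' "$(auth_plain_token "$1" "$2")"; sleep 1
    printf 'QUIT\r\n'; } |
    openssl s_client -connect "$HOST:587" -starttls smtp -servername "$HOST" -quiet 2>/dev/null |
    grep -q '^235 '
}

main() {   # $1 = user; the password is read from the terminal, not the command line
  local pass
  private_dir_ok "$QUEUE" || echo "FIX: $QUEUE/private is not 0700; run 'postfix set-permissions'"
  sasl_settings_ok || echo "FIX: smtpd_sasl_* settings differ from iRedMail defaults or $QUEUE/$SOCK is missing"
  printf 'Password for %s: ' "$1" >&2
  stty -echo; read -r pass; stty echo; echo >&2
  if smtp_auth_test "$1" "$pass"; then echo "OK: AUTH PLAIN over STARTTLS accepted"
  else echo "FAIL: authentication rejected on $HOST:587"; return 1; fi
}

# Usage: sudo HOST=mail.yourdomain.com ./sasl-check.sh user@yourdomain.com
if [ $# -eq 1 ]; then main "$1"; fi
```

A 535 reply with the socket and settings in order usually means the wrong username form (iRedMail expects the full email address), while a 503 or connection drop before the 235 points back at the socket checks.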

Troubleshooting Common Issues

Issue 1: Port 80 Already in Use (standalone mode)

Something other than Nginx may be listening. Find out what it is before stopping services blindly, or switch to webroot mode (Option B), which needs no free port at all:

sudo ss -ltnp '( sport = :80 )'
sudo systemctl stop nginx
sudo certbot certonly --standalone -d mail.yourdomain.com
sudo systemctl start nginx

Issue 2: SELinux Blocking Certbot (Rocky Linux/RHEL/CentOS/Fedora)

Look at the actual denial before changing the enforcement mode: on a mail server, setenforce 0 removes a real barrier for every service on the box, not just for certbot.

# Show recent AVC denials
sudo ausearch -m AVC -ts recent

# The usual cause in webroot mode is a wrong file context on the challenge directory
sudo restorecon -Rv /var/www/html

# Last resort: permissive only for the duration of the issuance, then re-enable
sudo setenforce 0
sudo certbot certonly --webroot -w /var/www/html -d mail.yourdomain.com
sudo setenforce 1

Issue 3: Auth Socket Permission Denied

Do not chmod 755 /var/spool/postfix/private. Postfix requires that directory to be 0700 and owned by postfix, and a 755 directory exposes the auth socket (and every other private Postfix socket) to all local users. Let Postfix restore its own ownership and modes instead:

# Restore Postfix's expected ownership and permissions, then recheck
sudo postfix set-permissions
sudo postfix check
sudo systemctl restart dovecot postfix

Issue 4: Firewall Blocking Connections

# Open required ports (keep http open too: renewals validate over port 80)
sudo firewall-cmd --permanent --add-service={http,smtp-submission,smtps}
sudo firewall-cmd --reload

Email Client Configuration

After successful SSL setup, configure your email clients with the exact hostname on the certificate (a client pointed at yourdomain.com instead of mail.yourdomain.com still warns, because the name does not match):

Setting          Value
IMAP Server      mail.yourdomain.com
IMAP Port        993
IMAP Security    SSL/TLS
SMTP Server      mail.yourdomain.com
SMTP Port        465 or 587
SMTP Security    SSL/TLS (for 465) or STARTTLS (for 587)
Authentication   Normal password (sent only inside the TLS session)
Username         full@email.com (the complete email address)

Verification Checklist

  • [ ] Certbot successfully obtained certificate
  • [ ] Postfix (25, 465, 587) shows Verify return code: 0 (ok)
  • [ ] Dovecot (993, 995) shows Verify return code: 0 (ok)
  • [ ] Nginx (443) uses new certificate
  • [ ] Renewal timer or cron job is in place and a deploy hook reloads the services
  • [ ] Private key is still readable by root only
  • [ ] SASL authentication works
  • [ ] Email clients connect without warnings

Conclusion

You have successfully replaced iRedMail’s self-signed certificates with trusted Let’s Encrypt certificates. Your email server now:

  • ✅ Uses a certificate chained to a publicly trusted CA
  • ✅ No more security warnings in email clients
  • ✅ Certificates are valid for 90 days and renew automatically about 30 days before expiry, with the services reloaded afterwards
  • ✅ Serves the full certificate chain, so strict clients can validate it
  • ✅ Works with all major email clients

Your users can now enjoy a professional email experience without certificate warnings, regardless of their location or device.

This guide was tested on Rocky Linux 10.1, RHEL 10, CentOS Stream 10, Fedora 40+, and Ubuntu 24.04 LTS with iRedMail 1.7.0+