Tired of “untrusted certificate” warnings in your email client? Replace iRedMail’s self-signed SSL certificates with free Let’s Encrypt certificates. Step-by-step guide for Rocky Linux, Ubuntu, and more.
You’ve just set up iRedMail and created your first email account. You open Apple Mail, Outlook, or Thunderbird, add your account, and… a warning appears:
“Unable to verify server identity” or “Certificate is not trusted”
Your email works, but that warning is annoying at best and alarming to non-technical users at worst. Some email clients like Apple Mail may even refuse to connect at all.
The culprit? iRedMail’s default self-signed SSL certificate. It encrypts the connection just as well as any other certificate, but no operating system, browser, or mail client trusts it, because it was not issued by a recognized Certificate Authority (CA) and the client therefore cannot verify that it is talking to the server it expects.
In this guide, I’ll show you how to replace self-signed certificates with free Let’s Encrypt certificates that are automatically trusted by every email client and device worldwide.
Prerequisites
- Root or sudo access to your iRedMail server
- A domain name with DNS A record pointing to your server
- Port 80 available (temporarily for certificate issuance)
- iRedMail installed and running
Why Let’s Encrypt?
| Feature | Self-Signed | Let’s Encrypt |
|---|---|---|
| Cost | Free | Free |
| Trusted by clients | ❌ No | ✅ Yes |
| Auto-renewal | ❌ Manual | ✅ Automatic |
| Security warnings | ❌ Yes | ✅ No |
| Setup time | Already there | 10 minutes |
Step-by-Step Installation
Step 1: Install Certbot
Rocky Linux 10.1, RHEL 10, CentOS 10, Fedora:
```bash
sudo dnf install epel-release -y
sudo dnf install certbot python3-certbot -y
```
Ubuntu/Debian:
```bash
sudo apt update
sudo apt install certbot -y
```
Step 2: Stop Nginx Temporarily
iRedMail uses Nginx as its web server, and it listens on port 80, which certbot’s standalone authenticator needs for the challenge. We’ll stop it briefly to issue the certificate:
```bash
sudo systemctl stop nginx
```
Step 3: Obtain Let’s Encrypt Certificate
```bash
sudo certbot certonly --standalone \
  -d mail.yourdomain.com \
  --email admin@yourdomain.com \
  --agree-tos \
  --no-eff-email
```
Replace:
- mail.yourdomain.com with your actual mail server hostname
- admin@yourdomain.com with your email address
Expected output:
```text
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
```
Step 4: Start Nginx
```bash
sudo systemctl start nginx
```
Configuring Postfix
```bash
# Update Postfix SSL configuration
sudo postconf -e "smtpd_tls_cert_file = /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem"
sudo postconf -e "smtpd_tls_key_file = /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem"

# Restart Postfix
sudo systemctl restart postfix

# Verify the configuration
sudo postconf | grep smtpd_tls_cert
```
Expected output:
```text
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
```
Configuring Dovecot
```bash
# Backup original configuration
sudo cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.bak

# Edit Dovecot SSL configuration
sudo nano /etc/dovecot/conf.d/10-ssl.conf
```
Find and update these lines:
```dovecot
ssl_cert = </etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
```
For iRedMail on Rocky Linux/RHEL/CentOS/Fedora, also update the main configuration:
```bash
sudo nano /etc/dovecot/dovecot.conf
```
Update the same lines:
```dovecot
ssl_cert = </etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
```
Restart Dovecot:
```bash
sudo systemctl restart dovecot
```
Configuring Nginx (iRedMail Web Interface)
```bash
# Copy certificates for web services
sudo cp /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem /etc/pki/tls/certs/iRedMail.crt
sudo cp /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem /etc/pki/tls/private/iRedMail.key

# Set proper permissions (the chain is public, the key must not be world-readable)
sudo chmod 644 /etc/pki/tls/certs/iRedMail.crt
sudo chmod 640 /etc/pki/tls/private/iRedMail.key

# Restart Nginx
sudo systemctl restart nginx
```
Firewall Configuration
Ensure the firewall allows necessary ports:
Firewalld (Rocky Linux/RHEL/CentOS/Fedora):
```bash
sudo firewall-cmd --permanent --add-service={http,https,smtp,smtp-submission,smtps,imaps,pop3s}
sudo firewall-cmd --reload
```
UFW (Ubuntu/Debian):
```bash
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 25/tcp
sudo ufw allow 465/tcp
sudo ufw allow 587/tcp
sudo ufw allow 993/tcp
sudo ufw allow 995/tcp
```
Verification Steps
Test 1: SMTP with STARTTLS (Port 587)
```bash
# </dev/null closes the session after the handshake; -i because OpenSSL prints "Verify"
openssl s_client -connect mail.yourdomain.com:587 -starttls smtp -servername mail.yourdomain.com </dev/null 2>/dev/null | grep -Ei "verify return code|^subject="
```
Expected output:
```text
subject=CN = mail.yourdomain.com
Verify return code: 0 (ok)
```
Older OpenSSL releases print the subject line as subject=/CN=mail.yourdomain.com; the verify return code of 0 is what matters.
Test 2: SMTPS (Port 465)
```bash
openssl s_client -connect mail.yourdomain.com:465 -servername mail.yourdomain.com </dev/null 2>/dev/null | grep -Ei "verify return code|^subject="
```
Test 3: IMAPS (Port 993)
```bash
openssl s_client -connect mail.yourdomain.com:993 -servername mail.yourdomain.com </dev/null 2>/dev/null | grep -Ei "verify return code|^subject="
```
Test 4: HTTPS Web Interface
Open your browser and navigate to https://mail.yourdomain.com. Click the padlock icon. You should see “Connection is secure” with a valid certificate.
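The four checks above can be run as one script that also warns when the certificate is close to expiry, which is the first visible symptom of a renewal that has silently stopped working. The script below is an added example, not part of the original guide or of iRedMail; it assumes openssl is installed and that the hostname given on the command line resolves to the server. The port list is the one used in the tests above.

```shell
#!/bin/sh
# Added example: check every TLS endpoint of an iRedMail host in one pass and
# flag a certificate that is about to expire. Not part of iRedMail or of the
# guide's own commands. Assumes openssl is installed and HOST resolves to the server.
set -u

# fetch_chain HOST PORT [STARTTLS_PROTO]: perform a handshake and print what
# s_client reports. </dev/null closes the session once the handshake is done.
fetch_chain() {
  if [ -n "${3:-}" ]; then
    openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
  fi
}

# verify_code OUTPUT: the numeric OpenSSL verify result (0 means the chain is
# trusted by the local CA store); 255 if the line is missing (handshake failed).
verify_code() {
  code=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  printf '%s\n' "${code:-255}"
}

# subject_cn OUTPUT: the CN from the "subject=" line, accepting both the
# "subject=CN = host" and the older "subject=/CN=host" spellings.
subject_cn() {
  printf '%s\n' "$1" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# expires_within DAYS OUTPUT: true if the leaf certificate in OUTPUT expires
# within DAYS days. Also true when no certificate can be parsed (fail closed).
expires_within() {
  ! printf '%s\n' "$2" | openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# check_endpoint HOST PORT [STARTTLS_PROTO]: print a one-line verdict and return
# non-zero if the chain is untrusted, the name mismatches, or expiry is near.
check_endpoint() {
  out=$(fetch_chain "$1" "$2" "${3:-}")
  code=$(verify_code "$out")
  cn=$(subject_cn "$out")
  status=ok
  [ "$code" = 0 ] || status="untrusted(verify=$code)"
  [ "$cn" = "$1" ] || status="$status,name-mismatch(cn=$cn)"
  expires_within "${WARN_DAYS:-14}" "$out" && status="$status,expires-within-${WARN_DAYS:-14}d"
  echo "$1:$2 $status"
  [ "$status" = ok ]
}

# main HOST: the four endpoints the guide tests (submission, SMTPS, IMAPS, HTTPS)
main() {
  rc=0
  check_endpoint "$1" 587 smtp || rc=1
  check_endpoint "$1" 465      || rc=1
  check_endpoint "$1" 993      || rc=1
  check_endpoint "$1" 443      || rc=1
  return $rc
}

# Usage: sh check-mail-tls.sh mail.yourdomain.com   (exit status 0 only if all pass)
if [ $# -gt 0 ]; then
  main "$1"
fi
```

The exit status makes the script usable from a monitoring cron job: a non-zero result means at least one endpoint is untrusted, is presenting a different name, or will expire within WARN_DAYS (14 by default), all of which are worth an alert before clients start showing the warning again.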
Automatic Renewal Setup
Certbot automatically sets up renewal. Verify it:
```bash
# Check that a renewal timer is scheduled
sudo systemctl list-timers | grep certbot

# Test the renewal process (dry run). The standalone authenticator needs port 80,
# so Nginx has to be stopped around the attempt; the hooks do that for you
sudo certbot renew --dry-run --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
```
Manual cron job (if needed):
```bash
sudo crontab -e
```
Add this line:
```cron
# Nightly renewal check. The pre-hook frees port 80 for the standalone challenge
# and the post-hook restarts the services so they load the new files.
0 2 * * * certbot renew --quiet --pre-hook "systemctl stop nginx" --post-hook "systemctl restart postfix dovecot nginx"
```
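One gap remains in the renewal setup: the Nginx step copies the certificate files into /etc/pki/tls instead of pointing Nginx at /etc/letsencrypt, so after a renewal Postfix and Dovecot pick up the new files but Nginx keeps serving the old copy until someone copies them again. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal, regardless of whether the systemd timer or the cron line started it, with RENEWED_LINEAGE set to the renewed live directory. The script below is an added example, not part of iRedMail or certbot; it assumes the RHEL-family destination paths used in the Nginx step (override DEST_CRT and DEST_KEY on other distributions) and systemd units named postfix, dovecot and nginx.

```shell
#!/bin/sh
# Added example: certbot deploy hook that re-installs the renewed certificate
# for Nginx and reloads the mail services. Not part of iRedMail or certbot.
# Install as /etc/letsencrypt/renewal-hooks/deploy/iredmail.sh (mode 755).
# Assumptions: RHEL-family destination paths (override with DEST_CRT/DEST_KEY)
# and systemd units named postfix, dovecot and nginx.
set -eu

DEST_CRT="${DEST_CRT:-/etc/pki/tls/certs/iRedMail.crt}"
DEST_KEY="${DEST_KEY:-/etc/pki/tls/private/iRedMail.key}"

# install_cert LINEAGE_DIR DEST_CRT DEST_KEY
# Copy fullchain.pem and privkey.pem into place. Each copy is written to a
# temporary file beside its target with the final permissions already set and
# then renamed, so no reader ever sees a half-written or world-readable key.
# Returns 1 (without touching anything) if either source file is missing or empty.
install_cert() {
  lineage=$1; crt=$2; key=$3
  [ -s "$lineage/fullchain.pem" ] && [ -s "$lineage/privkey.pem" ] || return 1
  umask 077                                   # temp files start owner-only
  tmp_crt="$crt.tmp.$$"; tmp_key="$key.tmp.$$"
  cp "$lineage/fullchain.pem" "$tmp_crt"
  cp "$lineage/privkey.pem" "$tmp_key"
  chmod 644 "$tmp_crt"                        # the chain is public
  chmod 640 "$tmp_key"                        # the key stays out of "others"
  mv -f "$tmp_crt" "$crt"
  mv -f "$tmp_key" "$key"
}

# key_is_private FILE: true only if FILE exists and is not readable by "others"
key_is_private() {
  [ -f "$1" ] && [ -z "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# reload_services: Postfix and Dovecot read /etc/letsencrypt directly but only
# at (re)load time; Nginx reads the copy installed above.
reload_services() {
  systemctl reload-or-restart postfix dovecot nginx
}

# main [LINEAGE_DIR]: certbot passes the renewed lineage in RENEWED_LINEAGE;
# an explicit directory argument allows running the hook by hand.
main() {
  lineage="${1:-${RENEWED_LINEAGE:-}}"
  if [ -z "$lineage" ]; then
    echo "usage: $0 /etc/letsencrypt/live/mail.yourdomain.com" >&2
    return 2
  fi
  install_cert "$lineage" "$DEST_CRT" "$DEST_KEY"
  key_is_private "$DEST_KEY" || { echo "refusing to continue: $DEST_KEY is world-readable" >&2; return 1; }
  reload_services
  echo "installed: $(openssl x509 -noout -enddate < "$DEST_CRT")"
}

# Act only when invoked by certbot or given a directory; otherwise just define the functions.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ $# -gt 0 ]; then
  main "$@"
fi
```

To run it by hand after the initial issuance, pass the live directory as the argument. The same hook directory mechanism covers the port 80 problem for timer-driven renewals: a one-line script running systemctl stop nginx in /etc/letsencrypt/renewal-hooks/pre/ and one running systemctl start nginx in /etc/letsencrypt/renewal-hooks/post/ are executed by certbot around every renewal attempt, without editing the timer or the cron line.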
Troubleshooting
| Issue | Solution |
|---|---|
| Port 80 already in use | sudo systemctl stop nginx before certbot |
| SELinux blocking certbot | sudo dnf install certbot-selinux -y |
| Certificate not trusted | Wait a few minutes for DNS propagation |
| Wrong hostname | Verify DNS A record: dig mail.yourdomain.com |
| Firewall blocking | Ensure ports 80/443 are open temporarily |
Email Client Configuration (After SSL Fix)
Apple Mail
| Setting | Value |
|---|---|
| Incoming Server | mail.yourdomain.com |
| Incoming Port | 993 |
| Incoming SSL | ON |
| Outgoing Server | mail.yourdomain.com |
| Outgoing Port | 465 |
| Outgoing SSL | ON |
Microsoft Outlook
| Setting | Value |
|---|---|
| Incoming Server | mail.yourdomain.com:993 |
| Encryption | SSL/TLS |
| Outgoing Server | mail.yourdomain.com:465 |
| Encryption | SSL/TLS |
Thunderbird
| Setting | Value |
|---|---|
| Incoming Server | mail.yourdomain.com |
| Incoming Port | 993 |
| Connection Security | SSL/TLS |
| Outgoing Server | mail.yourdomain.com |
| Outgoing Port | 465 |
| Connection Security | SSL/TLS |
Conclusion
You’ve successfully replaced iRedMail’s self-signed certificates with trusted Let’s Encrypt certificates. Your email server now:
- ✅ No more security warnings in any email client
- ✅ Valid SSL certificates trusted globally
- ✅ Automatic renewal every 90 days
- ✅ Professional email experience for all users
Next Steps
- Test email sending and receiving from all devices
- Set up SPF, DKIM, and DMARC for better deliverability
- Configure backup MX if needed