Securing your ISPConfig 3 managed mailserver with a valid Let's Encrypt SSL certificate

If you're running your own mail server, it's best practice to connect to it securely with an SSL/TLS connection. You'll need a valid certificate for these secure connections. In this tutorial, we'll set up a Let's Encrypt certificate for our mail server that renews automatically.

Warning: This tutorial is based on this tutorial: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ but modified so you have a separate certificate for your mail server and control panel. If you have followed that tutorial before, this tutorial might break your setup.

This tutorial uses certificates issued by acme.sh. If you are using certbot, follow this tutorial instead: https://www.howtoforge.com/community/threads/securing-your-ispconfig-3-managed-mailserver-with-a-valid-lets-encrypt-ssl-certificate-certbot.86372/

Note for ISPConfig 3.2: ISPConfig 3.2 is able to create a valid Let's Encrypt SSL certificate for the server hostname automatically during installation, which is used for the mail server as well. There is no need to manually create a Let's Encrypt SSL certificate as described here on ISPConfig 3.2 systems unless you need different domain names in the SSL certificate beside the server hostname.

Prerequisites

• Your server should be installed according to the Perfect Server tutorial for your OS.
• Make sure you're logged in as root user.

Getting started

I will be using the following hostnames for my mailserver: mail.example.com, smtp.example.com, imap.example.com.

Replace all red underlined hostnames in this tutorial with your own.

Create the DNS records for your hostname(s), so they point to your server. These should be A (and eventually AAAA) records. Then, in the ISPConfig interface, go to the Sites tab.

Issuing the certificate

Under Sites, click "Add new website". Set mail.example.com as domain. Disable Auto-Subdomain, and check the Let's Encrypt checkbox.

After this you can add your other hostnames as alias domains, by going to the aliasdomain list and clicking "Add new aliasdomain". Select smtp.example.com as domain, and mail.example.com as parent website. Disable Auto-Subdomain and save the new record. Repeat this for eventual your other hostnames.

Verify that the certificate is in place. You can do this with a tool like https://www.sslshopper.com/ssl-checker.html

It should look something like this:

If the hostname(s) are listed and there are no other errors, you can proceed. Otherwise, check the errors and resolve them before going further.

Replacing the certificate with the Let's Encrypt certificate

Now we can replace the current certificate with your trusted certificate. Log in to your server and run these commands:

(replace mail.example.com with the hostname you used for the website)

cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /root/.acme.sh/mail.example.com/fullchain.cer smtpd.cert
ln -s /root/.acme.sh/mail.example.com/mail.example.com.key smtpd.key
systemctl restart postfix
systemctl restart dovecot

The certificate should now be used for your Postfix and Dovecot server. But we are not done yet! The Let's Encrypt certificate renews every 60 days, so we should automate the process of replacing the certificate in the future, so you can't forget about it.

Set up an automatic renewal script

Open a new script file:

nano /etc/init.d/le_mailserver_restart.sh

Paste this in that file:

#!/bin/sh
### BEGIN INIT INFO
# Provides: LE MAILSERVER CERT AUTO UPDATER
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: LE MAILSERVER CERT AUTO UPDATER
# Description: Restart mail server automatically when a new Let's Encrypt certificate is issued.
### END INIT INFO
systemctl restart postfix
systemctl restart dovecot

Make the script executable:

chmod +x /etc/init.d/le_mailserver_restart.sh

To automatically trigger this script on renewal, we are going to use systemd.

Create and open the new systemd service:

nano /etc/systemd/system/le-mailserver-restart.service

Paste this in that file:

[Unit] 
Description="Run script to restart Postfix and Dovecot after the certificate has been renewed"

[Service]
ExecStart=/etc/init.d/le_mailserver_restart.sh

Save and close this file. Then create and open the new systemd path file:

nano /etc/systemd/system/le-mailserver-restart.path

Paste this in that file and replace mail.example.com with the hostname you used:

[Unit]
Description="Monitor the mailserver certificate files to trigger a e-mail services restart after the certificates has been renewed"

[Path]
PathModified=/root/.acme.sh/mail.example.com/
Unit=le-mailserver-restart.service

[Install]
WantedBy=multi-user.target

Save and close this file. Then start the service and enable it so it runs on startup:Advertisement

systemctl start le-mailserver-restart.path

And enable it so it runs on startup:

systemctl enable le-mailserver-restart.path

And we're done!

Not working?

I once had a problem with this, because Let's Encrypt used one of the alias domains as main domain. You can find the main domain in the earlier mentioned SSL tool as "Common name" or by listing the content of /root/acme.sh/ to see which of the (alias)domains has a folder there.

If you still experience a problem, open a thread on the forum so others can help you out.