Securing your ISPConfig 3 managed mailserver with a valid Let's Encrypt SSL certificate (certbot)

Discussion in 'Tips/Tricks/Mods' started by Th0m, Feb 12, 2021.

Thread Status:
Not open for further replies.
  1. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This tutorial is for servers that have certbot installed. If you are using acme.sh, you have to use this tutorial: to be released

    If you are unsure, check if you have the folder /etc/letsencrypt on your system. If so, this guide is for you. Otherwise, you are most likely using amce.sh.


    If you're running your own mailserver, it's best practice to connect to it securely with a SSL/TLS connection. You'll need a valid certificate for these secure connections. In this tutorial, we'll set up a Let's Encrypt certificate for our mailserver that renews automatically.

    Warning: This tutorial is based on this tutorial: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ but modified so you have a separate certificate for your mailserver and control panel. If you have followed that tutorial before, this tutorial might break your setup.

    Note for ISPConfig 3.2: ISPConfig 3.2 is able to create a valid Let's Encrypt SSL certificate for the server hostname automatically during installation, which is used for the mail server as well. There is no need to manually create a Let's Encrypt SSL certificate as described here on ISPConfig 3.2 systems unless you need different domain names in the SSL certificate beside the server hostname.

    Prerequisites

    Your server should be installed according to the Perfect Server tutorial for your OS.

    Getting started
    I will be using the following hostnames for my mailserver: mail.example.com, smtp.example.com, imap.example.com.
    Replace all red underlined hostnames in this tutorial with your own.

    Create the DNS records for your hostname(s), so they point to your server. These should be A (and eventually AAAA) records. Then, in the ISPConfig interface, go to the Sites tab.

    Issuing the certificate
    Under Sites, click "Add new website". Set mail.example.com as domain. Disable Auto-Subdomain, and check the Let's Encrypt checkbox.

    After this you can add your other hostnames as alias domains, by going to the aliasdomain list and clicking "Add new aliasdomain". Select smtp.example.com as domain, and mail.example.com as parent website. Disable Auto-Subdomain and save the new record. Repeat this for eventual your other hostnames.
    Verify that the certificate is in place. You can do this with a tool like https://www.sslshopper.com/ssl-checker.html
    It should look something like this:
    Screenshot of SSL check
    If the hostname(s) are listed and there are no other errors, you can proceed. Otherwise, check the errors and resolve them before going further.

    Replacing the certificate with the Let's Encrypt certificate
    Now we can replace the current certificate with your trusted certificate. Log in to your server and run these commands:
    (replace mail.example.com with the hostname you used for the website)
    Code:
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/mail.example.com/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/mail.example.com/privkey.pem smtpd.key
    systemctl restart postfix
    systemctl restart dovecot
    The certificate should now be used for your Postfix and Dovecot server. But we are not done yet! The Let's Encrypt certificate renews every 60 days, so we should automate the process of replacing the certificate in the future, so you can't forget about it.

    Set up a automatic renewal script
    Open a new script file:
    Code:
    nano /etc/init.d/le_mailserver_restart.sh
    Paste this in that file (replace mail.example.com with the hostname you used):
    Code:
    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides: LE MAILSERVER CERT AUTO UPDATER
    # Required-Start: $local_fs $network
    # Required-Stop: $local_fs
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: LE MAILSERVER CERT AUTO UPDATER
    # Description: Restart mail server automatically when a new Let's Encrypt certificate is issued.
    ### END INIT INFO
    systemctl restart postfix
    systemctl restart dovecot
    To automatically trigger this script on renewal, we are going to install and set up incron.
    Code:
    apt install incron
    Make the script executable and allow root to use incron:
    Code:
    chmod +x /etc/init.d/le_mailserver_restart.sh
    echo "root" >> /etc/incron.allow
    Now open the incrontab editor:
    Code:
    incrontab -e
    Add this (again, replace mail.example.com with the hostname you used) to the file:
    Code:
    /etc/letsencrypt/archive/mail.example.com/ IN_MODIFY /etc/init.d/le_mailserver_restart.sh
    A big thanks to forum user Ahrasis for the original code and tutorial.

    Not working?
    I once had a problem with this, because Let's Encrypt used one of the alias domains as main domain. You can find the main domain in the earlier mentioned SSL tool as "Common name" or by listing the content of /etc/letsencrypt/live to see which of the (alias)domains has a folder there.

    If you still experience a problem, open a thread on the forum so others can help you out.
     
    till and ahrasis like this.
Thread Status:
Not open for further replies.

Share This Page