Securing your ISPConfig 3 managed mailserver with a valid Let's Encrypt SSL certificate (certbot)

Discussion in 'Tips/Tricks/Mods' started by Th0m, Feb 12, 2021.

Thread Status:
Not open for further replies.
  1. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This tutorial is for servers that have certbot installed. If you are using acme.sh, you have to use this tutorial: https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/

    If you are unsure, check if you have the folder /etc/letsencrypt on your system. If so, this guide is for you. Otherwise, you are most likely using acme.sh.


    If you're running your own mailserver, it's best practice to connect to it securely with an SSL/TLS connection. You'll need a valid certificate for these secure connections. In this tutorial, we'll set up a Let's Encrypt certificate for our mailserver that renews automatically.

    Warning: This tutorial is based on this tutorial: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ but modified so you have a separate certificate for your mailserver and control panel. If you have followed that tutorial before, this tutorial might break your setup.

    Note for ISPConfig 3.2: ISPConfig 3.2 is able to create a valid Let's Encrypt SSL certificate for the server hostname automatically during installation, which is used for the mail server as well. There is no need to manually create a Let's Encrypt SSL certificate as described here on ISPConfig 3.2 systems unless you need different domain names in the SSL certificate beside the server hostname.

    Prerequisites

    Your server should be installed according to the Perfect Server tutorial for your OS.

    Getting started
    I will be using the following hostnames for my mailserver: mail.example.com, smtp.example.com, imap.example.com.
    Replace all red underlined hostnames in this tutorial with your own.

    Create the DNS records for your hostname(s), so they point to your server. These should be A (and optionally AAAA) records. Then, in the ISPConfig interface, go to the Sites tab.

    Issuing the certificate
    Under Sites, click "Add new website". Set mail.example.com as domain. Disable Auto-Subdomain, and check the Let's Encrypt checkbox.

    After this you can add your other hostnames as alias domains, by going to the aliasdomain list and clicking "Add new aliasdomain". Select smtp.example.com as domain, and mail.example.com as parent website. Disable Auto-Subdomain and save the new record. Repeat this for any other hostnames you have.
    Verify that the certificate is in place. You can do this with a tool like https://www.sslshopper.com/ssl-checker.html
    It should look something like this:
    Screenshot of SSL check
    If the hostname(s) are listed and there are no other errors, you can proceed. Otherwise, check the errors and resolve them before going further.

    Replacing the certificate with the Let's Encrypt certificate
    Now we can replace the current certificate with your trusted certificate. Log in to your server and run these commands:
    (replace mail.example.com with the hostname you used for the website)
    Code:
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/mail.example.com/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/mail.example.com/privkey.pem smtpd.key
    systemctl restart postfix
    systemctl restart dovecot
    The certificate should now be used for your Postfix and Dovecot server. But we are not done yet! The Let's Encrypt certificate renews every 60 days, so we should automate the process of replacing the certificate in the future, so you can't forget about it.

    Set up an automatic renewal script
    Open a new script file:
    Code:
    nano /etc/init.d/le_mailserver_restart.sh
    Paste this in that file (replace mail.example.com with the hostname you used):
    Code:
    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides: LE MAILSERVER CERT AUTO UPDATER
    # Required-Start: $local_fs $network
    # Required-Stop: $local_fs
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: LE MAILSERVER CERT AUTO UPDATER
    # Description: Restart mail server automatically when a new Let's Encrypt certificate is issued.
    ### END INIT INFO
    systemctl restart postfix
    systemctl restart dovecot
    Make the script executable:
    Code:
    chmod +x /etc/init.d/le_mailserver_restart.sh
    We will use systemd to monitor the certificate directory.
    Create and open the new systemd service:
    Code:
    nano /etc/systemd/system/le-mailserver-restart.service
    Paste this in that file:
    Code:
    [Unit]
    Description="Run script to restart Postfix and Dovecot after the certificate has been renewed"
    
    [Service]
    ExecStart=/etc/init.d/le_mailserver_restart.sh
    
    Save and close this file. Then create and open the new systemd path file:
    Code:
    nano /etc/systemd/system/le-mailserver-restart.path
    Paste this in that file and replace mail.example.com with the hostname you used:
    Code:
    [Unit]
    Description="Monitor the mailserver certificate files to trigger a e-mail services restart after the certificates has been renewed"
    
    [Path]
    PathModified=/etc/letsencrypt/archive/mail.example.com/
    Unit=le-mailserver-restart.service
    
    [Install]
    WantedBy=multi-user.target
    Save and close this file. Then start the path unit:
    Code:
    systemctl start le-mailserver-restart.path
    And enable it so it runs on startup:
    Code:
    systemctl enable le-mailserver-restart.path
    And we're done!

    Not working?
    I once had a problem with this, because Let's Encrypt used one of the alias domains as main domain. You can find the main domain in the earlier mentioned SSL tool as "Common name" or by listing the content of /etc/letsencrypt/live to see which of the (alias)domains has a folder there.

    If you still experience a problem, open a thread on the forum so others can help you out.
     
    Last edited: Feb 20, 2022
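    An added check for the steps above and for the "Not working?" note, not part of Th0m's post: a small POSIX sh script that verifies that the Postfix smtpd.cert and smtpd.key files are symlinks into the Let's Encrypt live folder for the hostname you used, that the targets exist, and that lists which (alias)domains actually own a folder under /etc/letsencrypt/live (the "which domain became the common name" question). The function names, the parameterised directories and the constructed test tree are assumptions of this example; on a real server you would call it as check_mail_cert_links /etc/postfix /etc/letsencrypt/live mail.example.com.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Verifies the symlinks created in the "Replacing the certificate" step and
# helps with the "Not working?" section by listing the live folders.

# check_mail_cert_links POSTFIX_DIR LE_LIVE_DIR HOSTNAME
# Returns 0 when POSTFIX_DIR/smtpd.cert -> LE_LIVE_DIR/HOSTNAME/fullchain.pem
# and POSTFIX_DIR/smtpd.key -> LE_LIVE_DIR/HOSTNAME/privkey.pem, both readable.
# Returns 1 and prints a FAIL line for every problem found.
check_mail_cert_links() {
    postfix_dir=$1; live_dir=$2; host=$3
    status=0
    for pair in "smtpd.cert:fullchain.pem" "smtpd.key:privkey.pem"; do
        link=${pair%%:*}      # file name Postfix/Dovecot read
        target=${pair##*:}    # file name certbot writes
        want="$live_dir/$host/$target"
        if [ ! -L "$postfix_dir/$link" ]; then
            echo "FAIL: $postfix_dir/$link is not a symlink (old static cert still in place?)"
            status=1; continue
        fi
        got=$(readlink "$postfix_dir/$link")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $postfix_dir/$link -> $got (expected $want)"
            status=1; continue
        fi
        if [ ! -r "$want" ]; then
            echo "FAIL: $want is missing or unreadable"
            status=1; continue
        fi
        echo "OK: $postfix_dir/$link -> $want"
    done
    return $status
}

# le_live_domains LE_LIVE_DIR
# Prints one domain per line for every folder under the live directory.
# If your hostname is not listed but one of its alias domains is, certbot
# used that alias as the main (common) name and the symlinks must point there.
le_live_domains() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        echo "${d##*/}"
    done
}

# Run the check only when the three directories/hostname are given on the
# command line, so the file can also be sourced for the functions alone.
if [ $# -eq 3 ]; then
    echo "Live folders in $2:"
    le_live_domains "$2"
    check_mail_cert_links "$1" "$2" "$3"
fi
```

    If the check reports that smtpd.cert is not a symlink, the original static certificate from the Perfect Server setup is still in use and the mv/ln commands from the post have not been applied; if it points at a folder that does not exist, compare the hostname against the output of le_live_domains and re-create the links to the folder that is actually there.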
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Guide has been updated to use systemd instead of incron, as incron is deprecated in Debian 11.
     