How to use Letsencrypt Certificate for Qmail

It has been a while since I have written a technical blog post, so I thought I would start with Qmail. I installed Qmail on CentOS 6.6; the process may vary a little on CentOS 7 and other Linux flavours. Qmail supports SMTP (port 25) and the submission service (port 587). A long time ago I set up a Qmail server using Roberto Puzzanghera's blueprint with both of these services.
Many ISPs in European countries have started blocking port 25, so you will depend on the submission port to send out your mail. The submission port requires a certificate. You can use self-signed certificates to get through your testing phase, but when it comes to production you will need a certificate from a third-party CA. Enter Let's Encrypt to the rescue: they provide free single-domain and multi-domain (SAN) certificates for websites, and these can be used for mail servers as well.

One of the requirements is that the mail server's hostnames are configured as ServerName/ServerAlias in Apache, because certbot's Apache plugin uses that virtual host to answer the domain validation challenge.

Add the hostnames of your mail server to the Apache config
vi /etc/httpd/conf/httpd.conf

<VirtualHost *:80>
          ServerName mail.defaultdomain.com
          ServerAlias mail.domainone.com mail.domaintwo.com mail.domainthree.com mail.domainfour.com
</VirtualHost>
  
Restart apache
service httpd restart   

Back up your present certificates
mkdir /usr/local/src/certs
cp /var/qmail/control/*.pem /usr/local/src/certs

Download certbot-auto
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Install your certificate
This script will install a bunch of packages, including Python.

./certbot-auto --apache certonly --cert-name mail.defaultdomain.com -d mail.defaultdomain.com -d mail.domainone.com -d mail.domaintwo.com -d mail.domainthree.com  -d mail.domainfour.com

Combine the private key with the certificate
Qmail expects the private key and the certificate chain combined in a single file. Note that this file then contains the private key, so keep it readable only by root and the user qmail-smtpd runs as.

cat /etc/letsencrypt/live/mail.defaultdomain.com/privkey.pem /etc/letsencrypt/live/mail.defaultdomain.com/fullchain.pem > /var/qmail/control/servercert.pem 

qmailctl restart

Test renewal
Let's Encrypt certificates are valid for 90 days, so they need to be renewed regularly. First do a dry run:
./certbot-auto renew --dry-run

If this works, try renewing for real:
certbot-auto renew

Create a cron job to renew the certificate every month. The cron entry below runs the script from /root, so create it there:
sudo vi /root/certrenew.sh
#!/bin/sh

# Renew any certificate that is due, rebuild qmail's combined key+chain file,
# then restart qmail so it picks up the new certificate
/root/certbot-auto renew
cat /etc/letsencrypt/live/mail.defaultdomain.com/privkey.pem /etc/letsencrypt/live/mail.defaultdomain.com/fullchain.pem > /var/qmail/control/servercert.pem
/usr/local/bin/qmailctl restart

chmod 755 certrenew.sh

crontab -e

#Script to renew qmail certificate at 12:00AM on the 20th of every month
0 0 20 * * /root/certrenew.sh >> /var/log/customcron.log 2>&1
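As an added example (not the original post's script), here is a hardened variant of certrenew.sh: it writes the combined key+chain file to a temporary file with restrictive permissions and moves it into place atomically, checks the result before touching qmail, and restarts qmail only when the file actually changed. It assumes the same paths as the post (certbot-auto in /root, qmailctl in /usr/local/bin, the live directory of the mail certificate).

```shell
#!/bin/sh
# Added example, not the original post's script: a hardened certrenew.sh.
# Assumed (same as the post): certbot-auto in /root, qmailctl in
# /usr/local/bin, and the live directory of the mail certificate.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/mail.defaultdomain.com}"
TARGET="${TARGET:-/var/qmail/control/servercert.pem}"
CERTBOT="${CERTBOT:-/root/certbot-auto}"
QMAILCTL="${QMAILCTL:-/usr/local/bin/qmailctl}"

# Build the key+chain file qmail expects (private key first, then fullchain).
# It is written to a temp file, restricted to mode 0640 (set the group to the
# one qmail-smtpd runs as) and moved into place, so the private key is never
# world-readable or half-written. Returns 0 if the target changed, 1 if it
# was already current, 2 if the source files could not be read.
install_combined() {
    live="$1"; target="$2"
    tmp="$(mktemp "$(dirname "$target")/.servercert.XXXXXX")"
    if ! cat "$live/privkey.pem" "$live/fullchain.pem" > "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    chmod 0640 "$tmp"
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"; return 1      # nothing renewed: no restart needed
    fi
    mv -f "$tmp" "$target"
}

# Sanity check before restarting: the file must begin with the private key
# and carry at least one certificate, or qmail-smtpd TLS handshakes will fail.
verify_combined() {
    head -n 1 "$1" | grep -q 'PRIVATE KEY-----' || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

main() {
    "$CERTBOT" renew --quiet
    if install_combined "$LIVE_DIR" "$TARGET"; then
        verify_combined "$TARGET" || { echo "servercert.pem looks wrong, not restarting" >&2; exit 1; }
        "$QMAILCTL" restart
    fi
}

# Run the renewal only when invoked as RENEW=1 /root/certrenew.sh, so the
# file can be sourced to test its functions without touching certbot or qmail.
if [ "${RENEW:-0}" = "1" ]; then main; fi
```

Because qmail is only restarted when the combined file changed, this script is safe to schedule far more often than monthly; Let's Encrypt recommends checking for renewal at least daily so a certificate is never left to expire between runs.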
