Using LetsEncrypt with SurgeMail


This page shows how to use Let's Encrypt with SurgeMail to create SSL/TLS certificates.


SurgeMail Version 7.3j2 or later

With this version of SurgeMail, SSL certificates are created and signed completely automatically for all domains with one setting; no certbot or other external programs are required!
  • Set g_ssl_auto "true"
  • Issue the command: tellmail ssl_update (this needs to be done only once; from then on renewal is automatic)

Requirements:

  • Be sure your server is accessible on port 80 (the Let's Encrypt validators fetch the challenge over plain HTTP) and that outgoing connections on port 443 work (SurgeMail talks to the Let's Encrypt API over HTTPS)
  • Set g_webmail_port "80,7080"
  • Set g_ssl_per_domain "true" (recommended but not required!)
  • Remove any old g_letsencrypt setting.
  • The url_host setting for each domain MUST point at your server; if it does not, change url_host to a DNS name that does. This is the server name your users will enter in their email clients, typically mail.domain.name

If you have a web server on port 80 (other than SurgeMail), then you can tell SurgeMail the path it needs to use for the challenge files:

g_ssl_lets_path "/home/httpd/html/.well-known"

This folder must exist and be writable by the user 'mail'. Owning it as 'mail' with mode 0755 is enough (the web server only needs to read it); do not make it world-writable, or any local account can place files under your web root. E.g.

root@mail1:/usr/local/surgemail# mkdir -p /home/httpd/html/.well-known/acme-challenge
root@mail1:/usr/local/surgemail# chown mail /home/httpd/html/.well-known/acme-challenge
root@mail1:/usr/local/surgemail# chmod 0755 /home/httpd/html/.well-known/acme-challenge
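Before turning on g_ssl_auto it is worth proving that the requirements above actually hold, because a failed HTTP-01 validation shows up only as a domain that never gets a certificate. The script below is an added example, not part of SurgeMail: it creates the challenge directory with the permissions described above, checks that each url_host resolves to this server, fetches a test token over port 80 the way the Let's Encrypt validators do, and confirms outbound 443 to the ACME API. The challenge directory path, the public IP and the host names are placeholders you pass on the command line; acme-v02.api.letsencrypt.org is Let's Encrypt's current ACME v2 endpoint.

```shell
#!/bin/sh
# Pre-flight checks before enabling g_ssl_auto (added example; not SurgeMail's code).
# Assumptions: directory, IP and host names are placeholders given as arguments;
# ACME_HOST is the current Let's Encrypt ACME v2 API host.
ACME_HOST="acme-v02.api.letsencrypt.org"

# Create the challenge directory owned by the SurgeMail user, readable by the
# web server, and not world-writable (0755 is enough; 0777 would let any local
# account drop files under the web root).
setup_challenge_dir() {
  dir="$1" owner="$2"
  mkdir -p "$dir" || return 1
  chown "$owner" "$dir" || return 1
  chmod 0755 "$dir"
}

# Return 0 if the "other" write bit is clear on the directory, 1 otherwise.
dir_not_world_writable() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
  case "$mode" in *[2367]) return 1 ;; esac
  return 0
}

# Return 0 if $1 (this server's public IP) appears in the space-separated list $2.
ip_in_list() {
  for ip in $2; do [ "$ip" = "$1" ] && return 0; done
  return 1
}

# url_host for every domain MUST resolve to this server, or validation fails.
check_dns() {
  host="$1" my_ip="$2"
  resolved=$(getent ahostsv4 "$host" 2>/dev/null | awk '{print $1}' | sort -u | tr '\n' ' ')
  if ip_in_list "$my_ip" "$resolved"; then
    echo "OK   $host -> $my_ip"
  else
    echo "FAIL $host resolves to '${resolved:-nothing}', not $my_ip"; return 1
  fi
}

# Simulate an HTTP-01 challenge: drop a token file and fetch it over plain
# HTTP on port 80, the way the Let's Encrypt validators will.
check_http01() {
  host="$1" dir="$2" token="surgemail-preflight-$$"
  printf 'ok' > "$dir/$token" || { echo "FAIL cannot write to $dir"; return 1; }
  if body=$(curl -fsS --max-time 10 "http://$host/.well-known/acme-challenge/$token") \
     && [ "$body" = "ok" ]; then
    rm -f "$dir/$token"; echo "OK   http://$host/.well-known/acme-challenge/ is served"
  else
    rm -f "$dir/$token"; echo "FAIL challenge path not reachable on port 80 via $host"; return 1
  fi
}

# SurgeMail must reach the ACME API outbound on 443.
check_outbound() {
  if curl -fsS --max-time 10 -o /dev/null "https://$ACME_HOST/directory"; then
    echo "OK   outbound 443 to $ACME_HOST"
  else
    echo "FAIL cannot reach https://$ACME_HOST/ on port 443"; return 1
  fi
}

# Usage: preflight <challenge-dir> <public-ip> <url_host> [url_host ...]
preflight() {
  dir="$1" my_ip="$2"; shift 2
  rc=0
  dir_not_world_writable "$dir" || { echo "FAIL $dir is world-writable; chmod 0755 it"; rc=1; }
  check_outbound || rc=1
  for h in "$@"; do
    check_dns "$h" "$my_ip" || rc=1
    check_http01 "$h" "$dir" || rc=1
  done
  return $rc
}

if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run it as root on the mail server after setting g_ssl_lets_path, for example: sh preflight.sh /home/httpd/html/.well-known/acme-challenge 203.0.113.10 mail.example.com mail.example.org. Any FAIL line is a reason the automatic certificate for that host will not be issued.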


When g_ssl_auto is turned on, certificates are stored under the lets/... folder instead of ssl/..., so any existing certificates are not overwritten.

When g_ssl_per_domain is enabled, a sub-folder is created for each domain, with self-signed certificates if none exist yet.

To disable automatic certificates, remove g_ssl_auto (and g_ssl_per_domain, if you didn't use it previously) and restart SurgeMail.

The rest of the instructions below are for older versions of SurgeMail.



Windows Instructions (Linux below)

  1. Install SurgeMail 7.3f-40 or later.
  2. Set g_ssl_per_dom "true" if you want certificates for each domain (optional).
  3. Download win-acme from https://github.com/PKISharp/win-acme/releases and uncompress it into c:\letsencrypt
  4. Edit surgemail.ini: set g_webmail_port "80" and g_webmail_secure_port "443", then restart SurgeMail.
  5. tellmail letsencrypt
  6. cd \letsencrypt
  7. \surgemail\lets.cmd
  8. In surgemail.ini set g_letsencrypt "C:\ProgramData\win-acme\httpsacme-v01.api.letsencrypt.org"
  9. tellmail reload
  10. tellmail letsencrypt_copy


Test the new certificate by browsing to your secure URL:


https://mail.your.domain.name



Linux Instructions

  1. Stop Apache if it is running, and uninstall it (unless you want to keep it, in which case use Apache to obtain the certificates and then copy them to SurgeMail).
  2. Install certbot if it isn't already on your system; instructions are at https://certbot.eff.org/
  3. Edit /etc/surgemail.ini: set g_webmail_port "80" and g_webmail_secure_port "443", then restart SurgeMail.
  4. Set g_ssl_per_dom "true" if you want certificates for each domain.
  5. tellmail letsencrypt
  6. cd (path to certbot)
  7. source /usr/local/surgemail/lets.cmd (adjust the path if SurgeMail is installed elsewhere)
  8. In surgemail.ini set g_letsencrypt "/etc/letsencrypt/live/"
  9. tellmail reload
  10. tellmail letsencrypt_copy

Test the new certificate by browsing to your secure URL:


https://mail.your.domain.name
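A browser only exercises the webmail port, and it will happily show a green lock for an old self-signed certificate if a security exception is stored. The script below is an added example (not SurgeMail's own tooling) for testing the result of either procedure on this page: it fetches the certificate each service actually presents, sending SNI so per-domain certificates are exercised, and checks that it was issued by Let's Encrypt, is valid for the host name, and is not close to expiry, which is how broken renewal first shows up. The port list is an assumption matching a default install with g_webmail_secure_port "443" and the standard mail ports; adjust it to your g_*_port settings. It needs the openssl command-line tool.

```shell
#!/bin/sh
# Check the certificate SurgeMail actually serves (added example; not SurgeMail's code).
# Assumptions: ports below are the defaults for webmail (443) and mail clients;
# change them to match your surgemail.ini. Requires the openssl CLI.

# Fetch the leaf certificate presented on host:port, with SNI set to host so
# g_ssl_per_domain certificates are tested. $3 selects a STARTTLS protocol
# (smtp, imap, pop3) for plaintext ports; leave empty for implicit TLS.
fetch_cert() {
  host="$1" port="$2" proto="$3"
  if [ -n "$proto" ]; then set -- -starttls "$proto"; else set --; fi
  openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>/dev/null \
    | openssl x509 2>/dev/null
}

# Policy helpers kept free of openssl/network calls so they can be tested alone.
issuer_is_letsencrypt() { case "$1" in *"Let's Encrypt"*) return 0 ;; esac; return 1; }
# openssl x509 -checkhost prints "Hostname X does match certificate" or "... does NOT match ...".
hostname_matches() { case "$1" in *"does match certificate"*) return 0 ;; esac; return 1; }

# Verify one PEM certificate: issued by Let's Encrypt, valid for host, not expiring soon.
check_cert() {
  host="$1" pem="$2" min_days="${3:-14}"
  issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer) || return 1
  issuer_is_letsencrypt "$issuer" \
    || { echo "FAIL $host: still serving a non-Let's-Encrypt certificate ($issuer)"; return 1; }
  hostname_matches "$(printf '%s\n' "$pem" | openssl x509 -noout -checkhost "$host")" \
    || { echo "FAIL $host: certificate is not valid for this name"; return 1; }
  printf '%s\n' "$pem" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL $host: certificate expires within $min_days days; renewal is not working"; return 1; }
  echo "OK   $host: $(printf '%s\n' "$pem" | openssl x509 -noout -enddate)"
}

# Browsers only hit 443; mail clients use SMTP/IMAP/POP ports, so check them all.
check_all() {
  host="$1" rc=0
  for spec in "443:" "465:" "587:smtp" "993:" "995:" "143:imap" "110:pop3"; do
    port=${spec%%:*} proto=${spec#*:}
    if pem=$(fetch_cert "$host" "$port" "$proto") && [ -n "$pem" ]; then
      check_cert "$host" "$pem" || rc=1
    else
      echo "SKIP $host:$port (no TLS answer)"
    fi
  done
  return $rc
}

if [ $# -gt 0 ]; then check_all "$1"; fi
```

Usage: sh checkcert.sh mail.your.domain.name, once per url_host if you use per-domain certificates. Running it from cron after the first issuance turns the "expires within N days" branch into an early warning that the automatic renewal has stopped.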