Using LetsEncrypt with SurgeMail

This pages shows how to use letsencrypt with SurgeMail to create SSL certificates.

SurgeMail Version 7.3j2 or later

With this version of surgemail ssl certificates are created and signed completely automatically for all domains, with one setting, no certbot or other external programs are required!
  • set g_ssl_auto "true"
  • Set g_webmail_port "80,7080"
  • Set g_ssl_per_domain "true" (recommended but not required!)
  • Issue the command: tellmail ssl_update (this need only be done once, the process of updates is then automatic)
  • (Examine response carefully)
  • tellmail ssl_reload (to ensure new certificates are being used)
  • Check/test website remotely...


  • Be sure your server is accessable on port 80 and make sure outgoing connections on port 443 work
  • Remove old g_letsencrypt setting.
  • Each domain or url_host setting for each domain MUST point at your server, if not, then the url_host should be changed to some DNS entry that does point at your server.  This is the server name your users will set in their email clients, typically

Other situations...

If you have a web server on port 80, (other than surgemail), then you can tell surgemail the path it needs to use

g_ssl_lets_path "/home/httpd/html/.well-known"

This folder must exist and be writable by the user 'mail', e.g.

mkdir /home/httpd/html/.well-known/acme-challenge
root@mail1:/usr/local/surgemail# chown mail /home/httpd/html/.well-known/acme-challenge
root@mail1:/usr/local/surgemail# chmod 0777 /home/httpd/html/.well-known/acme-challenge

When g_ssl_auto is turned on, the lets/... folder is used instead of ssl/... so that any existing certificates are not over-written.

When g_ssl_per_domain is enabled, a sub folder for each domain is created, with self signed certificates (if they don't exist).

So to disable you need to remove g_ssl_auto, and g_ssl_per_domain (if you didn't use it previously), and restart surgemail.

Testing your new certificate