Using LetsEncrypt with SurgeMail

This pages shows how to use letsencrypt with SurgeMail to create SSL certificates.

Stop Apache if its running, and uninstall it (unless you want to use it)

    /etc/initld/apache2 stop
(the above just stops it, lookup your system on google to see how to uninstall properly)

Install Surgemail

    Download from

Install letsencrypt certbot if it isn't on your system:

Linux will tell you how to install it, just give it your version of linux...

	For ubunto it told me to do this:
    chmod a+x certbot-auto


    Download from:

    Uncompress into a folder, c:\letsencrypt

Configure SurgeMail to use port 80 and 443, and check remote access.

    Modifying /etc/surgemail.ini and adjust g_webmail_port "80"  and g_webmail_secure_port "443" and restart surgemail.

    tellmail exit

Use letsencrypt/certbot to create your certificates:   

Set g_ssl_per_dom "true" if you want certificates for each domain.

Generate the commands from surgemail (7.2d9 and later)
    tellmail letsencrypt

This creates a script lets.cmd which you will run from the folder you downloaded letsencrypt to...


cd \letsencrypt


cd (path to certbot)
source \surgemail\lets.cmd

Manually (prior to 7.2d9 on linux)

I'm using the -auto variant as certbot isn't installed, the command line switches are identical... replace YOUR.DOMAIN.NAME with the 'a' record for your server not the domain name (so not

    ./certbot-auto certonly --webroot -w /usr/local/surgemail/www -d MAIL.YOUR.DOMAIN.NAME

Initially this failed for me as the dns name I had just created took a while to propagate to the letsencrypt systems, if it fails for you it should tell you something useful about why, so read the error you get carefully.

Copy the certificates to surgemail and restart it.

Define g_letsencrypt in surgemail.ini, replace USERNAME with the username you are using!!!


You can find the correct path from the letsencrypt output:

C:\lets>letsencrypt --manualhost MAIL.DOMAIN.COM --webroot \surgemail\www
Let's Encrypt (Simple Windows ACME Client)
Renewal Period: 60
Certificate Store: WebHosting

ACME Server:
Config Folder: C:\Users\YOURUSERNAME\AppData\Roaming\letsencrypt-win-simple\

g_letsencrypt "\Users\USERNAME\AppData\Roaming\letsencrypt-win-simple\"


g_letsencrypt "/etc/letsencrypt/live/"


Use tellmail to copy the files into surgemail and reload ssl
    tellmail letsencrypt_copy

Manually (prior to 7.2d9 on linux)

    cp /etc/letsencrypt/live/ /usr/local/surgemail/ssl/surge_cert.pem
    cp /etc/letsencrypt/live/ /usr/local/surgemail/ssl/surge_priv.pem
    tellmail exit

Test the new certificate.

Setup cron job to renew certificate (linux only).

You may need a cron job to run certbot and copy the certificates. Refer to LetsEncrypt documentation for up to date information on the best practice for this, my belief is a monthly cron job something like this would be reasonable.

	Crontab entry:   0 0 1 * * /root/

Where /root/ contains:

./certbot-auto certonly --webroot -w /usr/local/surgemail/www -d MAIL.YOUR.DOMAIN.NAME
# Next lines not required after 7.2d9 as surgemail will scan and copy the files daily...
cp /etc/letsencrypt/live/ /usr/local/surgemail/ssl/surge_cert.pem
    cp /etc/letsencrypt/live/ /usr/local/surgemail/ssl/surge_priv.pem
    tellmail ssl_reload