How to Install an ACME SSL Certificate on Mail Servers?
Email traffic has to be encrypted so that user credentials cannot be captured in transit, message contents stay private, and the mail server does not end up on blacklists.
Unlike a web server, which speaks only HTTP, a mail server speaks several protocols (SMTP, IMAP, and POP3), which makes configuring SSL/TLS on it more involved.
The easiest way to automate issuing and renewing SSL certificates is to run an ACME client that talks to a commercial Certificate Authority (CA) such as DigiCert or Sectigo, using ACME External Account Binding (EAB) to tie the client to your account at any CA that supports the ACME protocol.
This document explains how to install ACME SSL certificates on a production mail server running Postfix or Exim (SMTP) together with Dovecot (IMAP/POP3).
Requirements
Prior to beginning, please confirm:
- You have a domain name (example: mail.abc.com) pointing to your mail server.
- You have an MX record set on your domain.
- You have root-level access (via SSH) to the mail server.
- You have installed Postfix or Exim and Dovecot on your mail server.
- You have ACME account credentials from your CA:
  - ACME directory URL
  - EAB Key ID
  - EAB HMAC Key
Steps for Installing ACME SSL Cert on Your Mail Server
Step 1: Install acme.sh on Your Mail Server
The first step is to install the acme.sh ACME client on the mail server, so you can run it locally to issue the certificate and automate its renewal.
curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --version
Before moving on, confirm the client works with the acme.sh --version command shown above; if it fails, check that required tools such as curl are installed, or log in to the mail server again so your shell reloads its environment variables.
Step 2: Register Your ACME Account (with EAB)
In this step you use your EAB credentials to register an ACME account with the Certificate Authority (CA). This links the ACME client to your SSL provider.
acme.sh --register-account \
--server https://acme.yourca.com/v2/acme \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--accountemail you@example.com
Replace every placeholder (the server URL, EAB key ID, HMAC key, and e-mail address) with the actual values for your account. Registration is needed only once; afterwards the client uses this account for all certificate requests to your CA.
Step 3: Issue the Certificate Using DNS-01 Validation
Most mail servers do not serve HTTP, so HTTP-01 validation is not an option; use DNS-01 instead, which proves control of the domain through a DNS TXT record.
acme.sh --issue \
-d mail.example.com \
--dns dns_manual \
--server https://acme.yourca.com/v2/acme
When you run the command above, acme.sh prints a TXT record for you to add in your DNS panel:
Name: _acme-challenge.mail.example.com
Value: <provided-token>
Verify it using:
dig TXT _acme-challenge.mail.example.com +short
Once the TXT record resolves, re-run the issue command. The certificate is created and stored here:
~/.acme.sh/mail.example.com/
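Re-running the issue command before the TXT record has propagated makes the CA fail the challenge, and a stale record from an earlier issuance can fool a quick manual dig check. The script below is an added example (not from the original post or from acme.sh) that polls dig until a record whose value is exactly the token appears; the function names and the 15-second polling interval are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from acme.sh): wait until the
# _acme-challenge TXT record is visible before re-running acme.sh --issue.
# Function names are hypothetical.
set -eu

# txt_has_token OUTPUT TOKEN
# OUTPUT is the raw text of `dig TXT <name> +short` (one quoted value per line).
# Succeeds only when a line equals "TOKEN" exactly, so a stale record from an
# earlier issuance, or a record that merely contains the token, does not pass.
txt_has_token() {
    printf '%s\n' "$1" | grep -Fqx -- "\"$2\""
}

# wait_for_txt NAME TOKEN [TIMEOUT_SECONDS]
# Polls the system resolver every 15 s (default limit 10 minutes). The CA asks
# the authoritative servers, so a hit here means propagation has at least begun.
wait_for_txt() {
    name=$1; token=$2; limit=${3:-600}; waited=0
    while [ "$waited" -lt "$limit" ]; do
        out=$(dig TXT "$name" +short 2>/dev/null || true)
        if txt_has_token "$out" "$token"; then
            echo "TXT record for $name is live after ${waited}s"
            return 0
        fi
        sleep 15
        waited=$((waited + 15))
    done
    echo "timed out after ${limit}s waiting for $name" >&2
    return 1
}

# Usage: ./wait-txt.sh _acme-challenge.mail.example.com '<provided-token>' \
#        && acme.sh --issue -d mail.example.com --dns dns_manual \
#             --server https://acme.yourca.com/v2/acme
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Querying the domain's authoritative name server (dig @ns1.yourdns.example) instead of the system resolver gives an earlier and more reliable answer, since that is what the CA queries; the system resolver is used here only to keep the example portable.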
Step 4: Configure Postfix (SMTP) to Use the Certificate
Now configure Postfix to use the issued certificate for secure SMTP communication.
First, copy the certificate files to a stable location:
sudo mkdir -p /etc/ssl/mail
sudo cp ~/.acme.sh/mail.example.com/fullchain.cer /etc/ssl/mail/mail-fullchain.cer
sudo cp ~/.acme.sh/mail.example.com/mail.example.com.key /etc/ssl/mail/mail.key
sudo chmod 600 /etc/ssl/mail/mail.key
Then configure Postfix:
sudo postconf -e 'smtpd_use_tls = yes'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/mail/mail-fullchain.cer'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/mail/mail.key'
sudo postconf -e 'smtp_tls_security_level = may'
Restart Postfix:
sudo systemctl restart postfix
This enables encrypted SMTP connections for sending and receiving mail.
Step 5: Configure Dovecot (IMAP/POP3)
Dovecot handles mailbox access via IMAP and POP3. You need to point it to the same certificate files.
Edit the SSL Configuration:
sudo nano /etc/dovecot/conf.d/10-ssl.conf
Update:
ssl = yes
ssl_cert = </etc/ssl/mail/mail-fullchain.cer
ssl_key = </etc/ssl/mail/mail.key
Restart Dovecot:
sudo systemctl restart dovecot
Now your IMAP/POP3 services are secured with TLS.
Step 6: Configure Exim (Optional)
If you use Exim instead of Postfix, configure TLS similarly:
tls_certificate = /etc/ssl/mail/mail-fullchain.cer
tls_privatekey = /etc/ssl/mail/mail.key
Restart Exim:
sudo systemctl restart exim4
Step 7: Test Your Mail Server SSL
After configuration, verify your SSL setup using OpenSSL.
Test SMTP:
openssl s_client -starttls smtp -connect mail.example.com:587 -showcerts
Test IMAP:
openssl s_client -starttls imap -connect mail.example.com:143 -showcerts
The setup is complete when the output shows a certificate issued to your domain by a trusted (reputable) Certificate Authority (CA) and the chain verifies without errors.
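Reading the s_client output by eye misses two things: whether the chain actually verified (the "Verify return code" line near the end) and whether the certificate is valid for the name you connected to. The script below is an added example, not part of the original post, that checks SMTP, IMAP and POP3 in one pass; the openssl flags are real, while the function names and the port choices (587, 143, 110) are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify that SMTP, IMAP and POP3
# all present a chain that validates for the hostname. The openssl flags are
# real; the function names and port choices are this example's assumptions.
set -u

# verify_ok OUTPUT -> 0 when the captured s_client output reports a verified chain
verify_ok() {
    printf '%s\n' "$1" | grep -q '^Verify return code: 0 (ok)$'
}

# verify_reason OUTPUT -> prints the reason text from the Verify line, e.g.
# "ok", "certificate has expired", "unable to verify the first certificate"
# (the last usually means the leaf was installed without fullchain.cer)
verify_reason() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: [0-9]* (\(.*\))$/\1/p' | head -n 1
}

# check_starttls HOST PORT PROTO   (PROTO is smtp, imap or pop3)
# -servername sends SNI, which a server with several certificates needs;
# -verify_hostname makes a name mismatch show up as a verify error instead
# of a chain that "verifies" for the wrong name.
check_starttls() {
    host=$1; port=$2; proto=$3
    out=$(openssl s_client -starttls "$proto" -connect "$host:$port" \
              -servername "$host" -verify_hostname "$host" </dev/null 2>&1)
    if verify_ok "$out"; then
        printf '%-4s %s:%s OK  %s\n' "$proto" "$host" "$port" \
            "$(printf '%s\n' "$out" | grep '^subject=' | head -n 1)"
        return 0
    fi
    printf '%-4s %s:%s FAIL: %s\n' "$proto" "$host" "$port" "$(verify_reason "$out")" >&2
    return 1
}

# check_mail_tls HOST -> 0 only if every service passes
check_mail_tls() {
    rc=0
    check_starttls "$1" 587 smtp || rc=1
    check_starttls "$1" 143 imap || rc=1
    check_starttls "$1" 110 pop3 || rc=1
    return "$rc"
}

# Usage: ./check-mail-tls.sh mail.example.com
if [ "$#" -ge 1 ]; then
    check_mail_tls "$1"
fi
```

Run it from a machine outside the mail server, so it exercises the same path your users take; a non-zero exit status makes it usable as a post-deployment check or a monitoring probe.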
Step 8: Automate Renewal and Service Reload
acme.sh renews the certificate automatically, but after each renewal the mail services still have to load the new files. Automate that with a deploy script that acme.sh runs after every successful renewal:
Create a deploy Script:
#!/usr/bin/env bash
# Copy the renewed certificate and key into place and restart the mail services.
set -euo pipefail
DOMAIN="mail.example.com"
SRC="$HOME/.acme.sh/$DOMAIN"
DEST="/etc/ssl/mail"
sudo cp "$SRC/fullchain.cer" "$DEST/mail-fullchain.cer"
sudo cp "$SRC/$DOMAIN.key" "$DEST/mail.key"
sudo chmod 600 "$DEST/mail.key"   # the private key must not be world-readable
sudo systemctl restart postfix dovecot
Then link it with acme.sh:
# --key-file / --fullchain-file are the destination paths acme.sh copies the
# renewed files to; they must not point back into ~/.acme.sh (the source).
acme.sh --install-cert -d mail.example.com \
--key-file /etc/ssl/mail/mail.key \
--fullchain-file /etc/ssl/mail/mail-fullchain.cer \
--reloadcmd "/path/to/deploy-script.sh"
From now on, certificates are renewed and installed automatically, and the mail services are restarted after each renewal.
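A reload hook that blindly copies and restarts has two weak spots: it bounces Postfix and Dovecot even when nothing changed, and it will happily install a certificate that does not belong to the key next to it, leaving the services unable to start TLS. The script below is an added example, not from the original post or from acme.sh, of a hook for --reloadcmd that installs atomically, only when the files differ, checks that certificate and key match, and reloads rather than restarts. The DOMAIN, SRC and DEST defaults follow the paths used in the steps above; the function names and the choice of reload over restart are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or acme.sh): --reloadcmd hook that
# installs the renewed files only when they differ from what is deployed and
# reloads the services once. Function names are hypothetical.
set -eu

DOMAIN=${DOMAIN:-mail.example.com}
SRC=${SRC:-${HOME:-/root}/.acme.sh/$DOMAIN}
DEST=${DEST:-/etc/ssl/mail}

# install_if_changed SRC DEST MODE -> 0 if DEST was (re)written, 1 if unchanged.
# Writes a temp file in the same directory and renames it, so a service that
# reads the path mid-renewal never sees a half-written certificate.
install_if_changed() {
    src=$1; dest=$2; mode=$3
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        return 1
    fi
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp"
    chmod "$mode" "$tmp"
    mv -f "$tmp" "$dest"
    return 0
}

# cert_matches_key CERT KEY -> 0 when the public key in CERT belongs to KEY.
# Compares the DER-encoded SubjectPublicKeyInfo from both sides.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | cksum)
    k=$(openssl pkey -in "$2" -pubout -outform DER | cksum)
    [ "$c" = "$k" ]
}

deploy() {
    cert_matches_key "$SRC/fullchain.cer" "$SRC/$DOMAIN.key" || {
        echo "certificate and key in $SRC do not match; not deploying" >&2
        return 1
    }
    changed=0
    install_if_changed "$SRC/fullchain.cer" "$DEST/mail-fullchain.cer" 644 && changed=1
    install_if_changed "$SRC/$DOMAIN.key"   "$DEST/mail.key"           600 && changed=1
    if [ "$changed" -eq 1 ]; then
        # reload re-reads the certificate without dropping active sessions
        systemctl reload postfix dovecot
        echo "certificate updated and services reloaded"
    else
        echo "deployed files already current; nothing to do"
    fi
}

# Usage as reloadcmd: /path/to/deploy-script.sh run
if [ "${1:-}" = "run" ]; then
    deploy
fi
```

The hook has to run as root (or prefix the copy and systemctl lines with sudo, as the page's script does) because it writes to /etc/ssl/mail and reloads system services. Note also that a hook only helps when acme.sh can renew unattended: the manual DNS mode used in Step 3 requires the TXT record to be re-added by hand at every renewal, so hands-off renewal needs a DNS provider API plugin instead of dns_manual.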
Conclusion
To deploy an SSL certificate properly, use a reputable Certificate Authority (CA) that has been established and trusted for many years.
CheapSSLweb offers a complete enterprise-class package of inexpensive ACME SSL Certificates from top-tier commercial partners such as DigiCert and Sectigo, and provides complete technical support for all ACME or EAB environments with an end-to-end suite of SSL Certificate Services.