Modoboa is a nice all-in-one email package. Sadly it lacks configuration possibilities for certificates and the default config uses just self signed certificates. This tutorial explains how to create and configure lets encrypt for your mail server.

For this tutorial I will use mail.justrocketscience.com as sample hostname (You have to replace it with your own). Furthermore I used Scaleway as hoster and I can recommend it. The small instance was fast enough (1,3ghz and 4 ARMv7 cores) and has enough space for a lot of mails (50GB storage).

Before you start you can test your current (maybe self-signed) certificate:

openssl s_client -connect mail.justrocketscience.com:25 -starttls smtp

modoboa uses the following files:

  • /etc/ssl/private/ssl-cert-snakeoil.key
  • /etc/ssl/certs/ssl-cert-snakeoil.pem

They are be overwritten by the following commands, so you should make backups:

cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil.key.old
cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil.pem.old

Debian already provides a letscrypt package and I tried to install it, but I the system had a problem by resolving the dependencies. You can intall it manually or use another client. I decided to use another letscrypt client, called acme-tiny.

To install it call the following commands:

cd /opt
git clone https://github.com/diafygi/acme-tiny.git
cd /opt/acme-tiny

Create Certificate Signing Request

First generate new private keys the first is the domain key used for the server and the second is for authentication with the letsencrypt service:

openssl genrsa 4096 > /etc/ssl/private/ssl-cert-snakeoil.key
openssl genrsa 4096 > /etc/ssl/private/letsencrypt.key

I will create a certificate request for just a single domain:

openssl req -new -sha256 -key /etc/ssl/private/ssl-cert-snakeoil.key -subj "/CN=mail.justrocketscience.com" > /etc/ssl/mail.justrocketscience.csr

The ACME Protocoll which is used by letsencrypt uses a callback to your server to verify that you own it. So you have to modify your webserver and provide a entry point for this callback. First create a folder to host the files:

mkdir -p /var/www/challenges/

Then edit your configuration (in my case /etc/nginx/sites-available/mail.justrocketscience.com.conf) and add the folder to your port 80-server block (exclude modrewrite from this one).

My file looks like this

The new key files will break your self singed certificate so you have to generate a new one before restarting your nginx (this is mandatory for updating your settings):

sudo openssl req -x509 -nodes -days 365 -new -key /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem

After this you can restart nginx:

service nginx restart

Now you can generate the letsencrypt signed certificates like this:

python /opt/acme-tiny/acme_tiny.py --account-key /etc/ssl/private/letsencrypt.key --csr /etc/ssl/mail.justrocketscience.csr --acme-dir /var/www/challenges/ > /etc/ssl/mail.justrocketscience.crt

To use and check the certificate the root certificate is needed. So download it and add it to your certificate from letsencrypt:

cd /etc/ssl/certs
wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

The follwing command will merge the CA-root certificate and the generated one and will replace the self signed one.

cat /etc/ssl/mail.justrocketscience.crt /etc/ssl/certs/lets-encrypt-x1-cross-signed.pem > /etc/ssl/certs/ssl-cert-snakeoil.pem

To test it you can use openssl again or use some web based tools like SSL-Tools website or CheckTLS-website.

Auto resign

A new certificate is only valid for 90 days, but you can resign it. This resign process can be automated and I will update this post as soon as possible.