Install a GoDaddy signed SSL Certificate on iRedMail (Debian)

This tutorial assumes you are running iRedMail version 0.7.3 or thereabouts on a Debian(esque) server (say Squeeze). Also, I'm using GoDaddy for SSL as they are the cheapest way to get a 'properly' signed SSL cert for little money (if you find yourself a suitable promo code!). Google or DuckDuckGo are your friends.

Step 1: Generate a private key (key) and certificate signing request (csr)

Ref: GoDaddy Help - Generating a Certificate Signing Request (CSR) - Apache 2.x

openssl req -new -newkey rsa:2048 -nodes -keyout [yourname].key -out [yourname].csr

Step 2: Filling out your certificate request details

Ref: GoDaddy Help - Generating a Certificate Signing Request (CSR) - Apache 2.x

Common Name
the domain name you want your SSL certificate to validate for.
WARNING: www.example.com != example.com. Select this carefully! For example, my mail server has the following hostname: mail.brightercomputing.net, so the Common Name (CN) is mail.brightercomputing.net. This means the SSL certificate will only ever work with this and not www.brightercomputing.net.
Organisation
whatever you want; I use my business name Brighter Computing Ltd
Organisation Unit
doesn't really matter; I use simply IT
Email
I use my support email address help@brightercomputing.com to capture any enquiries
City / Locality
pick a place; I use London
State / Province
pick what is closest or where your server is; I use London again
Country
make sure to pick the right country code! I use GB since I'm in the UK. UK is not a valid code!
Passphrase
WARNING: make sure to leave the passphrase field empty, as you will otherwise have to log on to your server and hack in your passphrase three times over when restarting services or your server!

Step 3: Submit CSR and await signed certificate

When using GoDaddy you should log on to your account and head over to the SSL Certificate section and its manager page.

The way GoDaddy work is that you first purchase your SSL certificate and get issued with a credit. You need to log on and use that credit to get an SSL certificate. Before you can submit your CSR you need to wait a short while for GoDaddy's scripts to sort themselves out.

Once you have redeemed your credit it will simply say 'New Certificate' in the list. Click on the entry next to it that reads 'Manage Certificate' once it is ready (it may say "Status: Initialize SSL Certificate" for a good while, so grab a snickers(tm) and make yourself a brew).

WARNING: you need to make sure you receive emails for whatever email address you registered yourdomain.com under! Check the WHOIS entry for it before you submit to GoDaddy as they will send you an email to confirm you are the owner of the domain. You will need to click on the confirmation link they send you before proceeding.

Step 4: Copy the received files to your server

gd_bundle.crt
[yourname].crt (the actual certificate)

Step 5: Moving files into place

Copy both gd_bundle.crt and [yourname].crt to

/etc/ssl/certs/

Copy the [yourname].key you created earlier to

/etc/ssl/private/
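
Before pointing the services at these files it is worth confirming that the key belongs to the certificate, that the certificate chains up to the bundle, that the Common Name is the hostname you intended, and that the key is not world-readable. The script below is an added example, not part of the original tutorial; the throwaway "Demo CA", the hostname mail.example.test and the temporary file names are constructed stand-ins for gd_bundle.crt and your own files.

```sh
#!/bin/sh
# Added example: sanity checks for the key, certificate and bundle.

key_matches_cert() {        # KEY CRT: same RSA modulus in both files?
    km=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cm=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

chain_verifies() {          # BUNDLE CRT: does CRT chain up to BUNDLE?
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

cert_cn() {                 # CRT: print the certificate's Common Name
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= //p'
}

key_not_world_readable() {  # KEY: no permission bits set for "other"
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

check_all() {               # KEY CRT BUNDLE HOSTNAME: 0 only if all pass
    key_not_world_readable "$1" && key_matches_cert "$1" "$2" &&
        chain_verifies "$3" "$2" && [ "$(cert_cn "$2")" = "$4" ]
}

# Constructed test material: a throwaway CA stands in for gd_bundle.crt.
make_demo_files() (         # DIR HOSTNAME (subshell keeps umask local)
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/bundle.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=GB/L=London/CN=$2" \
        -keyout "$1/mail.key" -out "$1/mail.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/mail.csr" -CA "$1/bundle.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -days 1 \
        -out "$1/mail.crt" 2>/dev/null
)

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_files "$tmp" mail.example.test &&
        check_all "$tmp/mail.key" "$tmp/mail.crt" "$tmp/bundle.crt" \
            mail.example.test
    rc=$?; rm -rf "$tmp"; return $rc
}

demo && echo "all checks passed"
```

Against the real files, call check_all with /etc/ssl/private/[yourname].key, /etc/ssl/certs/[yourname].crt, /etc/ssl/certs/gd_bundle.crt and your hostname. Note that openssl verify also consults the system trust store, so a passing chain check means the certificate chains to the bundle or to a CA the server already trusts.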

Step 6: Edit the following files

Find and replace:

a) Apache (Webserver)

/etc/apache2/sites-available/default-ssl
SSLCertificateFile /etc/ssl/certs/[yourname].crt
SSLCertificateKeyFile /etc/ssl/private/[yourname].key
SSLCACertificateFile /etc/ssl/certs/gd_bundle.crt

b) Dovecot (IMAP/POP Server)

/etc/dovecot/dovecot.conf
ssl_key_file = /etc/ssl/private/[yourname].key
ssl_cert_file = /etc/ssl/certs/[yourname].crt
ssl_ca_file = /etc/ssl/certs/gd_bundle.crt

c) Postfix (SMTP Server)

/etc/postfix/main.cf
smtpd_tls_key_file = /etc/ssl/private/[yourname].key
smtpd_tls_cert_file = /etc/ssl/certs/[yourname].crt
smtpd_tls_CAfile = /etc/ssl/certs/gd_bundle.crt

Step 7: Restart all three services

service apache2 restart
service dovecot restart
service postfix restart

Step 8: Testing things work

Load your webmail client via https (after you have cleared your cache and history) and notice that there are no errors anymore!

Access your email via IMAP/POP client (e.g. Thunderbird) and send a test mail to somewhere. Make sure you select something like STARTTLS for encryption to actually see whether it's working.

When sending and receiving you should now no longer receive any more warnings.

Unless of course you made a mistake somewhere ;-)

Have a nice day.

Epilogue

I'm running my iRedMail server on my Proxmox VM host in an OpenVZ container (virtual machine) with 30GB space and 2GB RAM. It's plenty for my purposes. Make sure to have enough disk space available when running lots of mailboxes and use quotas.

Also, be prepared to increase the memory (RAM) especially as Apache2 can be a memory hog. Processing large volumes of mail also requires a fair bit of memory and speedy disks. Last but not least do yourself a favour and use a backup MX (mail server) in case your box goes down!

Oh and don't forget to set a reverse DNS entry for your hostname too.

About the author

Axel Segebrecht

With a passion for technology that enables people to communicate more effectively, I have been supporting people by getting their information technology to work for them, the way they need it to.