Zimbra Mail Server is a robust email platform that combines several functionalities, including email, contacts, calendar, and tasks, into a single web interface. Popular among businesses and educational institutions, Zimbra provides a powerful solution for managing email communications. However, ensuring the security of these communications is critical, and that's where SSL (Secure Sockets Layer) certificates come into play.
Importance of SSL Certificates for Email Servers
SSL certificates encrypt the communication between the server and clients, preventing unauthorized access and data breaches. For email servers like Zimbra, SSL is essential as it ensures that sensitive information, such as email content and user credentials, is securely transmitted.
Benefits of Installing SSL on Zimbra
Installing SSL on your Zimbra Mail Server enhances security, boosts user trust, and may even improve email deliverability by reducing the likelihood of messages being flagged as spam. Additionally, SSL is increasingly becoming a requirement for compliance with various data protection regulations.
1. Install Certbot
apt install certbot2. Request SSL ke Let’s Encrypt
certbot certonly --standalone3. Enter your email address
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]4. Type A, enter. To Agree Terms of Service
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A5. Type N, enter
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N6. Enter Zimbra Hostname
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): mail.vkttech.xyz7. If the SSL request is successful, the result will be like this
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.vkttech.xyz/privkey.pem
Your cert will expire on 2024-12-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le8. Copy privatekey SSL ke folder SSL zimbra
cp /etc/letsencrypt/live/mail.vkttech.xyz/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key9. Change permission to zimbra user in commercial.key file
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key10. CA Let’s Encrypt, fullchain.pem
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /tmp/R3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
cat /tmp/R3.pem >> /etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem11. Change permission to zimbra user on the folder
chown -R zimbra:zimbra /etc/letsencrypt12. Verify SSL Let’s Encrypt
su - zimbra
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/mail.vkttech.xyz/cert.pem /etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pemIf everything is valid, it will appear as follows, and you can continue to deploy SSL.
** Verifying '/etc/letsencrypt/live/mail.vkttech.xyz/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/mail.vkttech.xyz/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/mail.vkttech.xyz/cert.pem' against '/etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem'
Valid certificate chain: /etc/letsencrypt/live/mail.vkttech.xyz/cert.pem: OK13. Deploy SSL Let’s Encrypt
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.vkttech.xyz/cert.pem /etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem14. Restart Zimbra
zmcontrol restartTo set up automatic SSL renewal, follow these steps:
1. Open the crontab editor:
crontab -e2. Add the following line to the crontab:
0 0 1 * * /usr/bin/certbot renew --post-hook "/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.vkttech.xyz/cert.pem /etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem && /opt/zimbra/bin/zmcontrol restart"3. Save and exit the crontab editor.
Now, your Zimbra SSL certificate will be automatically renewed every month, and the changes will be deployed without any manual intervention.
