How to Install Free SSL Certificates on Zimbra Mail Server Ubuntu


Zimbra Mail Server is a robust email platform that combines several functionalities, including email, contacts, calendar, and tasks, into a single web interface. Popular among businesses and educational institutions, Zimbra provides a powerful solution for managing email communications. However, ensuring the security of these communications is critical, and that's where SSL (Secure Sockets Layer) certificates come into play.

Importance of SSL Certificates for Email Servers

SSL certificates encrypt the communication between the server and clients, preventing unauthorized access and data breaches. For email servers like Zimbra, SSL is essential as it ensures that sensitive information, such as email content and user credentials, is securely transmitted.

Benefits of Installing SSL on Zimbra

Installing SSL on your Zimbra Mail Server enhances security, boosts user trust, and may even improve email deliverability by reducing the likelihood of messages being flagged as spam. Additionally, SSL is increasingly becoming a requirement for compliance with various data protection regulations.

1. Install Certbot

apt install certbot

2. Request an SSL certificate from Let’s Encrypt

certbot certonly --standalone

3. Enter your email address

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@vkttech.xyz

4. Type A and press Enter to agree to the Terms of Service

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

5. Type N and press Enter

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

6. Enter the Zimbra hostname

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): mail.vkttech.xyz

7. If the SSL request is successful, the output will look like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.vkttech.xyz/privkey.pem
   Your cert will expire on 2024-12-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

8. Copy the SSL private key to the Zimbra SSL folder

cp /etc/letsencrypt/live/mail.vkttech.xyz/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

9. Change the owner of the commercial.key file to the zimbra user

chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

10. Download the Let’s Encrypt CA certificates and append them to fullchain.pem

wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /tmp/R3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
cat /tmp/R3.pem >> /etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem

11. Change the owner of the /etc/letsencrypt folder to the zimbra user so that zmcertmgr can read the certificate files

chown -R zimbra:zimbra /etc/letsencrypt

12. Verify the Let’s Encrypt certificate

su - zimbra
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/mail.vkttech.xyz/cert.pem /etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem

If everything is valid, it will appear as follows, and you can continue to deploy SSL.

** Verifying '/etc/letsencrypt/live/mail.vkttech.xyz/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/mail.vkttech.xyz/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/mail.vkttech.xyz/cert.pem' against '/etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem'
Valid certificate chain: /etc/letsencrypt/live/mail.vkttech.xyz/cert.pem: OK

13. Deploy the Let’s Encrypt certificate

/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.vkttech.xyz/cert.pem /etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem

14. Restart Zimbra

zmcontrol restart

To set up automatic SSL renewal, follow these steps:

1. Open the crontab editor:

crontab -e

2. Add the following line to the crontab:

0 0 1 * * /usr/bin/certbot renew --post-hook "/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.vkttech.xyz/cert.pem /etc/letsencrypt/live/mail.vkttech.xyz/fullchain.pem && /opt/zimbra/bin/zmcontrol restart"

3. Save and exit the crontab editor.

Now cron runs certbot renew on the first day of every month. When the certificate is renewed, the post-hook deploys it and restarts Zimbra without any manual intervention.
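
The cron line above redeploys cert.pem and fullchain.pem but repeats neither step 8 (copying the private key, which certbot replaces on renewal unless key reuse is configured) nor step 10 (adding the root CA to the chain). The deploy hook below is an added example, not code from the original page; it repeats steps 8 to 13 for each renewed certificate and refuses to deploy when key and certificate do not match. It assumes it is run by certbot as root, and the ROOT_CA and STAGE paths are hypothetical; the chain is built from fullchain.pem, which already contains the issuing intermediate, plus the root.

```shell
#!/bin/sh
# Added example: certbot deploy hook for Zimbra, not from the original page.
# Assumed (hypothetical) paths: ROOT_CA is a stored copy of isrgrootx1.pem
# from step 10, STAGE is a directory the zimbra user can read.
set -eu
KEY_DEST=/opt/zimbra/ssl/zimbra/commercial/commercial.key
ROOT_CA=/etc/ssl/zimbra-le/isrgrootx1.pem
STAGE=/opt/zimbra/ssl/letsencrypt

# Copy key, certificate and chain out of a certbot lineage directory.
# The chain file is rebuilt from scratch on every run, so the root is never
# appended twice and the live fullchain.pem is left untouched.
stage_files() {   # $1 lineage dir, $2 root CA, $3 key destination, $4 stage dir
    mkdir -p "$4"
    install -m 600 "$1/privkey.pem" "$3"
    install -m 644 "$1/cert.pem" "$4/cert.pem"
    cat "$1/fullchain.pem" "$2" > "$4/chain.pem"
}

# Succeed only if the private key and the certificate carry the same public
# key. Unreadable or unparsable input counts as a mismatch.
key_matches_cert() {   # $1 private key, $2 certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# certbot exports RENEWED_LINEAGE only while it runs a deploy hook, so
# nothing below executes when the file is sourced or run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    key_matches_cert "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/cert.pem" || {
        echo "renewed key and certificate do not match; not deploying" >&2
        exit 1
    }
    stage_files "$RENEWED_LINEAGE" "$ROOT_CA" "$KEY_DEST" "$STAGE"
    chown zimbra:zimbra "$KEY_DEST" "$STAGE/cert.pem" "$STAGE/chain.pem"
    # zmcertmgr runs as the zimbra user, as in step 12; Zimbra is restarted
    # only if verification and deployment both succeed.
    su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm '$KEY_DEST' '$STAGE/cert.pem' '$STAGE/chain.pem' \
        && /opt/zimbra/bin/zmcertmgr deploycrt comm '$STAGE/cert.pem' '$STAGE/chain.pem' \
        && /opt/zimbra/bin/zmcontrol restart"
fi
```

Saved as, for example, /usr/local/sbin/zimbra-le-deploy.sh (a hypothetical path), it is passed to certbot with `certbot renew --deploy-hook /usr/local/sbin/zimbra-le-deploy.sh`; certbot runs a deploy hook once for each certificate it actually renewed.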
