Enable SSL (LetsEncrypt)

Add or check these settings. The config checker will do this for you.

g_ssl_per_domain "true"
g_ssl_auto "true"
g_webmail_port "80,7080"

Then issue the command:

tellmail ssl_update

(or run tellmail ssl_update_test first to check your settings: too many failed real requests will cause a lockout for a day)

That’s it.

NOTE: It is essential that SurgeMail itself is listening on port 80 and NOT some other web server! (Or follow the notes below for IIS/Apache.)


Also check that your other SSL settings are enabled:

g_ssl_allow "*"
g_ssl_try_out "*"
g_ssl_perfect "true"

Requirements for Let's Encrypt

  • SurgeMail version 7.3j2 or later
  • Your server must be accessible on port 80 directly to SurgeMail (not Apache or IIS), or see the IIS/Apache notes below
  • Each domain's url_host setting must point at your server, e.g. url_host "mail.fred.com"
  • Ensure each domain's url_host setting is the name you want to use to refer to that domain's server, typically mail.domain.name; e.g. for fred.com you would usually use mail.fred.com. This DNS entry must exist!
  • Add any aliases you also want to work in each domain with the ssl_alias setting, e.g. ssl_alias "webmail.fred.com"

Forcing SSL connections

If you wish to force the use of SSL, use the following settings:

# Block imap/pop/smtp logins without SSL enabled, for all ip addresses.
g_ssl_require_login "*"
# Redirect users from the plain-http url to the https url automatically.
g_url_redirect from="http://*/surgeweb" to="https://%1/surgeweb" ports="80"
g_url_redirect from="http://*/user.cgi" to="https://%1/user.cgi" ports="80"
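To make the wildcard and %1 substitution in g_url_redirect concrete, here is a small Python model of how such a rule maps a request to its HTTPS target. It is an added example, not SurgeMail's own code; it assumes the reading implied by the two rules above: each * in from= captures part of the requested URL, %1 refers to the first capture, and ports= limits which listener ports the rule applies to.

```python
import re


def compile_rule(frm, to, ports):
    """Compile one g_url_redirect rule (as modelled here, not SurgeMail's parser).

    Every '*' in the from= pattern becomes a capture group that the to=
    template can reference as %1, %2, ...; ports= is a comma-separated list
    of listener ports the rule applies to.
    """
    parts = frm.split("*")
    regex = re.compile("^" + "(.*)".join(re.escape(p) for p in parts) + "$")
    port_set = {int(p.strip()) for p in ports.split(",")}
    return regex, to, port_set


# The two rules from the article: plain HTTP on port 80 -> HTTPS on the same host.
RULES = [
    compile_rule("http://*/surgeweb", "https://%1/surgeweb", "80"),
    compile_rule("http://*/user.cgi", "https://%1/user.cgi", "80"),
]


def redirect_target(rules, url, port):
    """Return the URL the client should be redirected to, or None if no rule applies."""
    for regex, to, port_set in rules:
        if port not in port_set:
            continue  # rule only applies on the listed ports
        match = regex.match(url)
        if match is None:
            continue
        target = to
        for index, captured in enumerate(match.groups(), start=1):
            target = target.replace(f"%{index}", captured)
        return target
    return None


if __name__ == "__main__":
    # Constructed sample requests: host mail.fred.com is taken from the article's examples.
    for url, port in [
        ("http://mail.fred.com/surgeweb", 80),    # redirected
        ("http://mail.fred.com/surgeweb", 7080),  # port not covered by the rule
        ("http://mail.fred.com/other", 80),       # path not covered by the rule
    ]:
        print(url, port, "->", redirect_target(RULES, url, port))
```

Both rules send the client back to the host it already asked for (%1) on the same path, which is the property to keep when adding redirect rules: a rule whose target host came from the request's query string or a user-supplied header would be an open-redirect risk.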

Exclude some domains

To exclude one or more domains from Let's Encrypt, use this setting:

g_ssl_lets_exclude "xyz.com"

Then copy their certificates into the ssl folders:

copy surgemail\ssl\xyz.com\*.pem surgemail\lets\xyz.com

Windows IIS on the same system

If you have IIS or Apache running on the same mail server and it owns port 80, you need to define the following setting so that SurgeMail knows where to put the challenge file:

Remove port 80 from g_webmail_port, then restart SurgeMail and IIS.

Set in SurgeMail: g_ssl_lets_path "c:\surgemail\wellknown"

In IIS, create a virtual path ".well-known" and map it to c:\surgemail\wellknown

Then in IIS add a file extension of type "." with MIME type text/xml (the challenge files have no extension, and IIS will not serve an extensionless file without a MIME mapping).

  1. Open IIS Manager, right click on the website and select "Add Virtual Directory...".
  2. For the Alias field, enter .well-known; for the Physical Path field, enter the location of the wellknown folder you created.
  3. Press OK to save the input and make the folder accessible on the website.
  4. Test it by placing a file at c:\surgemail\wellknown\test and check that you can view it via http://your.web.server/.well-known/test
  5. Now run tellmail ssl_update and it should work.

Linux/Apache on the same system

If you are running Apache on port 80 then you can do this; correct the path to whatever you have used for Apache's web root.

In surgemail.ini add:

  g_ssl_lets_path "/var/www/html/.well-known"

Then:

  mkdir -p /var/www/html/.well-known/acme-challenge
  chown mail /var/www/html/.well-known/acme-challenge

Using a reverse proxy with Apache instead (alternative)

If you have SurgeMail on port 7080 (g_webmail_port "7080"), put the following in the default virtual server configuration (using your actual server and domain name):

  ProxyPass /.well-known http://servername.mydomain.com:7080/.well-known
  ProxyPassReverse /.well-known http://servername.mydomain.com:7080/.well-known

Then "tellmail ssl_update" should work just as if SurgeMail were on port 80.
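The IIS test step above (place a file under the mapped folder, fetch it over HTTP) is the same check that matters for every layout on this page: SurgeMail itself on port 80, IIS or Apache serving g_ssl_lets_path, or the Apache reverse proxy. The Python script below is an added example, not SurgeMail code or part of the original article; it automates that check so the challenge path can be confirmed before running tellmail ssl_update and using up attempts against the lockout. It writes a random token into <webroot>/.well-known/acme-challenge, fetches it over plain HTTP the way the HTTP-01 validator would, and removes it again. run_local_demo() is a constructed stand-in for your real web server: it serves a temporary directory on 127.0.0.1 and shows both the working case and the failure you get when the directory SurgeMail writes to is not the one the web server serves.

```python
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

# Path the ACME HTTP-01 validator requests under the site root (fixed by the protocol).
CHALLENGE_PATH = ".well-known/acme-challenge"


def place_token(webroot):
    """Write a random token file into <webroot>/.well-known/acme-challenge.

    Returns (token_name, token_content, file_path). The name has no extension,
    which is exactly the case the IIS MIME-mapping step must cover.
    """
    challenge_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    name = secrets.token_urlsafe(16)
    content = secrets.token_urlsafe(32)
    path = os.path.join(challenge_dir, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(content)
    return name, content, path


def fetch_token(base_url, name, timeout=5):
    """GET the token over plain HTTP, ignoring any proxy settings in the environment.

    Returns (http_status, body); status is None when no connection could be made.
    """
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{name}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def preflight(base_url, webroot):
    """Place a token under webroot, fetch it via base_url, clean up.

    Returns (ok, http_status). ok is True only when the server at base_url
    really serves files from webroot's challenge directory with the exact
    content written, i.e. an HTTP-01 challenge for this host can succeed.
    """
    name, expected, path = place_token(webroot)
    try:
        status, body = fetch_token(base_url, name)
    finally:
        os.remove(path)
    return (status == 200 and body == expected), status


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request log lines."""

    def log_message(self, fmt, *args):
        pass


def run_local_demo():
    """Constructed stand-in for a real web server: serve a temp webroot on 127.0.0.1.

    'served'     -> token placed in the directory the server serves      (expect (True, 200))
    'wrong_root' -> token placed in a directory the server does not serve (expect (False, 404)),
                    the failure mode when g_ssl_lets_path and the web server's path disagree.
    """
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other_root:
        handler = functools.partial(_QuietHandler, directory=webroot)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        port = server.server_address[1]
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            base_url = f"http://127.0.0.1:{port}"
            results = {
                "served": preflight(base_url, webroot),
                "wrong_root": preflight(base_url, other_root),
            }
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(run_local_demo())
```

Against a real server, call preflight("http://mail.fred.com", "/var/www/html") (or the Windows paths from the IIS section) from a host that reaches port 80 the way the public internet does. A (False, 404) result on IIS with the virtual directory in place usually points at the missing MIME mapping for extensionless files; a (False, None) result means nothing answered on port 80 at all.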

Manual SSL certificates

Alternatively, you may wish to configure SSL certificates manually; if so, see the separate article on manual SSL certificates.
