Let's Encrypt is a certificate authority that provides free certificates for Transport Layer Security (TLS) encryption via an automated process.
This article applies to MDaemon versions 18.0 and above.
Let's Encrypt certificates are valid for 90 days from the time they are issued. MDaemon's Let's Encrypt menu lets administrators customize the certificate request and enable automatic renewal so that certificates are replaced before they expire. MDaemon also applies the new certificate to MDaemon, Webmail, and Remote Administration automatically.
MDaemon's Let's Encrypt menu is designed to replace the otherwise complex manual process of creating, validating, signing, installing, and renewing certificates for secure websites. More information on Let's Encrypt and the services it provides is available on the Let's Encrypt website.
Let's Encrypt proves control of each host name with an HTTP-01 challenge, so port 80 must be reachable from the Internet for plain HTTP requests. Webmail must be enabled and listening on port 80 (HTTP) for the process to complete. The validation request cannot be initiated over HTTPS: Let's Encrypt always connects to port 80 first, but it does follow an HTTP to HTTPS redirect, so MDaemon's HTTP to HTTPS redirect can remain enabled while obtaining and renewing certificates.
For enhanced browser security, enable HSTS for Webmail and Remote Administration. See the related article "How to enable HTTP Strict Transport Security (HSTS) in MDaemon for Webmail and Remote Administration".
PowerShell 5.1 and .NET Framework 4.7.2 are required in order to use the Let's Encrypt feature.
Verify Webmail is configured to run on port 80:
- Open the MDaemon configuration session.
- Select Setup
- Select Web & IM Services
- Under Webmail, select Web Server.
- Set Run Webmail server using this TCP port to 80.
- Click Apply
- Click Restart Webmail if any changes have been made.
- Click Ok to close the menu.
Verify that every MDaemon host name to be added to the certificate can reach Webmail over port 80.
For example, if mail.company.test is your primary host name, open a web browser and navigate to http://mail.company.test. If you do not see the Webmail login screen, port 80 may be blocked on your firewall, another application may be using the port, or the configuration above has not been performed.
If you have multiple host names for multiple domains and/or alternative host names you wish to add to the certificate request, each of these host names must also resolve to the Webmail login screen. Add A (or AAAA) or CNAME records in your public DNS so that each host name resolves to the MDaemon server; TXT records play no part in HTTP-01 validation.
For example:
http://mail.company2.test
http://autodiscover.company.test
http://mta-sts.company.test
etc...
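The prerequisite and reachability checks above can be scripted so they are run before Run Now is clicked. The following PowerShell script is an added example for this article, not MDaemon's own generated script: it checks the PowerShell and .NET Framework versions, reports which process owns TCP port 80, confirms that every host name resolves to the same address as the primary host name, and requests http://host/ on port 80 with redirects disabled so that an HTTP to HTTPS redirect is reported rather than silently followed. The host names are the placeholders used in this article and the .NET Release value 461808 is Microsoft's documented minimum for 4.7.2; everything else is standard Windows PowerShell 5.1.

```powershell
# Pre-flight check for MDaemon's Let's Encrypt (HTTP-01) setup.
# Added example; this is NOT MDaemon's generated script. Run on the MDaemon
# server in an elevated Windows PowerShell 5.1 session. The host names are
# the placeholders from this article; replace them with your own.
$PrimaryHost    = 'mail.company.test'
$AlternateHosts = @('autodiscover.company.test', 'mta-sts.company.test')

function Test-LEPrerequisites {
    $ok = $true
    if ($PSVersionTable.PSVersion -lt [Version]'5.1') {
        Write-Warning "PowerShell $($PSVersionTable.PSVersion) found; 5.1 or later is required"
        $ok = $false
    }
    # .NET Framework 4.7.2 or later reports a Release value of 461808 or higher.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
    if (-not $release -or $release -lt 461808) {
        Write-Warning ".NET Framework 4.7.2 or later not found (Release=$release)"
        $ok = $false
    }
    return $ok
}

function Test-Port80Listener {
    # Report which local process owns TCP port 80. If it is not Webmail, the
    # challenge request never reaches MDaemon even though the port is open.
    $listeners = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Warning 'Nothing is listening on TCP port 80; check the Webmail Web Server settings'
        return $false
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("Port 80 listener: {0} (PID {1}) on {2}" -f $proc.ProcessName, $l.OwningProcess, $l.LocalAddress)
    }
    return $true
}

function Get-ARecords([string]$HostName) {
    # Resolve-DnsName follows CNAME chains; keep only the final A records.
    Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
}

function Test-WebmailHttp([string]$HostName) {
    # Plain HTTP on port 80 with automatic redirects turned off, so a redirect
    # to HTTPS is reported as such instead of being silently followed.
    $req = [System.Net.HttpWebRequest]::Create("http://$HostName/")
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if ($_.Exception.Response) { $resp = $_.Exception.Response }
        else { Write-Warning "$HostName : $($_.Exception.Message)"; return $false }
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()
    switch ($status) {
        200 { Write-Host "$HostName : HTTP 200 on port 80"; return $true }
        { $_ -in 301, 302, 307, 308 } {
            if ($location -like "https://$HostName*") {
                Write-Host "$HostName : redirects to HTTPS ($location); Let's Encrypt follows this"
                return $true
            }
            Write-Warning "$HostName : redirects somewhere else ($location)"
            return $false
        }
        default { Write-Warning "$HostName : unexpected HTTP $status on port 80"; return $false }
    }
}

$allOk = Test-LEPrerequisites
$allOk = (Test-Port80Listener) -and $allOk
$primaryIps = @(Get-ARecords $PrimaryHost)
if (-not $primaryIps) { Write-Warning "$PrimaryHost does not resolve"; $allOk = $false }
foreach ($h in @($PrimaryHost) + $AlternateHosts) {
    $ips = @(Get-ARecords $h)
    if (-not $ips) { Write-Warning "$h : no A or CNAME record"; $allOk = $false; continue }
    # Every name in the request must point at the same server as the primary host name.
    if ($primaryIps -and (Compare-Object $ips $primaryIps)) {
        Write-Warning "$h resolves to $($ips -join ',') but $PrimaryHost resolves to $($primaryIps -join ',')"
    }
    $allOk = (Test-WebmailHttp $h) -and $allOk
}
if ($allOk) { "All checks passed; run the Let's Encrypt script from the MDaemon menu." }
else        { "Fix the warnings above before running Let's Encrypt." }
```

Run the script from the MDaemon server itself, but note that it resolves names with the server's own DNS resolver; if the server uses split-horizon DNS, confirm the public A records separately, because Let's Encrypt validates against public DNS.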
Follow the steps below to set up Let's Encrypt on the MDaemon mail server.
- Open the MDaemon configuration session.
- Select Security
- Select Security Settings
- Expand SSL & TLS
- Select Let's Encrypt
- Check Enable updates
- Enter any alternate host names for the mail server in the Alternate host names field. Enter alternate host names only; do not enter the primary domain's host name.
- If Webmail is hosted on an external IIS web server, enter the IIS site name in the IIS site name field.
- Enter the email address of the administrator who should be notified if errors occur during a certificate update.
- Enter the number of Days between updates. Because the certificates are valid for 90 days, this value must be fewer than 90; Let's Encrypt recommends renewing every 60 days.
- Click Apply to save changes.
- Select Run Now to run the generated script displayed at the bottom of the menu.
If successful, MDaemon will restart and the new certificate will be enabled and selected for MDaemon, Webmail, and Remote Administration.
Each run writes a letsencrypt.log file to the \MDaemon\Logs directory (default location). If you are having issues and the log is not clear, please submit this log to our technical support team for review.
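Once the script has run, confirm from the outside that the certificate actually being served is the Let's Encrypt one and that it covers every host name. The following PowerShell script is an added example, not part of MDaemon or its Let's Encrypt script: it opens a TLS connection to each host name (sending SNI), reads the presented certificate, and checks the issuer, chain validation, days remaining, and the subject alternative names. The host names are the placeholders from this article and the port list (443 for Webmail over HTTPS) is an assumption; add the other TLS ports you expose.

```powershell
# Post-install check of the certificate MDaemon is now serving.
# Added example; not part of MDaemon or its Let's Encrypt script.
# Host names are this article's placeholders; ports are an assumption
# (443 = Webmail over HTTPS). Adjust both to your configuration.
$ExpectedHosts = @('mail.company.test', 'autodiscover.company.test', 'mta-sts.company.test')
$Ports    = @(443)
$WarnDays = 30   # certificates live 90 days; renewal should land well before this

function Get-RemoteCertificate([string]$HostName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)
    # Accept whatever is presented here; trust is checked explicitly below with Verify().
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)   # SNI = $HostName, so we get that name's certificate
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $client.Close()
    }
}

function Get-SanNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $ext) { return @() }
    # On Windows, Format($false) yields "DNS Name=a, DNS Name=b".
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-ServedCertificate([string]$HostName, [int]$Port) {
    $cert     = Get-RemoteCertificate $HostName $Port
    $sans     = @(Get-SanNames $cert)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $ok = $true
    Write-Host ("{0}:{1} -> issuer '{2}', expires {3:yyyy-MM-dd} ({4} days left)" -f `
        $HostName, $Port, $cert.Issuer, $cert.NotAfter, $daysLeft)
    if ($cert.Issuer -notmatch "Let's Encrypt") {
        Write-Warning "${HostName}:${Port} : issuer is not Let's Encrypt; the new certificate is not selected here"
        $ok = $false
    }
    if (-not $cert.Verify()) {
        Write-Warning "${HostName}:${Port} : chain does not validate (missing intermediate or untrusted root)"
        $ok = $false
    }
    if ($daysLeft -lt $WarnDays) {
        Write-Warning "${HostName}:${Port} : fewer than $WarnDays days left; check letsencrypt.log and Days between updates"
        $ok = $false
    }
    if ($sans -notcontains $HostName) {
        Write-Warning "${HostName}:${Port} : host name is not in the SAN list ($($sans -join ', '))"
        $ok = $false
    }
    $missing = $ExpectedHosts | Where-Object { $sans -notcontains $_ }
    if ($missing) { Write-Warning "Certificate is missing alternate host names: $($missing -join ', ')" }
    return $ok
}

$result = $true
foreach ($h in $ExpectedHosts) {
    foreach ($p in $Ports) {
        try   { $result = (Test-ServedCertificate $h $p) -and $result }
        catch { Write-Warning "${h}:${p} : $($_.Exception.Message)"; $result = $false }
    }
}
if ($result) { 'Served certificates look good.' } else { 'Review the warnings above.' }
```

Scheduling this check to run a few days after each expected renewal gives an independent alarm if the Days between updates cycle silently stops working, since the administrator email notification only fires when the script itself reports an error.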