Using Let's Encrypt Certificates - Revision history

Bmeyn: /* About Let's Encrypt */

2022-03-22T15:47:47Z

About Let's Encrypt

Bmeyn: /* Obtaining the Certificate */

2022-03-22T15:47:14Z

Obtaining the Certificate

Bmeyn: /* Scenario 2: MailStore Gateway on External Network */

2022-03-22T15:46:18Z

Scenario 2: MailStore Gateway on External Network

Rrommelrath at 08:36, 28 February 2022

2022-02-28T08:36:11Z

Rrommelrath: Created page with "== About Let's Encrypt == Let's Encrypt is a free, automated, and open certificate authority, trusted by all major web browsers and operating systems. Many large, well known s..."

2022-02-28T08:31:08Z

Created page with "== About Let's Encrypt == Let's Encrypt is a free, automated, and open certificate authority, trusted by all major web browsers and operating systems. Many large, well known s..."

New page

== About Let's Encrypt ==
Let's Encrypt is a free, automated, and open certificate authority, trusted by all major web browsers and operating systems. Many large, well known sponsors from the IT industry support Let's Encrypt's effort to help making the internet a safer place.

A fully automated certificate approval process eliminates email or phone verification of traditional certificate authorities that often take days.

Let's Encrypt certificates are only valid for 90 days and thus need to be renewed regularly. The MailStore Server service handles the automatic renewals once the initial configuration is done.

== Prerequisites ==
For the MailStore Gateway computer, a public DNS record (A or CNAME) must exist and point to a public IP address.
The MailStore Gateway computer must be accessible from the Internet on TCP port 80 (HTTP) for Let's Encrypt's automatic domain approval process. A port forwarding on your firewall or gateway might be necessary. Since Let's Encrypt validates from different IP addresses, such a firewall rule cannot be limited to certain source IP addresses.

== Scenario 1: MailStore Gateway on Local Area Network (LAN) ==
The most common scenario for a MailStore Gateway installation is on a local network inside the organization's premises. Typically, the MailStore Gateway computer has a private IP address (e.g. 192.168.0.10) and the Internet connection is established through a router which masks all internal IP addresses with its own external IP address assigned by the ISP. This is known as Network Address Translation (NAT).

For this scenario, we assume that MailStore Gateway is running on a new, dedicated computer.

# Ask your Internet access provider to assign a static, public IP address to the router.
# Assign an available static IP Address from your local network to the MailStore Gateway computer.
# Create a port forwarding rule on the router, that forwards all connections to TCP port 80 on the public IP address, which was assigned in step 1, to the internal IP address of your MailStore Gateway computer assigned in step 2. <br/> '''Note:''' In the MailStore Gateway Configuration, you can change the Let's Encrypt HTTP-01 Challenge Port on which the MailStore Gateway service listens on the internal IP address assigned in step 2. However, on the public IP address assigned to the router in step 1, TCP port 80 must be used because Let's Encrypt's certificate approval process only supports this HTTP standard TCP port. If you change Let's Encrypt HTTP-01 Challenge Port, you must update the port forwarding rule created in step 3 accordingly.
# Add an A or CNAME record to the DNS zone of your public domain, e.g. mailstore.example.com pointing to the public IP address that was assigned in step 1.
# Depending on how DNS resolution is handled in your local network, you need to add a corresponding DNS record on your internal DNS server or router as well. This record should point to the internal IP address of the MailStore Gateway computer.

== Scenario 2: MailStore Gateway on External Network ==
If the MailStore Gateway computer is already on a network that used public IP address, e.g. in a data center, or a DMZ it is much easier to fulfill the prerequisites.

For this scenario, we assume that MailStore Gateway is running on a new, dedicated computer.

# Assign an available public IP Address from your public network to the MailStore Gateway computer.
# If there is a firewall in place, create a firewall rule, that allows all connections to TCP port 80 on the public IP address to pass through. <br/> '''Note:''' In the MailStore Gateway Configuration, you can change the Let's Encrypt HTTP-01 Challenge Port on which the MailStore Gateway service listens on the public IP address assigned in step 1. However, in the scenario described here, TCP port 80 must be used because Let's Encrypt's certificate approval process only supports this HTTP standard TCP port.
# Add an A or CNAME record to the DNS zone of your public domain, e.g. mailstore.example.com pointing to the public IP address that was assigned in step 1.

== Obtaining the Certificate ==
The MailStore Gateway tests the settings against Let's Encrypt's staging environment. If an issue occurs, the Gateway will show a warning. Please review the log output, resolve the issue and try again.
If the test was successful, the MailStore Gateway will automatically request a certificate from Let's Encrypt's production system and confirm that setup was successful.
The automatic renewal of Let's Encrypt certificates every 60 days is active as long as no other certificate is selected manually.

← Older revision		Revision as of 08:36, 28 February 2022
Line 34:		Line 34:
	If the test was successful, the MailStore Gateway will automatically request a certificate from Let's Encrypt's production system and confirm that setup was successful.		If the test was successful, the MailStore Gateway will automatically request a certificate from Let's Encrypt's production system and confirm that setup was successful.
	The automatic renewal of Let's Encrypt certificates every 60 days is active as long as no other certificate is selected manually.		The automatic renewal of Let's Encrypt certificates every 60 days is active as long as no other certificate is selected manually.
		+
		+	[[de:Verwendung von Let's Encrypt Zertifikaten]]
		+	[[en:Using Let's Encrypt Certificates]]

@@ Line 4: / Line 4: @@
 A fully automated certificate approval process eliminates email or phone verification of traditional certificate authorities that often take days.
-Let's Encrypt certificates are only valid for 90 days and thus need to be renewed regularly. The MailStore Server service handles the automatic renewals once the initial configuration is done.
+Let's Encrypt certificates are only valid for 90 days and thus need to be renewed regularly. The MailStore Gateway service handles the automatic renewals once the initial configuration is done.
 == Prerequisites ==

@@ Line 31: / Line 31: @@
 == Obtaining the Certificate ==
-The MailStore Gateway tests the settings against Let's Encrypt's staging environment. If an issue occurs, the Gateway will show a warning. Please review the log output, resolve the issue and try again.
+The MailStore Gateway tests the settings against Let's Encrypt's staging environment. If an issue occurs, MailStore Gateway will show a warning. Please review the log output, resolve the issue and try again.
 If the test was successful, the MailStore Gateway will automatically request a certificate from Let's Encrypt's production system and confirm that setup was successful.
 The automatic renewal of Let's Encrypt certificates every 60 days is active as long as no other certificate is selected manually.

@@ Line 22: / Line 22: @@
 == Scenario 2: MailStore Gateway on External Network ==
-If the MailStore Gateway computer is already on a network that used public IP address, e.g. in a data center, or a DMZ it is much easier to fulfill the prerequisites.
+If the MailStore Gateway computer is already on a network that uses public IP addresses, e.g. in a data center or a DMZ, it is much easier to fulfill the prerequisites.
 For this scenario, we assume that MailStore Gateway is running on a new, dedicated computer.
 # Assign an available public IP Address from your public network to the MailStore Gateway computer.
-# If there is a firewall in place, create a firewall rule, that allows all connections to TCP port 80 on the public IP address to pass through. <br/> '''Note:''' In the MailStore Gateway Configuration, you can change the Let's Encrypt HTTP-01 Challenge Port on which the MailStore Gateway service listens on the public IP address assigned in step 1. However, in the scenario described here, TCP port 80 must be used because Let's Encrypt's certificate approval process only supports this HTTP standard TCP port.
+# If there is a firewall in place, create a firewall rule which allows all connections to TCP port 80 on the public IP address to pass through. <br/> '''Note:''' In the MailStore Gateway Configuration, you can change the Let's Encrypt HTTP-01 Challenge Port on which the MailStore Gateway service listens on the public IP address assigned in step 1. However, in the scenario described here, TCP port 80 must be used because Let's Encrypt's certificate approval process only supports this HTTP standard TCP port.
 # Add an A or CNAME record to the DNS zone of your public domain, e.g. mailstore.example.com pointing to the public IP address that was assigned in step 1.