1

Topic: Letsencrypt on reverse proxy server?

Hi all,

I have a mature, functioning iRedMail server on Ubuntu 20 LTS.

I have set up a reverse proxy server on Ubuntu 22 LTS/NGINX. Other than just being a dedicated proxy, I would like it to handle all the Let's Encrypt certs for the iRedMail server.

Is this possible?

Only ports 443/80 will be proxied; mail ports will still be going through the router directly.

Regards


2

Re: Letsencrypt on reverse proxy server?

Let's Encrypt accesses "http(s)://<server>/.well-known/acme-challenge/..." to verify the domain name; you can handle the "/.well-known/acme-challenge/" requests on the proxy server to request the cert.

3 (edited by heeter 2024-03-03 11:08:03)

Re: Letsencrypt on reverse proxy server?

ZhangHuangbin wrote:

Let's Encrypt accesses "http(s)://<server>/.well-known/acme-challenge/..." to verify the domain name; you can handle the "/.well-known/acme-challenge/" requests on the proxy server to request the cert.

Hi, thank you. Can you elaborate on what I need to do from the existing mailserver?

I have been able to get the proxy server working properly, just can't figure out the mail server side.



Regards

4

Re: Letsencrypt on reverse proxy server?

heeter wrote:

I have been able to get the proxy server working properly, just can't figure out the mail server side.

Since all http/https traffic goes to the proxy server, there's nothing to do on the mail server side except disable https in Nginx and Roundcube webmail (on the mail server).
The proxy server talks to the mail server in just http, no https.

Internet <=== (via http/https) ==> Proxy Server <=== just http ===> Mail server
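
The layout described in this thread, sketched as an Nginx configuration for the proxy server. This is an added example, not part of the original posts or iRedMail's own configuration; `mail.example.com`, `192.0.2.10` and `/var/www/acme` are placeholders, and the certificate paths assume certbot's default layout.

```nginx
# Constructed example for the proxy server. Hostname, backend address and
# webroot are placeholders, not values from the thread.
server {
    listen 80;
    server_name mail.example.com;

    # Answer Let's Encrypt HTTP-01 validation locally on the proxy,
    # so the challenge request never reaches the mail server.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else on port 80 is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name mail.example.com;

    # Certificate requested and renewed on the proxy (assumed certbot paths).
    ssl_certificate     /etc/letsencrypt/live/mail.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Plain HTTP to the mail server, as described in the post above.
        # This hop is unencrypted, so keep it on a trusted network segment.
        proxy_pass http://192.0.2.10:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this in place, a webroot-based client such as `certbot certonly --webroot -w /var/www/acme -d mail.example.com` can obtain the certificate on the proxy, assuming certbot is the ACME client in use.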

5

Re: Letsencrypt on reverse proxy server?

Hi, thank you Zhang.

If I remove the certs from the mailserver, it won't affect ports 587 and 993, and when Thunderbird asks for the certs?

6

Re: Letsencrypt on reverse proxy server?

If you need ssl/tls support for smtp/pop3/imap services WITHOUT a frontend proxy server, then you need to use ssl certs in Postfix/Dovecot.