Let's Encrypt is a free and convenient way of obtaining SSL certificates that are trusted by most browsers and servers. It provides several benefits when compared to a traditional CA:
Certificates from Let's Encrypt are only valid for 90 days. Therefore, they need to be recreated more frequently. This is usually not a problem since Xeams will automatically create them a few days before their expiration.
This page contains step-by-step instructions on how to create these certificates.
Let's Encrypt needs to validate ownership of the hostname before issuing a certificate. This is called satisfying a challenge. The following challenge types are supported by Xeams.
With the HTTP challenge, a plain text file is placed in a pre-determined folder on the Xeams HTTP server. Let's Encrypt then tries to fetch this file over port 80. The challenge is considered met if the file can be retrieved using the hostname you want the certificate for.
Therefore, you must configure Xeams to listen on port 80 for this to work. Additionally, you must configure your network firewall to route traffic for this port to the machine where Xeams is running.
Often, administrators are reluctant to open port 80 on their firewall. It is essential to remember that opening port 80 is no different than opening port 443.
Use this option if port 80 is occupied by another server running on the same machine. In this case, you must specify the Root Path for that HTTP server, i.e. the folder from which it serves files. For example, if you're using an IIS server on the same machine, this value will be something like C:\Inetpub\wwwroot. IIS will then serve the challenge file expected by Let's Encrypt.
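The following pre-flight check, an added example and not part of Xeams, verifies the mechanics described above before a certificate request is made: a token file is written under the web server's Root Path and then fetched over plain HTTP the way the CA would, so a wrong Root Path, a closed port 80 or a server that does not serve the folder shows up as a failure. It assumes the standard ACME path `/.well-known/acme-challenge/<token>` (RFC 8555) and uses Python's built-in HTTP server on a loopback port as a stand-in for Xeams or IIS so it runs offline.

```python
import functools
import http.server
import secrets
import tempfile
import threading
import urllib.request
from pathlib import Path

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"  # path ACME (RFC 8555) uses for HTTP challenge files

def place_challenge_file(webroot: Path):
    """Write a random token file under the Root Path the HTTP server serves files from."""
    token = secrets.token_urlsafe(16)
    content = f"probe-{secrets.token_hex(8)}"  # constructed body, not a real key authorization
    target = webroot / CHALLENGE_DIR
    target.mkdir(parents=True, exist_ok=True)
    (target / token).write_text(content)
    return token, content

def fetch_challenge(base_url: str, token: str, timeout: float = 5.0) -> str:
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR.as_posix()}/{token}"  # plain HTTP, as the CA fetches it
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8").strip()

def challenge_reachable(webroot: Path, base_url: str) -> bool:
    """True only if the body served for the token equals what was written to the web root."""
    token, expected = place_challenge_file(webroot)
    try:
        return fetch_challenge(base_url, token) == expected
    except Exception:  # connection refused (port 80 closed), 404 (wrong Root Path), timeout ...
        return False
    finally:
        (webroot / CHALLENGE_DIR / token).unlink(missing_ok=True)

def serve_webroot(webroot: Path):
    """Stand-in for Xeams or IIS: serve webroot on an ephemeral loopback port (offline demo only)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(webroot))
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def run_self_check():
    # The served web root passes; a folder the server does not serve (wrong Root Path) fails.
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        srv, url = serve_webroot(Path(served))
        results = challenge_reachable(Path(served), url), challenge_reachable(Path(other), url)
        srv.shutdown()
        return results

if __name__ == "__main__":
    print(run_self_check())  # (True, False)
```

Against a real deployment, call `challenge_reachable(Path(r"C:\Inetpub\wwwroot"), "http://mail.my-domain.com")` from a machine outside the firewall, substituting your own Root Path and hostname.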
Use this option if port 80 is not available. In this case, you must add a TXT record to your DNS server. Since a certificate from Let's Encrypt is renewed every ninety days, you must repeatedly modify the entry in the DNS server. For this reason, we recommend using the HTTP option over DNS.
Certificates from Let's Encrypt are only valid for 90 days. Therefore, they must be renewed before expiration. Once the initial setup is complete, Xeams will automatically renew them without human intervention, provided you're using the HTTP challenge. It will also send an email to the administrator once it is renewed.
A restart is required to apply the new certificate. By default, Xeams will not restart itself. This is done by design to avoid email interruptions during business hours. Therefore, administrators will have to restart Xeams manually.
You can change the above behavior by adding the following line to the server.properties file:
auto.restart.after.renewing.cert=true
An SSL certificate is specific to a hostname, which is different from your email's domain name. For example, if you have multiple domain names like:
You can point the MX records for both domains to mail.my-domain.com. In such a case, you will only need one certificate, for mail.my-domain.com.
If you need more than one hostname, separating them with a pipe character will create a certificate with multiple Subject Alternative Names (SAN). For example, entering mail.example.com|smtp.my-company.com in the Hostname field will create a certificate valid for both names.