IRedMail Installation

June 8, 2026

First, set the hostname to a single short name, not the FQDN.

/etc/hostname
mail

Then update /etc/hosts with both the FQDN and the short name:

/etc/hosts
127.0.0.1       mail.clihost.com        mail    localhost

Make sure hostname -f returns the FQDN:

hostname -f

Get iRedMail:

wget https://github.com/iredmail/iRedMail/archive/refs/tags/1.5.1.tar.gz -O iredmail.tar.gz

Then uncompress:

tar zxf iredmail.tar.gz
pushd iRedMail-1.5.1    # the GitHub tag tarball extracts to iRedMail-<version>

Start the installation script:

bash iRedMail.sh

After completion you'll see output like:

********************************************************************
* URLs of installed web applications:
*
* - Roundcube webmail: https://mail.clihost.com/mail/
* - SOGo groupware: https://mail.clihost.com/SOGo/
* - netdata (monitor): https://mail.clihost.com/netdata/
*
* - Web admin panel (iRedAdmin): https://mail.clihost.com/iredadmin/
*
* You can login to above links with below credential:
*
* - Username: postmaster@clihost.com
* - Password: XXXXXXX
*
********************************************************************

Then reboot to test things. After reboot, get your DKIM key:

amavisd-new showkeys | sed ':a;N;$!ba;s/["\n \r]//g' | sed 's/.*(\(.*\))/\1/' | sed 's/;/; /'
# save this

Now we need a set of records with our DNS provider:

Type    Domain            Value
A       mail              IP address of the server
MX      @                 10 mail.TLD
CNAME   autoconfig        mail
TXT     @                 v=spf1 mx -all
TXT     dkim._domainkey   output of the amavisd-new command above
TXT     _dmarc            v=DMARC1; p=reject; sp=none; adkim=s; aspf=s; rua=mailto:dmarc@TLD; ruf=mailto:dmarc@TLD

Then you can test DKIM with the following:

amavisd-new testkeys
TESTING#1 clihost.com: dkim._domainkey.clihost.com => pass
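To check the record values before pasting them into your DNS provider, here is an added Python example (not from the original notes): it reproduces the sed pipeline above on a constructed sample of amavisd-new showkeys output and sanity-checks the resulting DKIM, SPF and DMARC values. The sample key is a placeholder, not a real key.

```python
import base64
import re

# Constructed sample of `amavisd-new showkeys` output (BIND-style multi-line
# TXT record); the public key is a placeholder, not a real key.
SHOWKEYS = """; key#1 2048 bits, i=dkim, d=clihost.com
dkim._domainkey.clihost.com.\t3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
  "MIIBCgKCAQEAexamplekeydata0123456789")
"""

def dkim_txt_from_showkeys(text):
    """Same steps as the sed chain: drop quotes, newlines, CRs and spaces,
    keep what sits inside the parentheses, restore a space after the first ';'."""
    flat = re.sub(r'["\n \r]', "", text)
    inner = re.sub(r".*\((.*)\)", r"\1", flat)
    return inner.replace(";", "; ", 1)

def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (the form DKIM and DMARC records use)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def check_records(dkim, spf, dmarc):
    """Return the problems found; an empty list means the values look sane."""
    problems = []
    d = parse_tags(dkim)
    if d.get("v") != "DKIM1":
        problems.append("DKIM: record must begin with v=DKIM1")
    try:
        if not base64.b64decode(d.get("p", ""), validate=True):
            raise ValueError("empty key")
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("DKIM: p= is missing or not valid base64 (stray quotes/spaces?)")
    if not spf.startswith("v=spf1 ") or not spf.endswith(" -all"):
        problems.append("SPF: expected 'v=spf1 ... -all' so other senders hard-fail")
    m = parse_tags(dmarc)
    if m.get("v") != "DMARC1" or m.get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC: needs v=DMARC1 and a valid p= policy")
    for tag in ("rua", "ruf"):
        if tag in m and not m[tag].startswith("mailto:"):
            problems.append("DMARC: %s= must be a mailto: URI" % tag)
    return problems
```

Call check_records(dkim_txt_from_showkeys(SHOWKEYS), "v=spf1 mx -all", "<your DMARC value>") and publish only when it returns an empty list.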

Next, record a reverse PTR record with your host:

PTR mail.TLD

Now you can register your email server with Google to help with Gmail delivery. See https://postmaster.google.com.

If you don't have a better SSL solution, install certbot:

apt purge snapd
apt install snapd
snap install core

snap install --classic certbot
certbot certonly --webroot -w /var/www/html -d clihost.com -d mail.clihost.com

Now link the letsencrypt certs and keys:

mv /etc/ssl/private/iRedMail.key{,.bak}
mv /etc/ssl/certs/iRedMail.crt{,.bak}
ln -s /etc/letsencrypt/live/clihost.com/privkey.pem /etc/ssl/private/iRedMail.key
ln -s /etc/letsencrypt/live/clihost.com/fullchain.pem /etc/ssl/certs/iRedMail.crt

Now you'll want to run a couple of tests. You can access the services at:

  • Mail admin: https://mail.TLD/iredadmin/
  • Mail login: https://mail.TLD/mail/
  • Groupware: https://mail.TLD/SOGo/

Mount Maildir on Separate Storage

Keeping mail data on a separate volume from the OS makes backups simpler and lets you resize storage independently. If you're on ZFS, create a dedicated dataset:

zfs create -o mountpoint=/var/vmail tank/MAIL

If you already have mail data, stop the mail services first and migrate:

systemctl stop postfix dovecot
rsync -aHAX /var/vmail/ /mnt/newvmail/

Then mount the new storage at /var/vmail. For a ZFS dataset the mountpoint is automatic. For a block device, format and add it to fstab:

mkfs.ext4 -L VMAIL /dev/sdb1
echo 'LABEL=VMAIL /var/vmail ext4 defaults 0 2' >> /etc/fstab
mount /var/vmail

Restore ownership and restart services:

chown -R vmail:vmail /var/vmail
systemctl start postfix dovecot

With Hetzner volumes, attach the volume in the Cloud Console, then partition and mount it using the steps above. ZFS snapshots on a dedicated dataset give you instant, consistent mail backups without touching the root filesystem.

Let's Encrypt Renewal via Hetzner DNS API

The certbot webroot method shown above works but requires port 80 to be open and a running web server. DNS-01 validation is more reliable for a mail server — it works even when HTTP is firewalled, and it supports wildcard certificates.

Install lego, an ACME client with built-in Hetzner DNS support:

apt install lego

Request a certificate using your Hetzner DNS API token:

HETZNER_API_TOKEN="your-dns-api-token" lego \
  --accept-tos \
  --email=postmaster@clihost.com \
  --dns=hetzner \
  --pem \
  --path=/etc/lego \
  --domains=mail.clihost.com \
  --domains=clihost.com \
  run

Generate your API token in the Hetzner DNS Console. The token only needs permission to manage DNS records for your zone.

Link the certificates to where iRedMail expects them:

mv /etc/ssl/private/iRedMail.key{,.bak}
mv /etc/ssl/certs/iRedMail.crt{,.bak}
ln -sf /etc/lego/certificates/mail.clihost.com.key /etc/ssl/private/iRedMail.key
ln -sf /etc/lego/certificates/mail.clihost.com.crt /etc/ssl/certs/iRedMail.crt

Create a renewal script at /usr/local/bin/mail-cert-renew.sh:

#!/bin/sh
set -e

# Token for the Hetzner DNS API; this file must not be world-readable.
export HETZNER_API_TOKEN="your-dns-api-token"

# Under set -e a failed renewal aborts the script here, so the service
# reloads below only run after lego has exited successfully.
lego \
  --accept-tos \
  --email=postmaster@clihost.com \
  --dns=hetzner \
  --pem \
  --path=/etc/lego \
  --domains=mail.clihost.com \
  --domains=clihost.com \
  renew --days=30

systemctl reload postfix 2>/dev/null || true
systemctl reload dovecot 2>/dev/null || true
systemctl reload apache2 2>/dev/null || true

Then make it executable and keep it private, since it contains the API token:

chmod 750 /usr/local/bin/mail-cert-renew.sh

Add a daily cron job:

echo '30 3 * * * root /usr/local/bin/mail-cert-renew.sh >> /var/log/mail-cert-renewal.log 2>&1' > /etc/cron.d/mail-cert-renew

The renewal script only requests a new certificate when the current one is within 30 days of expiry, so it's safe to run daily. After a successful renewal, it reloads Postfix, Dovecot, and Apache to pick up the new certificate.