Home‎ > ‎

Let's Encrypt SSL certificates for hMailserver

Let's Encrypt provides free SSL certificates, which can be used for hMailserver.  However, the certificates are valid only for 90 days, and there is a scripted validation process that can be challenging to set up.  Most scripts that are available are designed for validation using a webserver, and not mailservers.  The following enables SSL full certificate request and installation for hMailserver without a separate webserver, with renewals every 85 days.


  1. hMailserver needs to be installed on Windows 10, with a working WSL (Windows Subsystem for Linux).  If you need help to enable WSL, see the instructions for setting up Windows 10 Bash . In this page, we will be calling Windows 10 Bash, as Bash.
  2. You will need to migrate your DNS Nameserver to CloudFlare.  You can use an alternate service provider if it is supported as a dehydrated hook, but will need to modify the scripts provided on this page to make the other DNS provider work.
  3. The scripts here assume that hMailserver is installed in c:\Program Files (x86)\hMailServer if you have it installed in a different location, you will need to modify the batch file to use the correct path.


In Windows 10 bash, install the required packages:

sudo apt-get install openssl curl sed grep mktemp git build-essential
sudo apt-get install python-dev curl libffi-dev libssl-dev python-pip

Decide on your workspace folder and create it in Windows Explorer.  A folder without any spaces in its entire path is recommended (I have not tested names with spaces).  The folder needs to be accessible to non-admins, since currently there seems to be some issues with Windows 10 Bash access to restricted folders.  For example, lets consider something like  c:\Users\myUserName\Documents\Networking\hmailserver_letsencrypt (change myUserName to your username). We will call this your script folder on this page.

One-time initial setup

    Go to the script folder that you created, then:

    1. In Bash, get the dehydrated script and the related Cloudflare hook by running the following.  (If you are using a supported DNS service hook other than cloudflare, you will need to make changes for installing the hook and its dependencies):

    git clone https://github.com/lukas2511/dehydrated
    cd dehydrated
    mkdir hooks
    git clone https://github.com/kappataumu/letsencrypt-cloudflare-hook hooks/cloudflare
    sudo pip install -r hooks/cloudflare/requirements-python-2.txt
    cd ..

    2. In Bash, create an executable script named hmailCert.sh by following:

    a. In bash run:

    cat > ./hmailCert.sh

    b. Then paste the following (mouse right click if you have enabled Quick Edit).  NOTE:  You will need to modify 
    CF_EMAIL, CF_KEY, HMAILSERVER_DOMAIN to be the correct values for your Cloudflare account login email, Cloudflare API key, and MX domain name. The MX domain name is the domain name that you are getting SSL certs for, which is where your hMailserver is running and has for its SSL Certificate. ( (If you are using a supported DNS service hook other than cloudflare, you will need to make changes call the correct hook instead of cloudflare's):

    export CF_EMAIL='yourCloudflareEmail@somedomain.com'
    export CF_KEY='yourCloudflareAPIKey'
    export HMAILSERVER_DOMAIN='yourMXDomainNameLike_mail.mydomain.com'
    dehydrated -c -d $HMAILSERVER_DOMAIN -t dns-01 -k 'hooks/cloudflare/hook.py'
    cp dehydrated/certs/$HMAILSERVER_DOMAIN/privkey.pem $HMAILSERVER_DOMAIN.letsencrypt.key
    cp dehydrated/certs/$HMAILSERVER_DOMAIN/fullchain.pem $HMAILSERVER_DOMAIN.letsencrypt.crt

    at the end press CTRL+D to save the file

    c. Give it execute permissions by:

    chmod 777 ./hmailCert.sh

    3. In Windows, go to your scrupt folder and create a batch file named hmailCert.bat with the following content. NOTE: change the second line with the address of your script folder.

    set HMAILSERVER_DOMAIN='yourMXDomainNameLike_mail.mydomain.com'
    cd c:\Users\myUserName\Documents\Networking\hmailserver_letsencrypt
    bash -c "./hmailCert.sh"
    copy %HMAILSERVER_DOMAIN%.letsencrypt.key "c:\Program Files (x86)\hMailServer"
    copy %HMAILSERVER_DOMAIN%.letsencrypt.crt "c:\Program Files (x86)\hMailServer"
    net stop hMailServer
    net start hMailServer

    4. In Windows run everything for the first time to see if it works or if there are any issues, by opening a Command Prompt (CMD) as Administrator (right click on Command Prompt in the Windows 10 (start) menu and click Run as Administrator).  Go to your script folder

    cd c:\Users\myUserName\Documents\Networking\hmailserver_letsencrypt

    and run the batch file:


    If no errors, you should have a new .key and a .crt file in your hMailServer folder. 

    5. Install the server certificate for the domain that hMailServer manages by going in hMailServer Admin GUI:
    1. Add the server's certificate (.crt) and the server's private key (.key) in Settings>Advanced>SSL Certificates.
    2. Set SMTP/POP3/IMAP to use the above SSL Certificate
      • Settings>Advanced>TCP/IP Ports:
        • SMTP: set Connection security to STARTLS (Optional), and then pick the SSL Certificate.
        • POP3/IMAP: set Connection security to STARTLS (Required), and then pick the SSL Certificate
    6. Load the initial certificates by restarting hMailServer.  You can do this in CMD (Run as Administrator) by the following two commands:

    net stop hMailServer
    net start hMailServer

    Automate Certificate Renewals

    1. Go to Windows Task Scheduler, and create a new task, to run the hmailCert.bat with the following settings:
    • General Tab:
      • Run whether user is logged on or not  (At the end when you click OK, it will ask you to enter windows credentials. Make sure to use an Admin account)
      • Run with highest privileges
      • Configure for: Windows 10
    • Trigger
      • Daily at some time every 85 days, Enabled
    • Action
      • Start a program
      • Program/script (update with your script folder): c:\Users\myUserName\Documents\Networking\hmailserver_letsencrypt/hmailCert.bat
      • Start in: c:\Users\myUserName\Documents\Networking\hmailserver_letsencrypt
    • Conditions
      • Start the task only if the computer is idle for: 10 minutes
    • Settings
      • Allow task to be run on demand
      • Run task as soon as possible after a scheduled start is missed
      • Stop the task if it runs longer than 8 hours
      • If the running task does not end when requested, force it to stop.