From: Dennis
Date: 3/17/26 1:40 PM
Topic: mTLS Cert Automation
Type: General Discussions

Hi All,

There is integrated Let's Encrypt support for the WEB/SMTP TLS Certificate.

We are using an Exchange Connect with Certificates for mTLS auto, using Xeams as a relay server.

For the connector, the certificate needs to be publicly trusted.

Currently we are using a certificate with a 1 Year expiration, but as we move to 45 days, that becomes a high admin overhead.

Are there plans to integrate Let's Encrypt certificate rotation for the mTLS feature?

Or will there be an available API to update it from an orchestration platform?


From: Synametrics Support
Date: 3/17/26 1:57 PM
Topic: mTLS Cert Automation
Type: General Discussions

Dennis,

Xeams is already integrated with Let's Encrypt. The challenging part is using mTLS with the correct hostname. Typically, you send emails using your top-level domain. For example, if your domain is abc.com, most emails will have addresses like john@abc.com or jane@abc.com. However, the server running Xeams will likely not have this as its FQDN; it will be something like smtp.abc.com or mail.abc.com. Therefore, the generated certificates in Xeams will not be for the correct domain. 

If you already have a mechanism to renew these certificates on your main website using Let's Encrypt for your top-level domain (abc.com, for example), the easiest way is to write a script that periodically copies the *.pfx file in the $INSTALL_DIR/clientCerts folder on the machine running Xeams. As long as the PFX filename and its password match, Xeams will use the newer certificate without you explicitly importing it.


From: Anonymous
Date: 3/17/26 2:15 PM
Topic: mTLS Cert Automation
Type: General Discussions

"periodically copies the *.pfx file in the $INSTALL_DIR/clientCerts"

Understood, this is acceptable.

Does the service need to be restarted? 


From: Synametrics Support
Date: 3/17/26 2:29 PM
Topic: mTLS Cert Automation
Type: General Discussions

Yes. Since the memory content will not match the disk, you will have to restart Xeams.

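The procedure described in this thread (copy the renewed PFX into $INSTALL_DIR/clientCerts under the same filename and password, then restart Xeams), as an added example that is not part of any post above and is not Synametrics' code. The source path, the optional PFX_PASS variable and the restart command are assumptions; pass whatever command restarts Xeams on your host.

```shell
#!/bin/sh
# Added example: refresh the mTLS client certificate Xeams reads from
# $INSTALL_DIR/clientCerts, restarting only when the file changed.
# Assumptions (not from the thread): the source path, the optional exported
# PFX_PASS variable, and the restart command passed as the third argument.

# sync_pfx SRC_PFX CLIENT_CERTS_DIR RESTART_CMD
# Returns 0 = new file installed and restart run, 1 = unchanged, 2 = error.
sync_pfx() {
    src=$1; dest_dir=$2; restart_cmd=$3

    [ -s "$src" ] || { echo "missing or empty PFX: $src" >&2; return 2; }
    [ -d "$dest_dir" ] || { echo "no such folder: $dest_dir" >&2; return 2; }

    # Xeams picks the file up only if the filename is the one it already uses.
    dest="$dest_dir/$(basename "$src")"

    # Nothing new: skip the copy and, more importantly, the restart.
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        return 1
    fi

    # The password must match too. If PFX_PASS is exported, confirm the new
    # file opens with it before touching the live copy.
    if [ -n "${PFX_PASS:-}" ] && command -v openssl >/dev/null 2>&1; then
        openssl pkcs12 -in "$src" -noout -passin env:PFX_PASS >/dev/null 2>&1 ||
            { echo "PFX does not open with PFX_PASS: $src" >&2; return 2; }
    fi

    # Stage inside the target folder (mktemp creates it mode 0600), then
    # rename so a half-written PFX is never visible under the live name.
    # Run as the account Xeams runs under so it can still read the file.
    tmp=$(mktemp "$dest_dir/.pfx.XXXXXX") || return 2
    if ! cp "$src" "$tmp" || ! mv -f "$tmp" "$dest"; then
        rm -f "$tmp"; return 2
    fi

    # Xeams keeps the old certificate in memory until it is restarted.
    sh -c "$restart_cmd" || return 2
    return 0
}

# Usage: sync-xeams-pfx.sh /path/to/abc.com.pfx "$INSTALL_DIR/clientCerts" '<restart command>'
if [ "$#" -eq 3 ]; then
    sync_pfx "$@"
    exit $?
fi
```

Run it from a scheduler after each renewal job; because an unchanged file returns 1 without restarting, it is safe to run more often than the certificate actually rotates.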