Certbot Letsencrypt Certificate for HmailServer Windows svr 2019

Install hmailserver, don’t add your domain name.

install winacme

Run the following script or as commands in Powershell, maybe as admin. BE SURE to put your OWN DOMAIN name!!!!

Change the value of $NEWPASS  to your password that you set when you installed hamilserver.

$maildomain = "mail.float.i.ng"  ## ask question what domain ?

$mailaddress = "admin@$maildomain"

# for automated installations on EC2,  the password will be your instance ID
#$NEWPASS = (New-Object System.Net.WebClient).DownloadString("")


#Create Cert from Letsencrypt

#cd "C:\Program Files\win-acme"

cd "C:\Program Files\win-acme.v2.1.19.1142.x64"

.\wacs.exe --source manual --host $maildomain  --certificatestore My --installation iis --installationsiteid 1 --accepttos   --emailaddress $mailaddress --pemfilespath c:\certs  --verbose

$hm = New-Object -ComObject hMailServer.Application

## remember to actually create  this user so letsencrypt can email

$hm.Authenticate("Administrator","$NEWPASS")  | Out-Null

$hmAddDomain = $hm.Domains.Add()

$hmAddDomain.Name = "$maildomain"

$hmAddDomain.Active = $true


$Windows_SSLCert_Name = $maildomain

$SSLCert_KEY_Private = "c:\certs\$maildomain-key.pem"

$SSLCert_CRT_Public = "c:\certs\$maildomain-crt.pem"

$hm_SSLCert_New = $hm.Settings.SSLCertificates.Add()

$hm_SSLCert_New.Name = $Windows_SSLCert_Name

$hm_SSLCert_New.PrivateKeyFile = $SSLCert_KEY_Private

$hm_SSLCert_New.CertificateFile = $SSLCert_CRT_Public


# Add mailbox to domain

$maildomain = $hm.Domains.ItemByName($maildomain)

$hmAccount = $maildomain.Accounts.Add()

$hmAccount.Address = $mailaddress

$hmAccount.Password = "$NEWPASS"

$hmAccount.Active = $true

$hmAccount.MaxSize = 100


DISABLE windows firewall if it is enabled, you won’t have access. You can configure the Windows firewall to allow all 4 ports.

Now test whether you can receive and send emails, setup your favorite email client with user admin@YOURDOMAIN and the password is what is set in $NEWPASS in the above script (INSTANCE-ID)

Restart the hmail server

SInce y9uo already ran the above script open hmailserver admin


for smtp port 25 select starttls optional, otherwise you won’t be able to get email from servers without certs. For extra sensitive security like HIPA you will need to use required



Select your cert that the script created



Press save, then Select no until you have setup all 4 port with your cert.


For ports other than 25 select starttls required, 110, 143, 587


If your hmailserver is still not available, reboot your Windows Server


Run the hmailserver troubleshooter, put your domain in the right side.

In my case I had neglected to make an MX record, so nothing worked.

test ports from any Windows Powershell with the following, change Computername to your FQDN and port to whichever you want to test 443, 25, 110, 587 or 443 for secure WWW

Test-NetConnection -ComputerName localhost -Port 443

also from linux

dig yourfqdn MX


in addition to forgetting MX record, I apparently left out setting the ssl cert for default IIS website.


My issue in the end was having default website for 443 mis-set



than remove the old ones, change the port and host name

Remove-WebBinding -Name “Default Web Site” -IPAddress “*” -Port 80 -HostHeader “$maildomain”