diff --git a/README.md b/README.md
index d0fdb0e..42a147b 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@ echo FIRST_MAIL_DOMAIN=mydomain.com >> iredmail-docker.conf
 echo FIRST_MAIL_DOMAIN_ADMIN_PASSWORD=my-secret-password >> iredmail-docker.conf
 echo MLMMJADMIN_API_TOKEN=$(openssl rand -base64 32) >> iredmail-docker.conf
 echo ROUNDCUBE_DES_KEY=$(openssl rand -base64 24) >> iredmail-docker.conf
+echo LETSENCRYPT=true >> iredmail-docker.conf
 ```
 
 Create required directories to store application data:
@@ -60,6 +61,7 @@ docker run \
     -v /iredmail/data/clamav:/var/lib/clamav \
     -v /iredmail/data/sa_rules:/var/lib/spamassassin \
     -v /iredmail/data/postfix_queue:/var/spool/postfix \
+    -v /iredmail/data/ssl:/etc/letsencrypt \
     iredmail/mariadb:stable
 ```
 
diff --git a/entrypoints/cron.sh b/entrypoints/cron.sh
index ef20e74..5f6bc33 100644
--- a/entrypoints/cron.sh
+++ b/entrypoints/cron.sh
@@ -8,4 +8,8 @@
 . /docker/entrypoints/functions.sh
 
+echo "1 3 * * * certbot renew --webroot -w /var/www/html --post-hook 'ln -sf /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /opt/iredmail/ssl/key.pem; /usr/sbin/service postfix restart; /usr/sbin/service nginx restart; /usr/sbin/service dovecot restart'" > /etc/cron.d/letsencrypt
+
+chmod 0644 /etc/cron.d/letsencrypt
+
 
 set_cron_file_permission
diff --git a/entrypoints/dovecot.sh b/entrypoints/dovecot.sh
index 316a436..9bef1bc 100644
--- a/entrypoints/dovecot.sh
+++ b/entrypoints/dovecot.sh
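Review bot: The crontab line written to /etc/cron.d/letsencrypt has no user field; entries under /etc/cron.d take the form `minute hour dom mon dow user command`, so cron will read `certbot` as the user name and `renew …` as the command and the job will never run as intended. Change the start of the echoed line to `1 3 * * * root certbot renew …` (or whichever account the image's other cron.d files use). The renewal uses `--webroot -w /var/www/html` while dovecot.sh obtains the initial certificate with `--standalone`; renewal will only succeed if nginx actually serves /var/www/html/.well-known/acme-challenge on port 80, which nothing in this diff shows, so either make the two authenticators agree or document that prerequisite in a comment above the echo. The cron file is also written unconditionally, so a self-signed deployment gets a daily certbot job too; if LETSENCRYPT is visible in this entrypoint, wrapping the two new lines in the same `[[ "${LETSENCRYPT}" == "true" ]]` check would keep the two files consistent.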
@@ -39,25 +39,34 @@ for d in ${MAILBOXES_DIR} \
     [[ -d ${d} ]] || mkdir -p ${d}
 done
 
-# Create self-signed ssl cert.
-if [[ ! -f ${SSL_CERT_FILE} ]] || [[ ! -f ${SSL_KEY_FILE} ]]; then
-    LOG "Generating self-signed ssl cert under ${SSL_CERT_DIR}."
-    openssl req -x509 -nodes -sha256 -days 3650 \
-        -subj "/C=${SSL_CERT_COUNTRY}/ST=${SSL_CERT_STATE}/L=${SSL_CERT_CITY}/O=${SSL_CERT_DEPARTMENT}/CN=${HOSTNAME}/emailAddress=${POSTMASTER_EMAIL}" \
-        -newkey rsa:${SSL_KEY_LENGTH} \
-        -out ${SSL_CERT_FILE} \
-        -keyout ${SSL_KEY_FILE} >/dev/null
-
-    cp -f ${SSL_CERT_FILE} ${SSL_COMBINED_FILE}
+if [ "${LETSENCRYPT}"=true ]; then
+    if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/privkey.pem ]; then
+        certbot certonly --standalone --non-interactive --agree-tos -d ${HOSTNAME} -m ${POSTMASTER_EMAIL}
+    fi
+    ln -sf /etc/letsencrypt/live/${HOSTNAME}/cert.pem /opt/iredmail/ssl/cert.pem
+    ln -sf /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /opt/iredmail/ssl/key.pem
+    ln -sf /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /opt/iredmail/ssl/combined.pem
+
+else
+    # Create self-signed ssl cert.
+    if [[ ! -f ${SSL_CERT_FILE} ]] || [[ ! -f ${SSL_KEY_FILE} ]]; then
+        LOG "Generating self-signed ssl cert under ${SSL_CERT_DIR}."
+        openssl req -x509 -nodes -sha256 -days 3650 \
+            -subj "/C=${SSL_CERT_COUNTRY}/ST=${SSL_CERT_STATE}/L=${SSL_CERT_CITY}/O=${SSL_CERT_DEPARTMENT}/CN=${HOSTNAME}/emailAddress=${POSTMASTER_EMAIL}" \
+            -newkey rsa:${SSL_KEY_LENGTH} \
+            -out ${SSL_CERT_FILE} \
+            -keyout ${SSL_KEY_FILE} >/dev/null
+
+        cp -f ${SSL_CERT_FILE} ${SSL_COMBINED_FILE}
+    fi
+    chmod 0644 ${SSL_CERT_FILE} ${SSL_KEY_FILE} ${SSL_COMBINED_FILE}
 fi
-chmod 0644 ${SSL_CERT_FILE} ${SSL_KEY_FILE} ${SSL_COMBINED_FILE}
-
-# Create dh param.
-if [[ ! -f ${SSL_DHPARAM2048_FILE} ]]; then
-    LOG "Generating dh param file: ${SSL_DHPARAM2048_FILE}. It make take a long time."
-    openssl dhparam -out ${SSL_DHPARAM2048_FILE} 2048 >/dev/null
-fi
-chmod 0644 ${SSL_DHPARAM2048_FILE}
+    # Create dh param.
+    if [[ ! -f ${SSL_DHPARAM2048_FILE} ]]; then
+        LOG "Generating dh param file: ${SSL_DHPARAM2048_FILE}. It make take a long time."
+        openssl dhparam -out ${SSL_DHPARAM2048_FILE} 2048 >/dev/null
+    fi
+    chmod 0644 ${SSL_DHPARAM2048_FILE}
 
 # Make sure mailboxes directory has correct owner/group and permission.
 # Note: If there're many mailboxes, `chown/chmod -R` will take a long time.
diff --git a/run_all_in_one.sh b/run_all_in_one.sh
index d321014..00c3dbb 100755
--- a/run_all_in_one.sh
+++ b/run_all_in_one.sh
@@ -64,4 +64,5 @@ docker run \
     -v ${DATA_DIR}/imapsieve_copy:/var/vmail/imapsieve_copy \
     -v ${DATA_DIR}/sa_rules:/var/lib/spamassassin \
     -v ${DATA_DIR}/postfix_queue:/var/spool/postfix \
+    -v ${DATA_DIR}/ssl:/etc/letsencrypt \
     iredmail/mariadb:nightly
diff --git a/scripts/install_all_pkgs.sh b/scripts/install_all_pkgs.sh
index 405f77b..48d309b 100644
--- a/scripts/install_all_pkgs.sh
+++ b/scripts/install_all_pkgs.sh
@@ -10,7 +10,7 @@ export DEBIAN_FRONTEND='noninteractive'
 
 # Required binary packages.
-PKGS_BASE="apt-transport-https bzip2 cron ca-certificates curl dbus dirmngr gzip openssl python3-apt python3-setuptools rsyslog software-properties-common unzip python3-pymysql python3-psycopg2"
+PKGS_BASE="apt-transport-https bzip2 cron ca-certificates certbot curl dbus dirmngr gzip openssl python3-apt python3-setuptools rsyslog software-properties-common unzip python3-pymysql python3-psycopg2"
 PKGS_MYSQL="mariadb-server"
 PKGS_NGINX="nginx"
 PKGS_PHP_FPM="php-fpm php-cli"
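Review bot: In the entrypoints/dovecot.sh hunk, `if [ "${LETSENCRYPT}"=true ]; then` has no spaces around `=`, so `[` receives a single non-empty word and the test is always true: the Let's Encrypt branch runs in every deployment and the self-signed fallback in the `else` arm is unreachable. Write it as `if [[ "${LETSENCRYPT}" == "true" ]]; then`, matching the `[[` tests already used in this file. The exit status of `certbot certonly` is also not checked, so when it fails (for example because `--standalone` cannot bind the port it needs) the three `ln -sf` lines still create symlinks to files that do not exist under /etc/letsencrypt/live/ and postfix, nginx and dovecot start with dangling certificate paths; add `|| exit 1` to the certbot call, or fall through to the self-signed path when privkey.pem is still missing afterwards. The `# Create dh param.` block is indented as if it were inside the `else` arm but is placed after the closing `fi`, so it runs for both branches; that is the right behaviour, but the extra indentation should be removed so the structure reads correctly. `${HOSTNAME}` and `${POSTMASTER_EMAIL}` are unquoted in the new certbot and `ln` lines, so quoting them would keep word-splitting out of the certbot arguments.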