EMail SSL Certificate Installation

Questions regarding the Mail Server
Dovecot, Exim, RoundCube
mericson
Posts: 21
Joined: Thu Apr 06, 2017 12:37 am

EMail SSL Certificate Installation

Postby mericson » Wed May 10, 2017 8:31 pm

I don't see an option in the UI to configure the certificates for the email server. Sure would be nice if there was an option to automatically reuse the certificate created for the web server on the email server to support SSL.

phre4k
Posts: 6
Joined: Mon Feb 29, 2016 12:27 pm

Re: EMail SSL Certificate Installation

Postby phre4k » Sat May 20, 2017 10:03 am

Check if the following options exist in /etc/exim4/exim4.conf.template:

Code:

tls_advertise_hosts = *
tls_certificate = /usr/local/vesta/ssl/certificate.crt
tls_privatekey = /usr/local/vesta/ssl/certificate.key


You can do that like this:

Code:

grep "tls_" /etc/exim4/exim4.conf.template


Then go to /usr/local/vesta/ssl/ and symlink the pem and key files of your respective domain:

Code:

ln -s /home/admin/conf/web/ssl.example.com.pem /usr/local/vesta/ssl/certificate.crt
ln -s /home/admin/conf/web/ssl.example.com.key /usr/local/vesta/ssl/certificate.key


Then you have to give the user Debian-exim rights to access the certificates:

Code:

setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.pem
setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.key


Keep in mind that your file system needs to support Unix ACLs, and that the certificates are regenerated every few weeks if you're using letsencrypt – in the latter case you probably have to set the ACLs again. Otherwise you get the error "Unable to establish a secure link with Outgoing server (SMTP) example.com using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider." (this is for Thunderbird; other mail apps may show different errors).
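A check script for the steps above, written here as an added example and not taken from this thread or from Vesta: it verifies that the three tls_ options are set in the Exim template, that the key the symlink points at exists and is not world-readable, that the certificate and key actually belong together, and (when run as root) that the Exim account can read the key, which is the check worth repeating after a letsencrypt renewal. The paths and the Debian-exim user name are assumptions taken from the posts above; GNU stat and openssl are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the forum thread): sanity checks for the Exim TLS setup
# described above. Every path below is an assumption matching the thread;
# pass your own on the command line.
set -u

# Return 0 when all three TLS options Exim needs are present and not commented
# out in the given configuration file; otherwise print the missing names and return 1.
check_exim_tls_options() {
    conf="$1"
    missing=""
    for opt in tls_advertise_hosts tls_certificate tls_privatekey; do
        grep -Eq "^[[:space:]]*${opt}[[:space:]]*=" "$conf" || missing="$missing $opt"
    done
    [ -z "$missing" ] && return 0
    echo "missing in $conf:$missing"
    return 1
}

# Print the value of one option, e.g. "tls_privatekey = /path" -> "/path".
exim_option_value() {
    conf="$1"; opt="$2"
    grep -E "^[[:space:]]*${opt}[[:space:]]*=" "$conf" | head -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Return 0 when the key exists (a dangling symlink counts as missing, which is
# what Exim sees) and is not readable by "other". stat -L follows the symlink,
# so the mode of the real file behind /usr/local/vesta/ssl/certificate.key is checked.
check_key_permissions() {
    key="$1"
    [ -e "$key" ] || { echo "key missing or dangling symlink: $key"; return 1; }
    mode=$(stat -L -c '%a' "$key")
    case "$mode" in
        *[0-3]) return 0 ;;   # last octal digit 0-3: no read bit for "other"
        *) echo "key $key is world-readable (mode $mode)"; return 1 ;;
    esac
}

# Return 0 when the certificate's public key matches the private key (catches a
# certificate and key copied from different domains or renewal generations).
check_cert_key_pair() {
    cert="$1"; key="$2"
    [ -e "$cert" ] || { echo "certificate missing or dangling symlink: $cert"; return 1; }
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] && return 0
    echo "certificate $cert does not match key $key"
    return 1
}

# Real read test as the Exim account (needs root and an existing account);
# returns 2 when it cannot be performed so callers can report "skipped".
check_readable_as_user() {
    user="$1"; file="$2"
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user (skipped)"; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "not root, cannot switch to $user (skipped)"; return 2; }
    su -s /bin/sh "$user" -c "test -r '$file'"
}

# Usage: sh check_exim_tls.sh [config] [exim user]
# Runs only when invoked with at least one argument, so the functions can be
# sourced or tested without touching the live system.
if [ "$#" -gt 0 ]; then
    conf="$1"
    exim_user="${2:-Debian-exim}"
    status=0
    check_exim_tls_options "$conf" || status=1
    cert=$(exim_option_value "$conf" tls_certificate)
    key=$(exim_option_value "$conf" tls_privatekey)
    check_key_permissions "$key" || status=1
    check_cert_key_pair "$cert" "$key" || status=1
    check_readable_as_user "$exim_user" "$key" || [ $? -eq 2 ] || status=1
    [ $status -eq 0 ] && echo "OK: Exim TLS configuration looks consistent"
    exit $status
fi
```

Run it as root with `sh check_exim_tls.sh /etc/exim4/exim4.conf.template Debian-exim` after setting the symlinks and ACLs, and again after each certificate renewal; a non-zero exit with a "world-readable" or "not readable" message points at the permission step, while a "does not match" message means the .crt and .key in /usr/local/vesta/ssl come from different certificates.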

JakeTheDog420
Posts: 14
Joined: Sun Sep 24, 2017 6:00 am

Re: EMail SSL Certificate Installation

Postby JakeTheDog420 » Fri Sep 29, 2017 8:06 pm

Same problem now!

Had issue with my SSL certificate which meant it made accessing the control panel impossible!

Now I've managed to fix that but my mail provider is giving me this same error when I try to send a message out as a test! I do not get this error or any error I've noticed when reading/loading new emails.

How do I fix this and what is causing it?
I am using Debian but I don't have the setfacl commands? I think it's quite possibly a permission problem, although I would have thought that would make the entire certificate unreadable and thus not allow me to connect at all, not simply refuse to send emails?

I don't think it matters, but I'm using .key and .crt files. I haven't symlinked anything. I just copied the .crt and .key files from my /home/admin/conf/web directory to the vesta/ssl directory and named them certificate.crt and .key as required.

As far as I am aware .pem and .crt extension makes no difference?

Any help is massively appreciated!

sifur
Posts: 24
Joined: Mon Dec 28, 2015 10:43 pm

Re: EMail SSL Certificate Installation

Postby sifur » Sun Nov 05, 2017 5:38 pm

First, I want to thank you for clear instructions. Now my Vesta Admin and Exim SSL is working.
However, my SMTP port 465 is still not opened. I checked the Vesta default iptables rules and it's allowed there. Because of the port 465 issue I still can't send SSL-encrypted email using SMTP port 465.

Your help appreciated.

JakeTheDog420 wrote: Same problem now!

Had issue with my SSL certificate which meant it made accessing the control panel impossible!

Now I've managed to fix that but my mail provider is giving me this same error when I try to send a message out as a test! I do not get this error or any error I've noticed when reading/loading new emails.

How do I fix this and what is causing it?
I am using Debian but I don't have the setfacl commands? I think it's quite possibly a permission problem, although I would have thought that would make the entire certificate unreadable and thus not allow me to connect at all, not simply refuse to send emails?

I don't think it matters, but I'm using .key and .crt files. I haven't symlinked anything. I just copied the .crt and .key files from my /home/admin/conf/web directory to the vesta/ssl directory and named them certificate.crt and .key as required.

As far as I am aware .pem and .crt extension makes no difference?

Any help is massively appreciated!


Run this command and it should fix your permission issue.

Code:

chgrp mail /home/admin/conf/web/ssl.domain.com.pem
chmod 660 /home/admin/conf/web/ssl.domain.com.pem
chgrp mail /home/admin/conf/web/ssl.domain.com.key
chmod 660 /home/admin/conf/web/ssl.domain.com.key


Note: replace domain.com with your SSL-enabled domain name.

