EMail SSL Certificate Installation

Questions regarding the Mail Server
Dovecot, Exim, RoundCube
mericson
Posts: 19
Joined: Thu Apr 06, 2017 12:37 am

EMail SSL Certificate Installation

Postby mericson » Wed May 10, 2017 8:31 pm

I don't see an option in the UI to configure the certificates for the email server. Sure would be nice if there was an option to automatically reuse the certificate created for the web server on the email server to support SSL.

phre4k
Posts: 6
Joined: Mon Feb 29, 2016 12:27 pm

Re: EMail SSL Certificate Installation

Postby phre4k » Sat May 20, 2017 10:03 am

Check if the following options exist in /etc/exim4/exim4.conf.template:

Code: Select all

tls_advertise_hosts = *
tls_certificate = /usr/local/vesta/ssl/certificate.crt
tls_privatekey = /usr/local/vesta/ssl/certificate.key


You can do that like that:

Code: Select all

grep "tls_" /etc/exim4/exim4.conf.template


Then go to /usr/local/vesta/ssl/ and symlink the pem and key files of your respective domain:

Code: Select all

ln -s /home/admin/conf/web/ssl.example.com.pem /usr/local/vesta/ssl/certificate.crt
ln -s /home/admin/conf/web/ssl.example.com.key /usr/local/vesta/ssl/certificate.key


Then you have to give the user Debian-exim rights to access the certificates:

Code: Select all

setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.pem
setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.key


Keep in mind that your file system needs to support Unix ACLs and the certificates are regenerated every few weeks if you're using letsencrypt – you probably have to set the ACLs again in the latter case. Else you get the error "Unable to establish a secure link with Outgoing server (SMTP) example.com using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider." (this is for Thunderbird, other mail apps may have different errors).


Return to “Mail Server”



Who is online

Users browsing this forum: No registered users and 1 guest