EMail SSL Certificate Installation

Posted: Wed May 10, 2017 8:31 pm
by mericson
I don't see an option in the UI to configure the certificates for the email server. Sure would be nice if there was an option to automatically reuse the certificate created for the web server on the email server to support SSL.

Re: EMail SSL Certificate Installation

Posted: Sat May 20, 2017 10:03 am
by phre4k
Check if the following options exist in /etc/exim4/exim4.conf.template:

tls_advertise_hosts = *
tls_certificate = /usr/local/vesta/ssl/certificate.crt
tls_privatekey = /usr/local/vesta/ssl/certificate.key
You can do that like this:

grep "tls_" /etc/exim4/exim4.conf.template
Then go to /usr/local/vesta/ssl/ and symlink the pem and key files of your respective domain:

ln -s /home/admin/conf/web/ssl.example.com.pem /usr/local/vesta/ssl/certificate.crt
ln -s /home/admin/conf/web/ssl.example.com.key /usr/local/vesta/ssl/certificate.key
Then you have to give the user Debian-exim rights to access the certificates:

setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.pem
setfacl -m user:Debian-exim:r-- /home/admin/conf/web/ssl.example.com.key
Keep in mind that your file system needs to support Unix ACLs and the certificates are regenerated every few weeks if you're using letsencrypt – you probably have to set the ACLs again in the latter case. Else you get the error "Unable to establish a secure link with Outgoing server (SMTP) example.com using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider." (this is for Thunderbird, other mail apps may have different errors).
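As an added example (not code from the thread or from VestaCP), a small POSIX shell check of the setup phre4k describes: it reads the three tls_ options out of an Exim template, follows the symlinks, and confirms the certificate and key are regular files readable by the Exim user (pass a user name such as Debian-exim as the second argument; that path uses sudo). All function names are hypothetical and the fixture built by demo is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify that an Exim4 template names the
# three TLS options and that the cert/key paths it points to resolve (through
# any symlinks) to regular files readable by the Exim user. Fixture is constructed.

# Print the value of "<option> = <value>" from an Exim template, if any.
exim_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Readable by the named user when one is given (via sudo), else by us.
readable() {
    if [ -n "$2" ]; then sudo -n -u "$2" test -r "$1"; else test -r "$1"; fi
}

# Usage: check_exim_tls <template> [user]; returns 0 when all is well and
# prints each problem otherwise (missing option, dangling link, no access).
check_exim_tls() {
    rc=0
    for opt in tls_advertise_hosts tls_certificate tls_privatekey; do
        val=$(exim_option "$1" "$opt")
        [ -n "$val" ] || { echo "missing option: $opt"; rc=1; continue; }
        case $opt in tls_advertise_hosts) continue ;; esac
        if [ ! -f "$val" ]; then
            echo "$opt: $val is not a regular file (dangling symlink?)"; rc=1
        elif ! readable "$val" "$2"; then
            echo "$opt: $val is not readable by ${2:-$(id -un)}"; rc=1
        fi
    done
    return $rc
}

# Constructed fixture mirroring the thread's layout under a temp dir.
# With $1 = "broken" the key file is removed, leaving the symlink dangling,
# so the check reports it and returns non-zero.
demo() {
    root=$(mktemp -d); web=$root/home/admin/conf/web; ssl=$root/usr/local/vesta/ssl
    mkdir -p "$web" "$ssl"
    echo "-----BEGIN CERTIFICATE-----" > "$web/ssl.example.com.pem"
    echo "-----BEGIN PRIVATE KEY-----" > "$web/ssl.example.com.key"
    ln -s "$web/ssl.example.com.pem" "$ssl/certificate.crt"
    ln -s "$web/ssl.example.com.key" "$ssl/certificate.key"
    printf 'tls_advertise_hosts = *\ntls_certificate = %s\ntls_privatekey = %s\n' \
        "$ssl/certificate.crt" "$ssl/certificate.key" > "$root/exim4.conf.template"
    [ "$1" = "broken" ] && rm -f "$web/ssl.example.com.key"
    if check_exim_tls "$root/exim4.conf.template"; then rc=0; else rc=1; fi
    rm -rf "$root"
    return $rc
}
```

On a real host, run check_exim_tls /etc/exim4/exim4.conf.template Debian-exim after each certificate renewal to catch the lost-permission case before Thunderbird does.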

Re: EMail SSL Certificate Installation

Posted: Fri Sep 29, 2017 8:06 pm
by JakeTheDog420
Same problem now!

Had an issue with my SSL certificate which meant it made accessing the control panel impossible!

Now I've managed to fix that but my mail provider is giving me this same error when I try to send a message out as a test! I do not get this error or any error I've noticed when reading/loading new emails.

How do I fix this and what is causing it?
I am using Debian but I don't have the setfacl commands? I think it's quite possibly a permission problem, although I would have thought that would make the entire certificate unreadable and thus not allow me to connect at all, not simply refuse to send emails?

I don't think it matters, but I'm using .key and .crt files. I haven't symlinked anything. I just copied the .crt and .key files from my /home/admin/conf/web directory to the vesta/ssl directory and named them certificate.crt and .key as required.

As far as I am aware .pem and .crt extension makes no difference?

Any help is massively appreciated!

Re: EMail SSL Certificate Installation

Posted: Sun Nov 05, 2017 5:38 pm
by sifur
First, I want to thank you for the clear instructions. Now my Vesta Admin and Exim SSL are working.
However, my SMTP port 465 is still not opened. I checked the Vesta default iptables rules and it's allowed there. For the port 465 issue, I still can't send SSL encrypted email using SMTP port 465.

Your help appreciated.
JakeTheDog420 wrote:
Run these commands and they should fix your permission issue.

chgrp mail /home/admin/conf/web/ssl.domain.com.pem
chmod 660 /home/admin/conf/web/ssl.domain.com.pem
chgrp mail /home/admin/conf/web/ssl.domain.com.key
chmod 660 /home/admin/conf/web/ssl.domain.com.key
Note: replace domain.com with your SSL enabled domain name.

Re: EMail SSL Certificate Installation

Posted: Mon Jan 27, 2020 3:35 pm
by daniyal.javani
phre4k wrote:
Sat May 20, 2017 10:03 am
Thank you very much! It worked. service exim4 wasn't enough and my problem was fixed after a reboot; is there any alternative to a reboot?

Re: EMail SSL Certificate Installation

Posted: Wed Jun 03, 2020 7:37 pm
by valy
sifur wrote:
Sun Nov 05, 2017 5:38 pm
That solves my problem, but after a while ssl.domain.com.pem and ssl.domain.com.key again have permission 640.
Probably the certificate was renewed.
What could I do so that when the certificate is renewed it automatically receives permission 660?
I don't think it's a good idea to put it in a cronjob.