Vesta Control Panel - Forum

E-mail and SSL certificate

Questions regarding the Mail Server
Dovecot, Exim, RoundCube
calvin15
Posts: 1
Joined: Thu Sep 21, 2017 10:07 pm

E-mail and SSL certificate

Post by calvin15 » Thu Sep 21, 2017 10:10 pm

Hi there,

I currently have a server running with VestaCP. Everything is working smoothly except for my email. I did install the force HTTPS template and enabled Let's Encrypt on all my domains. My webmail seems to be working with HTTPS, but I also want to connect my mail clients with SSL. I can't seem to get a valid certificate going. Outlook can connect with the incoming server over SSL, but is unable to do so with the SMTP server. My phone, a Samsung Galaxy S7 edge, also gives an error about the certificate not being trusted, on both the incoming and outgoing server.

What certificate do I need to install? The one with the hostname of my Vesta installation? One with the domain? (But I'm running multiple domains, so 1 certificate for a specific domain doesn't work??) And where do I have to install these?

Hope someone can help me out.

Kind regards,
Calvin

joedix
Posts: 3
Joined: Thu Jan 25, 2018 11:39 am

Os: Debian 6x
Web: apache + nginx
Re: E-mail and SSL certificate

Post by joedix » Thu Jan 25, 2018 11:30 pm

Hi,
Have you found the answer for that? I've got the same issue.

Regards

sacredwebsite
Posts: 29
Joined: Sun Dec 13, 2015 6:18 pm

Re: E-mail and SSL certificate

Post by sacredwebsite » Sun Feb 11, 2018 5:34 am

My reply on this to another post; may be relevant to you:
Vesta currently does not pass the web domain SSL cert to the email level; this means that only your server hostname can be used without showing the certificate warning. I am not sure if this is quite possible, as I have not yet studied myself how this can be implemented; I just know it's expected right now. So if you use the domain to connect to, you have to either not use encryption, ignore the cert warning, or use the server name as the domain name.

However, in order for the server name to not trigger a warning, the cert itself there must be valid (not be self-signed), and also the proper configuration must be made for the mail server to use it.

The best way to configure your server correctly to use the hostname and not get an error is by executing the following command on your server as root:
v-update-host-certificate [USER] [HOSTNAME]

USER is the user that has the web domain that you are pulling the cert from (most often admin, as the server hostname is added to it by default), and HOSTNAME is your server hostname as listed in the web section; it is best that it matches your server hostname in the server configuration, or you will have a cert error.

If the hostname cert is being generated by Let's Encrypt, you can probably add this command to your admin user CRON so that you do not have to remember to run it when the cert expires every 3 months.
sudo /usr/local/vesta/bin/v-update-host-certificate [USER] [HOSTNAME]
It's up to you to decide how often it runs; I would set it to run once a month.

Remember to replace [USER] [HOSTNAME] with your user and hostname (without the brackets []).

This was added recently, as of this pull request, you can read more details here:
https://github.com/serghey-rodin/vesta/pull/1317

This is the script if you want to look at it:
https://github.com/serghey-rodin/vesta/ ... ertificate

StopSpazzing
Posts: 9
Joined: Sun Nov 12, 2017 6:18 am

Re: E-mail and SSL certificate

Post by StopSpazzing » Sat Apr 07, 2018 8:42 pm

So what you are saying is... VestaCP doesn't support SSL email security, let alone for multiple domains. So if anyone else finds this answer, use another control panel. This one lacks basic email server encryption features, aka standard business practice.

Felix
Posts: 134
Joined: Tue Aug 04, 2015 7:15 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: E-mail and SSL certificate

Post by Felix » Tue May 08, 2018 12:34 pm

Probably the easiest thing you can do is configure exim + dovecot to use the SSL certificate of the server's FQDN (e.g. server.example.com). You need to add Let's Encrypt SSL for your server FQDN (in your admin account) and then use the generated certificates in the exim + dovecot configuration. When clients connect to POP3/IMAP/SMTP they need to use the FQDN of the server. Different certificates for domains other than the server's FQDN aren't implemented yet.

Add SSL Support for the server's FQDN (provided that the domain is under the admin account)

Code:

v-add-letsencrypt-domain admin $(hostname -f)

Configure dovecot, exim and vesta nginx to use the FQDN certificate (full chain certificate)

Code:

sed -ri 's:certificate.crt:certificate.pem:' /etc/dovecot/conf.d/10-ssl.conf
sed -ri 's:certificate.crt:certificate.pem:' /etc/exim4/exim4.conf.template
sed -ri 's:certificate.crt:certificate.pem:' /usr/local/vesta/nginx/conf/nginx.conf

Keep the certificates up to date
I've written a shell script to keep the certificates up to date and to copy them to the right directories. You can find it on GitHub:
https://github.com/ifaist0s/vesta-server-ssl-cert

DISCLAIMER
This post is meant as a guidance only! You should examine the procedures and scripts yourself.
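
Added example, not part of any post in this thread and not Vesta's own code: an offline check of a PEM certificate against the conditions the replies above describe (not self-signed, issued for the hostname clients connect to, not close to expiry) before exim and dovecot are pointed at it. The function names, the hostname server.example.com and the throwaway certificate are constructed for the example; it assumes the `openssl` command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example (not Vesta code); function names are assumptions of this example.
# A certificate actually served by a mail port can be saved for checking with:
#   openssl s_client -connect HOST:993 -servername HOST </dev/null | openssl x509 -out live.pem

# True when subject and issuer are the same name, as in a self-signed certificate.
is_self_signed() {
    local cert="$1" subj iss
    subj=$(openssl x509 -in "$cert" -noout -subject_hash) || return 2
    iss=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 2
    [ "$subj" = "$iss" ]
}

# True when the certificate is valid for the hostname (SAN, or CN when no SAN exists).
covers_host() {
    local cert="$1" host="$2"
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match certificate'
}

# True when the certificate is still valid N days from now (default 30).
valid_for_days() {
    local cert="$1" days="${2:-30}"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null
}

# Runs all three checks, prints one line per problem, returns non-zero on any problem.
audit_mail_cert() {
    local cert="$1" host="$2" status=0
    if is_self_signed "$cert"; then echo "FAIL: self-signed, mail clients will warn"; status=1; fi
    if ! covers_host "$cert" "$host"; then echo "FAIL: not issued for $host"; status=1; fi
    if ! valid_for_days "$cert" 30; then echo "WARN: expires within 30 days"; status=1; fi
    [ "$status" -eq 0 ] && echo "OK: $cert is usable for $host"
    return "$status"
}

# Constructed sample input: a throwaway self-signed certificate valid for 10 days.
make_sample_cert() {
    local dir="$1" host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=$host" \
        -keyout "$dir/sample.key" -out "$dir/sample.pem" 2>/dev/null
}

# Demo on the constructed certificate; it is expected to be reported as unusable.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" server.example.com
audit_mail_cert "$demo_dir/sample.pem" server.example.com || true
rm -rf "$demo_dir"
```
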

