We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
How-To Exim+Dovecot+Vesta with SSL/TLS Let'sEncrypt
First: Sorry for my english, I'm BR.
Hello guys,
today I almost broke my head over this problem: the Exim mail server has a big problem related to SSL/TLS certificates.
When you try to send mail to anyone else you can't, because you get a CERTIFICATE error and then almost all mail servers block you.
So I have a SOLUTION, let's go.
First Step:
[*] You need to ADD a WEB ALIAS with the name: mail.your-domain.tld
Then make sure you have * SSL Support and * Lets Encrypt Support CHECKED.
Then SAVE.
Go back, click again on your-domain.tld and check that this appears under ALIASES: mail.your-domain.tld
Second Step:
[*] You need to create a SYMLINK to your domain's CERTIFICATE in the /usr/local/vesta/ssl directory. (You can use a different directory if you want.)
I put all my certificates in one directory to make it simpler.
To create the SYMLINKS use these commands:
ln -s /home/USER/conf/web/ssl.your-domain.tld.pem /usr/local/vesta/ssl/mail.your-domain.tld.pem
ln -s /home/USER/conf/web/ssl.your-domain.tld.key /usr/local/vesta/ssl/mail.your-domain.tld.key
Then set the MAIL permission for EXIM; it depends on your LINUX OS. In my case it is CentOS, so I have a mail user.
Use these commands:
chown root:mail /usr/local/vesta/ssl/mail.your-domain.tld.pem
chown root:mail /usr/local/vesta/ssl/mail.your-domain.tld.key
Now go to your exim.conf, probably located at /etc/exim/exim.conf, search for tls_privatekey, then comment out:
# tls_privatekey
# tls_certificate
and add:
tls_privatekey = ${if exists{/usr/local/vesta/ssl/${tls_sni}.key}{/usr/local/vesta/ssl/${tls_sni}.key}{/usr/local/vesta/ssl/your-default-vesta-certificate.key}}
tls_certificate = ${if exists{/usr/local/vesta/ssl/${tls_sni}.pem}{/usr/local/vesta/ssl/${tls_sni}.pem}{/usr/local/vesta/ssl/your-default-vesta-certificate.pem}}
Exim part DONE, let's go to DOVECOT:
First Step:
Find your DOVECOT directory, probably /etc/dovecot, then go to conf.d and edit the 10-ssl.conf file.
Then add this config:
local_name mail.your-domain.tld {
ssl_cert = </usr/local/vesta/ssl/mail.your-domain.tld.pem
ssl_key = </usr/local/vesta/ssl/mail.your-domain.tld.key
}
Each domain you have needs its own local_name block like this.
Make sure you have this default BEFORE it in your 10-ssl.conf:
ssl = yes
ssl_cert = </usr/local/vesta/ssl/your-default-vesta-certificate.pem
ssl_key = </usr/local/vesta/ssl/your-default-vesta-certificate.key
The Final Step:
Make sure you restart the EXIM + DOVECOT services, then test it:
openssl s_client -showcerts -connect localhost:993 -servername mail.your-domain.tld   # IMAPS; -servername sends the SNI name so the per-domain certificate is returned
openssl s_client -showcerts -starttls smtp -connect localhost:587 -servername mail.your-domain.tld   # submission port needs STARTTLS
(depends on your ports and server name, I used localhost)
Then you can see your Let's Encrypt certificate in action.
For more tests go to: https://www.checktls.com/perl/live/TestReceiver.pl
And: https://www.mail-tester.com <<< to send a test message.
Look at my mail-server SCORE:
That's it.
If you have any problem, tell me.
Hope this helps a lot of people :)
Sincerely, Daniel.
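Added example, not from Daniel's post or from Vesta itself: a POSIX shell script that performs the Second Step (the symlinks and ownership) and emits the Dovecot local_name block for every domain in a list, so the same procedure covers several domains on one server. Each domain gets its own mail.<domain> link pair and its own local_name block, and the Exim ${tls_sni} expansion from the post then picks the matching file per connection. The paths follow the post (/home/USER/conf/web and /usr/local/vesta/ssl); the list file format ("user domain" per line), the function names and the VESTA_HOME, HOME_ROOT and MAIL_GROUP variables are assumptions made for this example.

```shell
#!/bin/sh
# Example script (not part of the forum post): link each Vesta web certificate to
# the per-hostname files that Exim's ${tls_sni} lookup and Dovecot's local_name
# blocks expect, and print the Dovecot snippet for all listed domains.
# Assumed layout: VESTA_HOME is the Vesta root, user homes live under HOME_ROOT,
# and the mail daemons run in group MAIL_GROUP (override via the environment).
set -e

VESTA_HOME="${VESTA_HOME:-/usr/local/vesta}"
HOME_ROOT="${HOME_ROOT:-/home}"
MAIL_GROUP="${MAIL_GROUP:-mail}"

# link_mail_cert USER DOMAIN
# Creates $VESTA_HOME/ssl/mail.DOMAIN.{pem,key} symlinks pointing at the files
# Vesta writes for the web domain. Returns 1 (and links nothing) when the source
# files are missing, i.e. SSL / Let's Encrypt is not enabled for that domain yet:
# a dangling link would make Dovecot refuse to start.
link_mail_cert() {
    user=$1; domain=$2
    src_dir="$HOME_ROOT/$user/conf/web"
    dst_dir="$VESTA_HOME/ssl"
    for ext in pem key; do
        [ -f "$src_dir/ssl.$domain.$ext" ] || {
            echo "skip $domain: $src_dir/ssl.$domain.$ext not found" >&2
            return 1
        }
    done
    for ext in pem key; do
        # -f makes re-runs idempotent; Vesta renews the target files in place,
        # so the links stay valid across certificate renewals.
        ln -sf "$src_dir/ssl.$domain.$ext" "$dst_dir/mail.$domain.$ext"
        # chown follows the symlink, so the real key becomes group-readable by
        # the mail daemons. Only root can do this; skip it on unprivileged dry runs.
        if [ "$(id -u)" -eq 0 ]; then
            chown "root:$MAIL_GROUP" "$dst_dir/mail.$domain.$ext"
        fi
    done
}

# dovecot_local_name DOMAIN
# Prints the 10-ssl.conf block that serves mail.DOMAIN's certificate when the
# client sends that name via SNI (one block per domain, as the post describes).
dovecot_local_name() {
    domain=$1
    printf 'local_name mail.%s {\n  ssl_cert = <%s/ssl/mail.%s.pem\n  ssl_key = <%s/ssl/mail.%s.key\n}\n' \
        "$domain" "$VESTA_HOME" "$domain" "$VESTA_HOME" "$domain"
}

# generate_all LIST_FILE
# LIST_FILE holds one "user domain" pair per line. Links every domain that has a
# certificate and prints the combined Dovecot snippet to stdout; domains without
# a certificate are reported on stderr and left out of the snippet.
generate_all() {
    list=$1
    mkdir -p "$VESTA_HOME/ssl"
    while read -r user domain; do
        [ -z "$domain" ] && continue
        if link_mail_cert "$user" "$domain"; then
            dovecot_local_name "$domain"
        fi
    done < "$list"
}

# Usage: ./vesta-mail-certs.sh domains.txt >> /etc/dovecot/conf.d/10-ssl.conf
[ $# -eq 0 ] || generate_all "$1"
```

Run it as root, append the printed blocks after the default ssl_cert / ssl_key lines in 10-ssl.conf, then restart Exim and Dovecot as the post says. Skipping domains whose certificate does not exist yet matters because Dovecot fails to start when an ssl_cert or ssl_key path cannot be opened; the script never writes a link it cannot resolve.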
Re: How-To Exim+Dovecot+Vesta with SSL/TLS Let'sEncrypt
My friend, I have the same problem.
Does this solution work with multiple domains? Because I was reading it and now I have doubts whether it will only work for one domain or will also work for other domains hosted together.
Example:
I have domainA.com, domainB.com, domainC.com
If I create mail.domainA.com with the SSL and change everything, I will set everything to use only this SSL, correct?
My doubt is whether the other domains will work using the SSL from the first.
Thank you!
Re: How-To Exim+Dovecot+Vesta with SSL/TLS Let'sEncrypt
I think this is a good solution. For me, one important thing that VestaCP should have is an option to automatically certify the mail.{domain}.tld of each domain on the server.
Re: How-To Exim+Dovecot+Vesta with SSL/TLS Let'sEncrypt
Hello danielz
I'm BR too :)
I have a problem, after adding this (with my settings):
> First Step:
> Find your DOVECOT directory, probably /etc/dovecot, then go to conf.d and edit the 10-ssl.conf file.
> Then add this config:
> local_name mail.your-domain.tld {
> ssl_cert = </usr/local/vesta/ssl/mail.your-domain.tld.pem
> ssl_key = </usr/local/vesta/ssl/mail.your-domain.tld.key
> }
Dovecot turns gray and will not start until I remove it.
Would you help me?
Support team (Posts: 1047, Joined: Fri Mar 21, 2014 7:49 am, Os: CentOS 6x, Web: apache + nginx)
Re: How-To Exim+Dovecot+Vesta with SSL/TLS Let'sEncrypt
In my case I use this:
Code:
ssl = yes
ssl_cert = </usr/local/vesta/ssl/mail.your-domain.tld.pem
ssl_key = </usr/local/vesta/ssl/mail.your-domain.tld.key
Re: How-To Exim+Dovecot+Vesta with SSL/TLS Let'sEncrypt
Is this something that will be supported by VestaCP natively? It makes sense to support it somehow.