How-To: Exim + Dovecot + Vesta with SSL/TLS (Let's Encrypt)
Posted: Wed Jun 20, 2018 7:55 pm
First: sorry for my English, I'm Brazilian.
Hello guys,
today I almost broke my head over this problem: the Exim mail server had a big problem with SSL/TLS certificates.
When you try to send mail to anyone else you can't, because you get a CERTIFICATE error and then almost all mail servers block you.
So I have a SOLUTION, let's go.
First Step:
[*] Add a WEB ALIAS named mail.your-domain.tld to your domain in Vesta.
Make sure * SSL Support and * Lets Encrypt Support are both MARKED, then SAVE. Vesta puts the aliases into the Let's Encrypt request, so this is what gets mail.your-domain.tld onto the certificate; the name must already resolve to this server in DNS, because Let's Encrypt validates it over HTTP.
Go back, click your-domain.tld again and check that mail.your-domain.tld now appears under ALIASES.
Second Step
[*] Create SYMLINKS to your domain's CERTIFICATE and KEY in the /usr/local/vesta/ssl directory (you can use a different directory if you want; I put all my certificates in one directory to make it simpler). Links, not copies: Vesta writes each Let's Encrypt renewal into /home/USER/conf/web/, and the links follow it.
To create the SYMLINKS use these commands:
ln -s /home/USER/conf/web/ssl.your-domain.tld.pem /usr/local/vesta/ssl/mail.your-domain.tld.pem
ln -s /home/USER/conf/web/ssl.your-domain.tld.key /usr/local/vesta/ssl/mail.your-domain.tld.key
Then give the MAIL (or EXIM) user read access to them. Which user that is depends on your Linux distribution; in my case (CentOS) it is the mail user. Check with exim -bP exim_user exim_group and use that group. Exim opens the key as that user, not as root, so it needs the access; Dovecot opens the key as root and does not. Note that chown follows symlinks, so these commands change the owner of the real files under /home/USER/conf/web/, which is what you want.
Use these commands:
chown root:mail /usr/local/vesta/ssl/mail.your-domain.tld.pem
chown root:mail /usr/local/vesta/ssl/mail.your-domain.tld.key
Keep the .key at mode 640 (never world-readable); the .pem is public. Vesta rewrites both files on each renewal, so check the ownership again after the first renewal.
Now open your exim.conf, probably located at /etc/exim/exim.conf, and search for tls_privatekey. Comment out the existing lines:
# tls_privatekey
# tls_certificate
and add:
tls_privatekey = ${if and{{match{${tls_sni}}{\N^[A-Za-z0-9.-]+$\N}}{exists{/usr/local/vesta/ssl/${tls_sni}.key}}}{/usr/local/vesta/ssl/${tls_sni}.key}{/usr/local/vesta/ssl/your-default-vesta-certificate.key}}
tls_certificate = ${if and{{match{${tls_sni}}{\N^[A-Za-z0-9.-]+$\N}}{exists{/usr/local/vesta/ssl/${tls_sni}.pem}}}{/usr/local/vesta/ssl/${tls_sni}.pem}{/usr/local/vesta/ssl/your-default-vesta-certificate.pem}}
Because tls_certificate references ${tls_sni}, Exim re-expands it with the Server Name Indication the client sent, so a client asking for mail.your-domain.tld gets that domain's certificate and everyone else gets the default Vesta certificate. ${tls_sni} is supplied by the client, which is why the match condition only accepts hostname characters before the value is used to build a file name; the exists condition alone would let any existing file path be named. This needs Exim 4.80 or newer (exim -bV prints the version and also reports syntax errors in the configuration, so run it before restarting; recent versions spell the variable $tls_in_sni, with $tls_sni kept as an alias).
Exim part DONE, let's go to DOVECOT:
First Step:
Find your DOVECOT directory, probably /etc/dovecot, then go to conf.d and edit the 10-ssl.conf file.
Make sure you have the default certificate set first in 10-ssl.conf (Dovecot serves it when the client sends no server name, or a name that has no local_name block):
ssl = yes
ssl_cert = </usr/local/vesta/ssl/your-default-vesta-certificate.pem
ssl_key = </usr/local/vesta/ssl/your-default-vesta-certificate.key
(use ssl = required instead of ssl = yes if you want to refuse plaintext logins.)
Then add this config after it:
local_name mail.your-domain.tld {
ssl_cert = </usr/local/vesta/ssl/mail.your-domain.tld.pem
ssl_key = </usr/local/vesta/ssl/mail.your-domain.tld.key
}
You need one LOCAL_NAME block like this for each domain you host. Check the result with doveconf -n before restarting. Dovecot loads the certificates when it starts or reloads, so after every Let's Encrypt renewal run doveadm reload (put it in the renewal cron job); Exim reads the files when each incoming connection starts TLS, so it picks renewals up by itself.
The Final Step:
Restart the EXIM + DOVECOT services, then test. Send the server name when you test: without -servername both Exim and Dovecot answer with the default certificate and the per-domain lookup is never exercised. Ports 25 and 587 need STARTTLS, while 465, 993 and 995 are TLS from the first byte:
openssl s_client -showcerts -connect localhost:993 -servername mail.your-domain.tld
openssl s_client -showcerts -connect localhost:587 -starttls smtp -servername mail.your-domain.tld
(adjust host and ports to your setup; I used localhost.) Then you can see your Let's Encrypt certificate in action: the subject should be mail.your-domain.tld and the issuer Let's Encrypt, and "Verify return code: 0 (ok)" confirms the intermediate chain is being sent. If you get "unable to get local issuer certificate" instead, either point s_client at your system CA bundle with -CAfile or the .pem is missing the chain, and remote MTAs will see the same error.
For more tests go to: https://www.checktls.com/perl/live/TestReceiver.pl
And: https://www.mail-tester.com <<< to send a test message and get a score.
Look at my mail-server SCORE:
This is it.
If you have any problem tell me.
Hope this helps a lot of people :)
Sincerely, Daniel.