SSL-certificates for mail domains

From ISPWiki

Managing SSL-certificates for mail domains

You can use an SSL-certificate for every domain.

When you create or edit a domain, select the "Secure connection (SSL)" check box.

You will see a list of available SSL-certificates. If none are found, you can generate a self-signed certificate.

 Note: certificates can be used for domains only when Exim and Dovecot are configured.

Setup and configuration

 Attention! Default activation of SSL-certificates on mail domains is enabled only for new installations. 
 If you update an already installed control panel, you will need to set it up manually. 
  • Navigate to the /usr/local/mgr5/etc/ispmgr.conf.d directory, and edit two files:

exim.conf. Add the following line at the end of the configuration file:

 path exim-certdir /path_to_exim/ssl

dovecot.conf. Add the following line at the end of the configuration file:

 path dovecot-certconf /path_to_dovecot/certs
  • Edit the Dovecot configuration file

/path_to_dovecot/conf.d/10-ssl.conf. Add the following information:

 ssl = yes
 ssl_cert = </etc/exim/ssl/exim.crt
 ssl_key = </etc/exim/ssl/exim.key
 !include_try /path_to_dovecot/certs/*.conf
  • Edit the Exim configuration file:

/path_to_exim/exim.conf. Edit the SSL settings:

 log_selector =  \
       +all_parents \
       +lost_incoming_connection \
       +received_sender \
       +received_recipients \
       +tls_cipher +tls_peerdn +tls_sni \
       +smtp_confirmation \
       +smtp_syntax_error \
       +smtp_protocol_error
 
 # TLS/SSL
 tls_advertise_hosts = *
 tls_certificate = ${if exists{/etc/exim/ssl/${tls_sni}.crt}{/etc/exim/ssl/${tls_sni}.crt}{/etc/exim/ssl/exim.crt}}
 tls_privatekey = ${if exists{/etc/exim/ssl/${tls_sni}.key}{/etc/exim/ssl/${tls_sni}.key}{/etc/exim/ssl/exim.key}}
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465

Location of certificates

By default all user certificates are located in /var/www/httpd-cert/user_name.

After domain registration or creation, certificates will be activated as follows:

Exim - copies of the certificate and key are created in the /path_to_exim/ssl directory, named domain_name.crt and domain_name.key.

Dovecot - symlinks to the certificate and key are created in the /etc/email/certs directory, named domain_name.crt and domain_name.key respectively.

The domain_name.conf configuration files are created in the /path_to_dovecot/certs directory with the following strings:

 local_name domain_name {
       ssl_cert = </etc/email/certs/domain_name.crt
       ssl_key = </etc/email/certs/domain_name.key
 }
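
The Exim settings above select the certificate and the key with two separate `${if exists...}` tests, so a domain whose copy is missing falls back to the top-level files without any error, and a domain with only one of the two files ends up with a mismatched pair. The following Python check is an added example, not part of ISPmanager or the original page; it walks the layout described in this section, and the function name `audit_mail_certs` and its `top_level` parameter are assumptions.

```python
import re
from pathlib import Path

# Layout of the per-domain Dovecot files shown on this page.
BLOCK = re.compile(r"local_name\s+(\S+)\s*\{(.*?)\}", re.S)
SETTING = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*<(\S+)", re.M)


def audit_mail_certs(exim_ssl_dir, dovecot_conf_dir, top_level="exim"):
    """Return sorted (domain, problem) pairs; an empty list means consistent."""
    exim_dir = Path(exim_ssl_dir)
    problems, seen = [], set()

    for conf in sorted(Path(dovecot_conf_dir).glob("*.conf")):
        for domain, body in BLOCK.findall(conf.read_text()):
            seen.add(domain)
            settings = dict(SETTING.findall(body))
            for name in ("ssl_cert", "ssl_key"):
                target = settings.get(name)
                if target is None:
                    problems.append((domain, f"dovecot: {name} not set"))
                elif not Path(target).is_file():  # also catches dangling symlinks
                    problems.append((domain, f"dovecot: {name} target missing"))
            # Exim resolves certificate and key independently, so one missing
            # file silently pairs a domain file with the top-level one.
            have = [(exim_dir / f"{domain}.{ext}").is_file() for ext in ("crt", "key")]
            if not any(have):
                problems.append((domain, "exim: falls back to top-level certificate"))
            elif not all(have):
                problems.append((domain, "exim: certificate/key pair incomplete"))

    # Exim copies that no Dovecot block refers to (e.g. left after a domain was removed).
    for crt in exim_dir.glob("*.crt"):
        if crt.stem != top_level and crt.stem not in seen:
            problems.append((crt.stem, "dovecot: no local_name block"))
    return sorted(problems)


if __name__ == "__main__":
    import sys
    # Arguments: the Exim ssl directory, then the Dovecot certs directory.
    for domain, problem in audit_mail_certs(sys.argv[1], sys.argv[2]):
        print(f"{domain}: {problem}")
```

Run it with the two directories configured in exim.conf and dovecot.conf under /usr/local/mgr5/etc/ispmgr.conf.d as arguments; it only reads files and changes nothing.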

Editing top-level certificate

During preliminary setup of Exim and Dovecot, a single, "top-level" certificate is activated. The server administrator can edit it.

ISPmanager Lite

Navigate to Domains -> Mail domains and click the SSL-certificate button.

The form that opens displays the SSL certificate, its key and chain. You can edit this data and save the result.

ISPmanager Business

Navigate to Cluster settings -> Cluster nodes. The SSL-certificate button becomes active after you assign a mail role to that cluster node. Then you can perform the same operations as in ISPmanager Lite.