Ispmanager 6 lite, pro, host documentation

SSL certificates for mail

There are two levels of configuring mail to work over a secure SSL connection in ispmanager:

  • configuring an upper-level certificate for the entire Exim mail server;
  • configuring a separate certificate for each mail domain.

Attaching certificates to individual domains is supported only for Exim and Dovecot.

Why a mail server needs a certificate

An upper-level certificate (the main certificate of the mail server) is used when establishing a secure SMTP connection. When an email is received, the receiving server uses the certificate of the server from which the email was sent and generates a session key. That key encrypts the data transmitted between the servers, so it can be decrypted only by the participants of the connection.

Technically, mail will work with any upper-level certificate, but the mail domain and the IP address must match so that mail is not blocked by the anti-spam policies of receiving mail servers.

Default certificate for mail server

In ispmanager, the mail server certificate is configured when the panel is installed. By default, a self-signed SSL certificate is generated with the server hostname as the domain (Common Name).

If the panel was installed with minimal software configuration, the mail server is not used. Accordingly, an upper-level certificate for the entire mail server is not automatically configured.

The default certificate provides the ability to establish an encrypted connection without additional configuration, but with such a certificate you will not be able to authenticate to other servers because the receiving server will check if the domain you are connecting to matches the domain in the certificate. Therefore, emails from a server with such a certificate will most likely be blocked by anti-spam filters on the receiving side.

To avoid this, you need to replace the self-signed certificate with a valid certificate. In most cases, a free certificate from Let's Encrypt, which can be issued and further renewed by the ispmanager panel, will be suitable for this purpose. If necessary, you can install an existing paid certificate issued by another certification authority.

Initial setup

Before installing an SSL certificate for the mail server, make sure that the following conditions are met:

  • the mail server is installed;
  • the mail domain is registered and accessible from the network;
  • the A record of the mail domain points to the IP address of the server with ispmanager;
  • the hostname of the server with ispmanager matches the mail domain;
  • the PTR records of the public IP addresses of the server with ispmanager point to the hostname.
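The following is an added example (not ispmanager code) that checks the conditions above before a certificate is issued: it compares the hostname with the mail domain, the A record with the server's addresses, the PTR records with the hostname and, optionally, the names in the certificate with the mail domain. The pure check function runs on already-resolved data; the wrapper performs the live lookups with the standard socket module.

```python
# Added example (not ispmanager code): pre-flight checks for the conditions above.
# check_mail_dns() works on already-resolved data so it can be tested offline;
# gather_and_check() feeds it live lookups made with the standard socket module.
import socket


def _norm(name):
    return name.rstrip(".").lower()


def check_mail_dns(hostname, mail_domain, server_ips, a_records, ptr_by_ip, cert_names=()):
    """Return a list of problems (empty list = checklist satisfied).
    server_ips: public addresses of the ispmanager server; a_records: A records of
    mail_domain; ptr_by_ip: {ip: [PTR names]}; cert_names: CN/SAN names (optional)."""
    problems = []
    hostname, mail_domain = _norm(hostname), _norm(mail_domain)
    if hostname != mail_domain:
        problems.append(f"hostname {hostname} does not match mail domain {mail_domain}")
    if not a_records:
        problems.append(f"no A record for {mail_domain}")
    elif not set(a_records) & set(server_ips):
        problems.append(f"A record {sorted(a_records)} does not point at {sorted(server_ips)}")
    for ip in server_ips:
        ptrs = [_norm(p) for p in ptr_by_ip.get(ip, [])]
        if hostname not in ptrs:
            problems.append(f"PTR for {ip} is {ptrs or 'missing'}, expected {hostname}")
    if cert_names:
        names = {_norm(n) for n in cert_names}
        parent = mail_domain.split(".", 1)[-1]  # a wildcard covers exactly one label
        if mail_domain not in names and f"*.{parent}" not in names:
            problems.append(f"certificate names {sorted(names)} do not cover {mail_domain}")
    return problems


def gather_and_check(hostname, mail_domain, server_ips):
    """Resolve the live DNS data and run the checks (needs network access)."""
    try:
        a_records = socket.gethostbyname_ex(mail_domain)[2]
    except socket.gaierror:
        a_records = []
    ptr_by_ip = {}
    for ip in server_ips:
        try:
            name, aliases, _ = socket.gethostbyaddr(ip)
            ptr_by_ip[ip] = [name] + aliases
        except (socket.herror, socket.gaierror):
            ptr_by_ip[ip] = []
    return check_mail_dns(hostname, mail_domain, server_ips, a_records, ptr_by_ip)
```

On the server itself, `gather_and_check("mail.example.com", "mail.example.com", ["203.0.113.10"])` (constructed names and address) returns an empty list when every condition holds and one message per failed condition otherwise.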

Install Let's Encrypt for mail server

1. Get a free Let's Encrypt certificate. To do this:

  • in the ispmanager main menu, go to SSL certificates;
  • on the toolbar, click Add certificate → Let's Encrypt;
  • fill in the information and issue a certificate for the mail server domain name. More information about issuing Let's Encrypt certificates can be found in the documentation.

2. After successful issuance, copy the certificate you need. To do this:

  • in the ispmanager main menu, go to SSL certificates;
  • select the certificate and click SSL certificate information on the toolbar, or choose Certificate data in the drop-down menu;
  • copy the data or keep this panel open for further copying.

3. Transfer the data. To do this:

  • in the ispmanager main menu, go to Mail;
  • click Mail domains on the toolbar;
  • click SSL certificate on the toolbar;
  • the form that appears displays the current certificate, its key and chain. Replace these fields with the values of the new SSL certificate copied at step 2.

Install an existing certificate for the mail server

To install an existing certificate, follow step 3 of the instructions for installing Let's Encrypt for the mail server (above).

Certificates for mail domains

In ispmanager it is possible to attach a separate SSL certificate to each mail domain. This is required so that the receiving side can verify that the mail domain matches the name in the certificate.

To make an existing SSL certificate available for a mail domain, you must first add it to the panel.

1. In the Main menu go to SSL certificates;

2. Click Add certificate on the toolbar and select the certificate type you need.

3. Fill in the fields and click Create.

When adding a certificate, it is important to specify as its owner the user who owns the domain to which you want to attach this certificate.

After adding a certificate, connect it in the mail domain configuration. To do this:

4. In the Main menu navigate to Mail.

5. Click Mail domains on the toolbar.

6. Select the mail domain you need and click Change mail domain parameters on the toolbar, or choose Edit in the drop-down menu.

7. Check the box Secure connection (SSL) and in the SSL certificate field select the certificate you have just added.

When editing an email domain, you can add an existing certificate or create a new one. Select New Let's Encrypt or New self-signed certificate, fill in the information and save the changes. Any new certificates added in this way can be viewed in the SSL Certificates section of the panel.

8. Save the changes.

Location of certificate files

SSL certificate of an upper level

For OS Rocky Linux, AlmaLinux

/etc/exim/ssl/exim.crt and /etc/exim/ssl/exim.key (the certificate and the key respectively)

For OS Debian, Ubuntu

/etc/exim4/ssl/exim.crt and /etc/exim4/ssl/exim.key (the certificate and the key respectively)

SSL certificates for domains

By default, all SSL certificates created for a user are stored in the /var/www/httpd-cert/username directory.

After a domain is created or edited, its certificate is attached as follows:

For Exim

Copies of the certificate and the key are created in the /path_to_exim/ssl directory (see the upper-level certificate paths above for each OS) with the names 'domain_name.crt' and 'domain_name.key'. The first file is the public part (the certificate itself) and the second file is the private key.

For Dovecot

Symbolic links to the certificate and key are created in the /etc/email/certs directory, named 'domain_name.crt' and 'domain_name.key' respectively. In addition, a 'domain_name.conf' configuration file is created in the /etc/dovecot/certs directory with an entry of the following form:

local_name domain_name {
    ssl_cert = </etc/email/certs/domain_name.crt
    ssl_key = </etc/email/certs/domain_name.key
}
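As an added example (not ispmanager code), the following script parses a per-domain Dovecot file of the form shown above and checks that the ssl_cert and ssl_key paths it references (normally the symlinks in /etc/email/certs) still resolve to real files; a stale symlink after a certificate is deleted or re-issued is a typical reason for a domain to fall back to the upper-level certificate or fail the TLS handshake. demo() builds a constructed copy of the layout in a temporary directory, so it runs offline.

```python
# Added example (not ispmanager code): verify the per-domain Dovecot wiring described
# above, i.e. that the ssl_cert / ssl_key paths in /etc/dovecot/certs/<domain>.conf
# (normally symlinks in /etc/email/certs) still resolve to real files.
import re
import tempfile
from pathlib import Path

BLOCK_RE = re.compile(r"local_name\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*<(\S+)", re.M)


def parse_local_name(text):
    """Return {domain: {"ssl_cert": path, "ssl_key": path}} for each local_name block."""
    return {m.group(1): dict(KV_RE.findall(m.group(2))) for m in BLOCK_RE.finditer(text)}


def check_domain_conf(conf_path):
    """Return a list of problems for one per-domain conf file (empty list = OK)."""
    conf_path = Path(conf_path)
    blocks = parse_local_name(conf_path.read_text())
    if not blocks:
        return [f"{conf_path}: no local_name block found"]
    problems = []
    for domain, kv in blocks.items():
        if domain != conf_path.stem:
            problems.append(f"{conf_path}: local_name {domain} != file name {conf_path.stem}")
        for key in ("ssl_cert", "ssl_key"):
            path = kv.get(key)
            if not path:
                problems.append(f"{domain}: {key} is missing")
            elif not Path(path).is_file():  # follows symlinks; a dangling link is False
                problems.append(f"{domain}: {key} -> {path} does not resolve to a file")
    return problems


def demo():
    """Build a constructed sample layout in a temp dir; return (ok, broken) results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        certs = root / "email_certs"  # stands in for /etc/email/certs
        certs.mkdir()
        for ext in ("crt", "key"):  # real files stand in for /var/www/httpd-cert/<user>/
            (root / f"example.com.{ext}").write_text(f"constructed {ext} placeholder\n")
            (certs / f"example.com.{ext}").symlink_to(root / f"example.com.{ext}")
        conf = root / "example.com.conf"
        conf.write_text(f"local_name example.com {{\n  ssl_cert = <{certs}/example.com.crt\n"
                        f"  ssl_key = <{certs}/example.com.key\n}}\n")
        ok = check_domain_conf(conf)
        (root / "example.com.key").unlink()  # key removed behind the symlink
        return ok, check_domain_conf(conf)
```

On a real server, run check_domain_conf() over every file in /etc/dovecot/certs to find domains whose certificate or key link no longer resolves.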