SSL-certificates for mail domains
Managing SSL-certificates for mail domains
You can use an SSL-certificate for every domain.
When you create or edit a domain, select the "Secure connection (SSL)" checkbox.
You will see a list of available SSL-certificate. If they are not found, you will be able to generate a self-signed certificate.
Note: certificates can be used for domains only with Exim and Dovecot configured.
Setup and configuration
Attention! Default activation of SSL-certificates on mail domains is enabled only for new installations.
That's why when you update the already install control panel, you will need to set up it manually.
- Navigate to the /usr/local/mgr5/etc/ispmgr.conf.d directory, and edit two files:
exim.conf. Add the following string at the end of the configuration file
path exim-certdir /path_to_exim/ssl
dovecot.conf. Add the following string at the end of the configuration file
path dovecot-certconf /path_to_dovecot/certs
- Edit the Dovecot configuration file
/path_to_dovect/conf.d/10-ssl.conf. Add the following information:
ssl = yes
ssl_cert = </etc/exim/ssl/exim.crt
ssl_key = </etc/exim/ssl/exim.key
!include_try /путь_до_dovecot/certs/*.conf
- Edit the Exim configuration file:
/path_to_exim/exim.conf. Edit the SSL settings:
log_selector = \
+all_parents \
+lost_incoming_connection \
+received_sender \
+received_recipients \
+tls_cipher +tls_peerdn +tls_sni \
+smtp_confirmation \
+smtp_syntax_error \
+smtp_protocol_error
# TLS/SSL
tls_advertise_hosts = *
tls_certificate = ${if exists{/etc/exim/ssl/${tls_sni}.crt}{/etc/exim/ssl/${tls_sni}.crt}{/etc/exim/ssl/exim.crt}}
tls_privatekey = ${if exists{/etc/exim/ssl/${tls_sni}.key}{/etc/exim/ssl/${tls_sni}.key}{/etc/exim/ssl/exim.key}}
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
Location of certificates
By default all user certificates are located in /var/www/httpd-cert/user_name.
After domain registration or creation, certificates will be activated as follows:
Exim — copies of the certificate and key are created in the /path_to_exim/ssl directory
named domain_name.crt and domain_name.key
Dovecot — symlinks to the certificate and key are created in the /etc/email/certs directory
named domain_name.crt and domain_name.key correspondingly.
The domain_name.conf configuration files are created in the /path_to_dovecot/certs directory with the following strings:
local_name domain_name {
ssl_cert = </etc/email/certs/domain_name.crt
ssl_key = </etc/email/certs/domain_name.key
}
Editing top-level certificate
During preliminary setup of Exim and Dovecot, a single, "top-level" certificate is activated. The server administrator can edit it.
ISPmanager Lite
Navigate to Domains ->Mail domains and click the SSL-certificate button.
On the form that will open, you will see the SSL certificate, its key and chain will be displayed. You can edit those data and save the result.
ISPmanager Business
Navigate to Cluster settings ->Cluster nodes. The SSL-certificate button will get activated after you assign a mail role to that cluster node. Then you can perform the same operations as in ISPmanager Lite.
Connecting Let's Encrypt certificates
To connect a Let's Encrypt SSL certificate to email domains:
- Get a Let's Encrypt certificate. Enter Web-server settings → SSL certificates → Let's Encrypt button. You can use a wildcard certificate for your mail domains.
- Enter Domains → Mail domains → select the domain → Edit → enable Secure connection (SSL) → select the issued Let's Encrypt certificate → Ok.
Read more about how Let's Encrypt certificates work in Integration with Let’s Encrypt.