Using SSL certificates with atmail Exim and Dovecot - atmail 6.0 -> 7.6.0.2

Stewart -

PROBLEM

I want to use my own SSL certificates with my atmail installation.

ENVIRONMENT

  • on-premise mailserver installations: version 6.0 -> 7.6.0.2

CAUSE

You can use SSL certificates so that your users reach atmail's POP3/IMAP and SMTP services over an encrypted connection. This document shows how to put an SSL certificate and its private key into the form that Exim and Dovecot expect: a PEM-encoded certificate file and a private key file with no passphrase.

RESOLUTION

  1. Generate a key and certificate. The command below creates an unencrypted 2048-bit RSA key and a self-signed certificate valid for 365 days. Mail clients will warn about a self-signed certificate unless they have been told to trust it, so treat it as a test certificate. For a certificate issued by a CA, generate a certificate signing request (CSR) instead (the same command without -x509 and with -out domain.csr), submit the CSR to the CA, and use the certificate it returns as domain.crt in the steps below.
    % openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
  2. You now have two files: the certificate (.crt, either self-signed from step 1 or returned by the CA) and the private key (.key, generated locally and never sent anywhere). For the purposes of this document, we will put them in the directory /usr/local/atmail/ssl/ as the two files domain.key and domain.crt.
  3. Convert the certificate to PEM. openssl x509 reads PEM by default; if the CA delivered the certificate in binary DER form, add -inform DER to the command. Many CAs already deliver PEM (a text file starting with -----BEGIN CERTIFICATE-----), in which case this step simply produces a copy. If the CA also supplied intermediate certificates, append them to the .pem file after your own certificate, in order towards the root, so that clients receive the full chain. This command does the conversion:
    % openssl x509 -in /usr/local/atmail/ssl/domain.crt -out /usr/local/atmail/ssl/domain.pem -outform PEM
  4. Dovecot and Exim must be able to read the key at start-up without prompting for a passphrase. The key from step 1 was created with -nodes and is already unencrypted; if your key is passphrase-protected, this command writes an unencrypted copy (it prompts for the passphrase once). Because the key is now stored in the clear, restrict the file so that only root and the account the mail services run as can read it; it must never be world-readable.
    % openssl rsa -in /usr/local/atmail/ssl/domain.key -out /usr/local/atmail/ssl/domain-nopass.key
  5. Define the pathnames of the key and cert files in WebAdmin > Services > POP3/IMAP.
  6. The SSL Certificate Path corresponds to your .pem file. For this example, the setting will be "/usr/local/atmail/ssl/domain.pem".
  7. The SSL key file corresponds to your passphrase-less key file. For this example, the setting will be "/usr/local/atmail/ssl/domain-nopass.key".
  8. Save changes.
  9. Should you want to verify this manually, open up /usr/local/atmail/mailserver/etc/dovecot.conf, and look for this code block:
    ssl = yes
    protocols = pop3 imap pop3s imaps
    ssl_cert_file = /usr/local/atmail/ssl/domain.pem
    ssl_key_file = /usr/local/atmail/ssl/domain-nopass.key
  10. And here are the corresponding Exim entries in /usr/local/atmail/mailserver/configure (the Exim configuration file):
    tls_advertise_hosts = *
    log_selector = +tls_peerdn
    tls_certificate=/usr/local/atmail/ssl/domain.pem
    tls_privatekey=/usr/local/atmail/ssl/domain-nopass.key
  11. Restart Atmail services.
    % /etc/init.d/atmailserver restart
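The whole procedure above as a checked script, added here as an example and not part of atmail's own tooling. It normalises the certificate to PEM whether the CA shipped PEM or DER, strips the passphrase and locks down the key, builds the chain file, and refuses to proceed if the key does not match the certificate or the chain does not validate. The host name mail.example.test, the passphrase and the file names are assumptions, and the CA built by make_test_pki is a throwaway for the demonstration, not a real issuer.

```shell
#!/bin/sh
# Added example, not atmail's own tooling: prepare and sanity-check the
# certificate material the steps above describe before pointing WebAdmin at it.
# The host name mail.example.test, the passphrase and the file names are
# assumptions; the CA built by make_test_pki is a throwaway for this
# demonstration, not a real issuer.
set -eu

# Step 3 for either delivery format: openssl x509 reads PEM by default, so a
# binary DER .crt has to be converted with -inform DER.
to_pem() {                       # to_pem in.crt out.pem
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -inform PEM -in "$1" -outform PEM -out "$2"
    else
        openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
    fi
}

# Step 4: Dovecot and Exim cannot prompt for a passphrase at start-up, so the
# deployed key is unencrypted; make up for that with owner-only permissions.
strip_passphrase() {             # strip_passphrase in.key out.key [passphrase]
    if [ $# -ge 3 ]; then
        openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
    else
        openssl rsa -in "$1" -out "$2" 2>/dev/null
    fi
    chmod 600 "$2"
}

# The file ssl_cert_file / tls_certificate point at: server certificate first,
# then each intermediate in order towards the root (the root itself is not needed).
build_chain() {                  # build_chain out.pem server.pem intermediate.pem...
    out=$1; shift
    cat "$@" > "$out"
}

# SHA-256 fingerprint, handy for recording what was deployed.
fingerprint() {                  # fingerprint cert.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Refuse a key that does not belong to the (first) certificate in the file:
# the public key derived from the private key must equal the one in the cert.
key_matches_cert() {             # key_matches_cert key.pem cert.pem
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the chain file validate up to the trust anchor clients will use?
# -untrusted lets the intermediates in the same file be used to build the path.
chain_verifies() {               # chain_verifies trusted-root.pem chain.pem
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Throwaway two-tier PKI (root -> intermediate -> server) so the checks above
# can be exercised offline; a real certificate comes back from the CA for a CSR
# made exactly like the server one here.
make_test_pki() {                # make_test_pki dir
    d=$1
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$d/srv.ext"
    for n in root:Toy-Root inter:Toy-Intermediate server:mail.example.test; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=${n#*:}" \
            -keyout "$d/${n%%:*}.key" -out "$d/${n%%:*}.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 365 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 365 -extfile "$d/srv.ext" -out "$d/server.pem" 2>/dev/null
}

# Stand-alone run: sh prepare-atmail-tls.sh demo
if [ "${1:-}" = demo ]; then
    T=$(mktemp -d)
    make_test_pki "$T"
    to_pem "$T/server.pem" "$T/domain.pem"
    strip_passphrase "$T/server.key" "$T/domain-nopass.key"
    build_chain "$T/domain-chain.pem" "$T/domain.pem" "$T/inter.pem"
    key_matches_cert "$T/domain-nopass.key" "$T/domain-chain.pem" && echo "key matches certificate"
    chain_verifies "$T/root.pem" "$T/domain-chain.pem" && echo "chain verifies"
    fingerprint "$T/domain.pem"
    echo "SSL Certificate Path: $T/domain-chain.pem  SSL key file: $T/domain-nopass.key"
fi
```

With real material, run to_pem on the file the CA sent, strip_passphrase on your key, build_chain with the CA's intermediate bundle, and only then put the resulting paths into WebAdmin > Services > POP3/IMAP; the trust anchor passed to chain_verifies is the CA's root certificate, which the clients already have and which therefore does not belong in the chain file.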

Comments

  • Tomas

    Conversion to .pem produces the following:

    unable to load certificate
    139644526769808:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1345:
    139644526769808:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:388:Type=X509

  • jean

    Missing in these instructions are the instructions on how to generate a new key and certificate request.
    Details such as self-signed certificates vs "leaf" certificates would be welcomed as well.

  • Tim

    Our certificate generator (Go Daddy LLC) produces documents that are already in PEM format, but require additional certificate(s) for chaining. After much experimentation, the easiest method to produce a cert that Atmail will use is to combine the site and chain certs into one .crt file (you can call it .PEM if you want). We receive 4 files in our package; the .csr can be set aside. For this example, we have the following:

    8u9d45rd3ee.crt
    bundle-g2-g1.crt
    mywebsite.net.key

    Produce your site key as the article indicates. To create the Atmail-usable .crt file in the command line environment:

    cp 8u9d45rd3ee.crt mywebsite.net.crt
    cat bundle-g2-g1.crt >> mywebsite.net.crt

    cp mywebsite.net.crt /usr/local/atmail/mailserver/ssl/cert/

    Set the file names in the Admin GUI, restart the Atmail services, you should be good to go.
