Using SSL certificates with atmail Exim and Dovecot - atmail 6.0 -> 7.6.0.2

Stewart -

PROBLEM

I want to use my own SSL certificates with my atmail installation.

ENVIRONMENT

  • on-premise mailserver installations: version 6.0 -> 7.6.0.2

CAUSE

SSL certificates let your users reach atmail over TLS: POP3S and IMAPS served by Dovecot, and SMTP with STARTTLS served by Exim. This document shows how to convert a certificate and its private key into the PEM files that Exim and Dovecot expect, and where to point atmail at them.

RESOLUTION

  1. Either generate a self-signed certificate yourself or obtain one from a CA (in that case skip to step 2). This command creates a 2048-bit RSA key with no passphrase and a self-signed certificate valid for 365 days:
    % openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
  2. Either way you end up with two files: the certificate (.crt) and the private key (.key). For the purposes of this document, we will put them in the directory /usr/local/atmail/ssl/ as domain.key and domain.crt. If your CA also sent intermediate (chain) certificates, keep them: mail clients cannot validate the server certificate without them.
  3. Exim and Dovecot read PEM-encoded certificates. Convert the .crt file to PEM with:
    % openssl x509 -in /usr/local/atmail/ssl/domain.crt -out /usr/local/atmail/ssl/domain.pem -outform PEM
    If domain.crt already begins with "-----BEGIN CERTIFICATE-----" it is PEM and this command simply rewrites it. If openssl reports "unable to load certificate", the file is most likely DER (binary) encoded: add -inform DER to the command. If you have intermediate certificates, append them to domain.pem after the server certificate, server certificate first; both daemons read the chain from that one file.
  4. The daemons start unattended, so they need a key file that is not protected by a passphrase. This writes one (openssl prompts for the passphrase if the key is encrypted; a key created with -nodes in step 1 has none):
    % openssl rsa -in /usr/local/atmail/ssl/domain.key -out /usr/local/atmail/ssl/domain-nopass.key
    This file is the unencrypted private key. Restrict its permissions (chmod 600) so that only the account that starts the mail daemons can read it, and do not copy it off the server.
  5. Define the pathnames of the key and certificate files in WebAdmin > Services > POP3/IMAP.
  6. SSL Certificate Path is your .pem file. For this example, the setting is "/usr/local/atmail/ssl/domain.pem".
  7. SSL Key File is your passphrase-less key file. For this example, the setting is "/usr/local/atmail/ssl/domain-nopass.key".
  8. Save changes.
  9. To verify the result manually, open /usr/local/atmail/mailserver/etc/dovecot.conf and look for this block:
    ssl = yes
    protocols = pop3 imap pop3s imaps
    ssl_cert_file = /usr/local/atmail/ssl/domain.pem
    ssl_key_file = /usr/local/atmail/ssl/domain-nopass.key
  10. And here is the corresponding entry in the Exim configuration, /usr/local/atmail/mailserver/configure:
    tls_advertise_hosts = *
    log_selector = +tls_peerdn
    tls_certificate=/usr/local/atmail/ssl/domain.pem
    tls_privatekey=/usr/local/atmail/ssl/domain-nopass.key
  11. Restart the atmail services so that Exim and Dovecot load the new files:
    % /etc/init.d/atmailserver restart
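The following script is an added example and is not atmail's tooling or part of the original article. It carries out steps 1 to 4 as shell functions and adds the checks worth running before the restart in step 11: it detects whether a CA-supplied certificate is PEM or DER before converting it, appends an intermediate bundle in the order the daemons expect, strips the passphrase from an encrypted key, locks the key file down, and confirms that the key actually belongs to the certificate. The paths follow the article; SSL_DIR and the hostname mail.example.com are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not atmail's code): steps 1-4 of the article plus the
# pre-restart checks. SSL_DIR and mail.example.com are assumed names.
set -eu

SSL_DIR="${SSL_DIR:-/usr/local/atmail/ssl}"

# Step 1: 2048-bit RSA key with no passphrase (-nodes) and a self-signed
# certificate valid for 365 days. -subj avoids the interactive prompts.
gen_selfsigned() {  # gen_selfsigned <dir> <hostname>
    openssl req -newkey rsa:2048 -nodes -keyout "$1/domain.key" \
        -x509 -days 365 -subj "/CN=$2" -out "$1/domain.crt" 2>/dev/null
}

# Step 3: write a PEM copy of the certificate. The article's command assumes
# PEM input; a CA may ship DER, which fails with "unable to load certificate",
# so decide by the PEM header and pass -inform accordingly.
to_pem() {  # to_pem <in.crt> <out.pem>
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -inform PEM -out "$2" -outform PEM
    else
        openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
    fi
}

# Intermediates go after the server certificate in the same file; Exim's
# tls_certificate and Dovecot's ssl_cert_file both read the chain that way.
append_chain() {  # append_chain <server.pem> <intermediates.pem>
    cat "$2" >> "$1"
}

# Step 4: passphrase-less key readable only by its owner. The passphrase
# argument is optional: a key made with -nodes has none.
strip_passphrase() {  # strip_passphrase <in.key> <out.key> [passphrase]
    if [ $# -ge 3 ]; then
        openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
    else
        openssl rsa -in "$1" -out "$2" 2>/dev/null
    fi
    chmod 600 "$2"
}

# The check to run before any restart: a certificate paired with the wrong
# key makes both daemons refuse TLS. Compare the RSA moduli of the two files.
key_matches_cert() {  # key_matches_cert <cert.pem> <key.pem>
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Steps 1-4 end to end for the self-signed case; non-zero on any failure.
prepare_selfsigned() {  # prepare_selfsigned <dir> <hostname>
    gen_selfsigned "$1" "$2"
    to_pem "$1/domain.crt" "$1/domain.pem"
    strip_passphrase "$1/domain.key" "$1/domain-nopass.key"
    key_matches_cert "$1/domain.pem" "$1/domain-nopass.key"
}

# Usage: sh prepare-atmail-tls.sh run mail.example.com
# Then set the two paths in WebAdmin and restart the services (steps 5-11).
if [ "${1:-}" = "run" ]; then
    mkdir -p "$SSL_DIR"
    prepare_selfsigned "$SSL_DIR" "${2:-mail.example.com}"
    echo "ready: $SSL_DIR/domain.pem and $SSL_DIR/domain-nopass.key"
fi
```

For a CA-issued certificate, call to_pem on the file the CA sent, append_chain with the intermediate bundle, and strip_passphrase on the key you generated for the CSR, then run key_matches_cert before touching WebAdmin. After the restart, `openssl s_client -connect mail.example.com:993 -showcerts` should present the new certificate followed by the intermediates; if it shows only the leaf, the chain was not appended.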

Comments

  • Tomas

    Conversion to .pem produces the following:

    unable to load certificate
    139644526769808:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1345:
    139644526769808:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:388:Type=X509

  • jean

    Missing in these instructions are the instructions on how to generate a new key and certificate request.
    Details such as self-signed certificates vs "leaf" certificates would be welcomed as well.

  • Tim

    Our certificate generator (Go Daddy LLC) produces documents that are already in PEM format, but require additional certificate(s) for chaining. After much experimentation, the easiest method to produce a cert that Atmail will use is to combine the site and chain certs into one .crt file (you can call it .PEM if you want). We receive 4 files in our package; the .csr can be set aside. For this example, we have the following:

    8u9d45rd3ee.crt
    bundle-g2-g1.crt
    mywebsite.net.key

    Produce your site key as the article indicates. To create the Atmail-usable .crt file in the command line environment:

    # site (leaf) certificate first, then the intermediate bundle appended after it
    cp 8u9d45rd3ee.crt mywebsite.net.crt
    cat bundle-g2-g1.crt >> mywebsite.net.crt

    # install the combined file where Atmail looks for certificates
    cp mywebsite.net.crt /usr/local/atmail/mailserver/ssl/cert/

    Set the file names in the Admin GUI, restart the Atmail services, and you should be good to go.