How to configure certificates for HTTPS, IMAP, POP3, and SMTP

Steve -

PROBLEM

The pre-installed self-signed certificates are not trusted by the browser.  Where do I add my own trusted certificates?  

ENVIRONMENT

  • atmail suite 
  • atmail mail server

CAUSE

The certificates used during installation are self-signed certificates.

RESOLUTION

A new certificate will need to be generated or purchased.  The same certificate can be used for IMAP, POP, HTTPS, and SMTP.  Please save this certificate on the server and follow this guide to configure the appropriate applications to use the new certificate.  For the sake of this guide, we will assume that the new key and certificate are called new-cert.key and new-cert.pem.

Nginx certificate setup (webmail)

  1. Open the nginx config file. 
    vi /etc/nginx/conf.d/atmail.conf 
    The default config should look similar to this.
    server {
    
            listen 443 http2 ssl;
    
            server_name _;
    
            error_log /var/log/nginx/atmail_error;
            access_log /var/log/nginx/atmail_access;
    
            gzip on;
            gzip_types text/plain application/xml application/json application/javascript text/css;
    
            ssl_certificate_key  /etc/pki/nginx/private/atmail.key;
            ssl_certificate      /etc/pki/nginx/certs/atmail.pem;
    #       ssl_trusted_certificate /etc/pki/nginx/certs/letsencrypt_ca.pem;
    ...
    Edit the ssl_certificate_key and ssl_certificate directives to point to your certificates.
    ssl_certificate_key /etc/pki/nginx/private/new-cert.key; 
    ssl_certificate /etc/pki/nginx/certs/new-cert.pem;

  2. Open the atmail DAV config file. 
    vi /etc/nginx/conf.d/atmail-dav.conf 
    The default config should look similar to this.
    server {
    listen 0.0.0.0:8008;
    listen 0.0.0.0:8443 ssl;

    server_name _;
    keepalive_timeout 10;
    error_log /var/log/nginx/dav_errors.log;

    root /usr/share/atmail/dav/html/;
    index server.php;

    rewrite ^/.well-known/caldav /calendars redirect;
    rewrite ^/.well-known/carddav /addressbooks redirect;

    location / {
    try_files $uri $uri/ /server.php?$args;
    }

    client_max_body_size 100M;

    ssl_certificate /etc/pki/nginx/certs/atmail.pem;
    ssl_certificate_key /etc/pki/nginx/private/atmail.key;
    ...

    Edit the ssl_certificate_key and ssl_certificate directives to point to your certificates.

    ssl_certificate_key /etc/pki/nginx/private/new-cert.key; 
    ssl_certificate /etc/pki/nginx/certs/new-cert.pem;
  3. Place the new certificate key for nginx in the /etc/pki/nginx/private directory and change its ownership:
    chown root:nginx /etc/pki/nginx/private/new-cert.key
  4. Now change its permissions.
    chmod 0640 /etc/pki/nginx/private/new-cert.key
  5. Place the new certificate pem file in the /etc/pki/nginx/certs directory and change its ownership:
    chown root:root /etc/pki/nginx/certs/new-cert.pem
  6. Now change its permissions.
    chmod 0444 /etc/pki/nginx/certs/new-cert.pem
  7. Restart nginx and apiserver.
    systemctl restart nginx apiserver

IMAP/POP setup

  1. Place the new certificate key for dovecot in the /etc/pki/dovecot/private directory and change its ownership:
    chown root:root /etc/pki/dovecot/private/new-cert.key
  2. Now change its permissions.
    chmod 0640 /etc/pki/dovecot/private/new-cert.key
  3. Place the new certificate pem file for dovecot in the /etc/pki/dovecot/certs directory and change its ownership.
    chown root:root /etc/pki/dovecot/certs/new-cert.pem
  4. Now change its permissions.
    chmod 0444 /etc/pki/dovecot/certs/new-cert.pem
  5. In the admin portal, navigate to Services -> POP3/IMAP and add the paths to the certificate and key file.
  6. Click on Save settings and Publish config to save the changes

SMTP setup

  1. Make a private and a certs directory in the exim directory.
    mkdir /etc/pki/exim/private /etc/pki/exim/certs
  2. Place the new certificate key for exim in the /etc/pki/exim/private directory and change its ownership.
    chown root:exim /etc/pki/exim/private/new-cert.key
  3. Now change its permissions.
    chmod 0640 /etc/pki/exim/private/new-cert.key
  4. Place the new certificate pem for exim in the /etc/pki/exim/certs directory and change its ownership.
    chown root:root /etc/pki/exim/certs/new-cert.pem
  5. Now change its permissions.
    chmod 0444 /etc/pki/exim/certs/new-cert.pem
  6. In the admin portal, navigate to Services -> SMTP and add the paths to the certificate and key file
  7. Click on Save settings and Publish config to save the changes
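
Before restarting nginx or publishing the dovecot and exim settings, it is worth confirming that new-cert.key actually belongs to new-cert.pem and that the ownership and modes from the steps above were applied. The script below is an added example, not part of atmail's own tooling; its function names are hypothetical and it assumes OpenSSL and GNU stat are installed.

```shell
#!/bin/sh
# Added example: pre-restart checks for a key/certificate pair.
# Assumes OpenSSL and GNU stat (Linux). Function names are hypothetical.
# Usage: sh check_pair.sh KEY CERT KEY_OWNER [CERT_OWNER]
#   e.g. sh check_pair.sh /etc/pki/nginx/private/new-cert.key \
#            /etc/pki/nginx/certs/new-cert.pem root:nginx && nginx -t

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds only if the file has exactly the given octal mode and owner:group.
perms_are() {
    [ "$(stat -c '%a %U:%G' "$1" 2>/dev/null)" = "$2 $3" ]
}

# Runs every check, prints each failure, returns non-zero if any check failed.
# KEY_OWNER is root:nginx, root:root or root:exim depending on the service;
# CERT_OWNER defaults to root:root as in the steps above.
check_pair() {
    key=$1; cert=$2; key_owner=$3; cert_owner=${4:-root:root}; rc=0
    key_matches_cert "$key" "$cert" ||
        { echo "FAIL: $key does not match $cert"; rc=1; }
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $cert is expired or unreadable"; rc=1; }
    perms_are "$key" 640 "$key_owner" ||
        { echo "FAIL: $key should be 0640 $key_owner"; rc=1; }
    perms_are "$cert" 444 "$cert_owner" ||
        { echo "FAIL: $cert should be 0444 $cert_owner"; rc=1; }
    return $rc
}

# Run the checks only when the script is called with arguments.
if [ "$#" -ge 3 ]; then
    check_pair "$@"
fi
```

Run it once per service with that service's paths and key owner; a mismatched key and certificate is the most common reason a TLS listener fails to start after a certificate swap.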
