VestaCP SSL for mail server
VestaCP install self signed SSL for mail server by default. To install valid SSL, login to VestCP, go to sites. You will see a site with your sites hostname. If you don’t see it, create a site with your server hostname. Make sure DNS edited so hostname resolve to server IP. Now you should be able to get free LetsEncrypt SSL for this site.
if you check Apache Virtual Host for the site, you will see someting like
1 2 3 |
SSLCertificateFile /home/admin/conf/web/ssl.HOSTNAME.crt SSLCertificateKeyFile /home/admin/conf/web/ssl.HOSTNAME.key SSLCertificateChainFile /home/admin/conf/web/ssl.HOSTNAME.ca |
In VeataCP the config files for exim and dovecot located at
1 2 |
/etc/exim4/exim4.conf.template /etc/dovecot/conf.d/10-ssl.conf |
These configs use SSL located at /usr/local/vesta/ssl/certificate.crt and /usr/local/vesta/ssl/certificate.key.
To use the FREE SSL, create a bash script.
1 2 |
mkdir /usr/serverok/ vi /usr/serverok/ssl-renew-hostname |
Add
1 2 3 4 5 6 7 8 9 10 11 12 |
#!/bin/bash # Author: ServerOk Software # Web: www.serverok.in # Email: [email protected] cat /home/admin/conf/web/ssl.HOSTNAME.crt > /usr/local/vesta/ssl/certificate.crt cat /home/admin/conf/web/ssl.HOSTNAME.ca >> /usr/local/vesta/ssl/certificate.crt cat /home/admin/conf/web/ssl.HOSTNAME.key > /usr/local/vesta/ssl/certificate.key systemctl restart apache2 systemctl restart exim4 systemctl restart dovecot /usr/local/vesta/nginx/sbin/vesta-nginx -s reload |
make the file executable
1 |
chmod 755 /usr/serverok/ssl-renew-hostname |
Run the script
1 |
/usr/serverok/ssl-renew-hostname |
Now SSL will work for mail server and VestaCP. To access VestaCP, use
1 |
https://HOSTNAME:8083/login/ |
Verify Mail Server SSL
You can view mail server SSL with command
1 2 3 |
openssl s_client -showcerts -connect HOSTNAME:993 openssl s_client -showcerts -connect HOSTNAME:465 openssl s_client -starttls smtp -showcerts -connect HOSTNAME:587 |
Replace HOSTNAME with actual hostname of your server.
Auto Renew SSL
LetsEncrypt SSL expire every 90 days. So we will create a cronjob to auto renew SSL. Ff you have a paid SSL, you don’t need this cronjob
Create a cronjob with
1 |
crontab -e |
Add
1 |
@weekly /usr/serverok/ssl-renew-hostname > /dev/null 2>&1 |
Related Posts