Aurora Corporate documentation

Configuring SSL for Nginx, Exim and Dovecot

This page describes enabling SSL for the Nginx web server and for the Exim and Dovecot mail server software, the combination used by Aurora Corporate.

To provide secure (HTTPS) access to the web interface of the product installation, you need to reconfigure Nginx.

This article also covers SSL at the mail server level: Exim and Dovecot need to be set up to use SSL as well.

We use EFF's Certbot to deploy Let's Encrypt certificates:

sudo apt install certbot -y

Requesting the certificate:

sudo certbot certonly --webroot-path=/opt/afterlogic/html/ -d YOUR_DOMAINNAME_HERE

Here and throughout this page, replace YOUR_DOMAINNAME_HERE with the domain name you actually use.

Configuring Nginx

Create the file /etc/nginx/sites-available/afterlogic-webmail-ssl with the following content:

# Plain HTTP: redirect every request to HTTPS
server {
    listen 80;
    server_name YOUR_DOMAINNAME_HERE;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name YOUR_DOMAINNAME_HERE;
    root /opt/afterlogic/html;

    index index.php index.html index.htm;

    location ~ \.(php|phar)(/.*)?$ {
        fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$;

        fastcgi_intercept_errors on;
        fastcgi_index  index.php;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param  PATH_INFO $fastcgi_path_info;
        # "php-fpm" is an upstream name that must be defined elsewhere in your Nginx configuration
        fastcgi_pass   php-fpm;
    }

    # never serve the application's data directory directly
    location ^~ /data/ { deny all; }

    ssl_certificate /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem;
}

Run the following commands to apply changes:

sudo ln -s /etc/nginx/sites-available/afterlogic-webmail-ssl /etc/nginx/sites-enabled/
sudo service nginx restart

Configuring Exim

In the /etc/exim4/exim4.conf file, uncomment the following lines:

tls_advertise_hosts = *
tls_on_connect_ports = 465

Uncomment the following lines and supply your domain name there:

tls_certificate=/etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem
tls_verify_certificates=/etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem
tls_privatekey=/etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/privkey.pem

Run the following command to apply changes:

sudo service exim4 restart

NB: Currently, there's a known issue with Exim accessing certificate files over symlinks. To work around that, try pointing Exim to the files in the archive/ directory rather than live/, for example:

tls_certificate=/etc/letsencrypt/archive/YOUR_DOMAINNAME_HERE/fullchain1.pem
tls_verify_certificates=/etc/letsencrypt/archive/YOUR_DOMAINNAME_HERE/fullchain1.pem
tls_privatekey=/etc/letsencrypt/archive/YOUR_DOMAINNAME_HERE/privkey1.pem

and change permissions as follows:

chown afterlogic:afterlogic -R /etc/letsencrypt/archive/YOUR_DOMAINNAME_HERE/

Configuring Dovecot

Modify the /etc/dovecot/conf.d/10-ssl.conf file as follows:

ssl = yes
ssl_cert = </etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem
ssl_key = </etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/privkey.pem

Apply changes:

sudo service dovecot restart
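The steps above configure all three services once, but Let's Encrypt certificates are renewed every few months, and certbot writes each renewal to a new numbered file in archive/ (fullchain2.pem, privkey2.pem, and so on) while only updating the symlinks in live/. An Exim configured with the archive/ workaround above therefore keeps serving fullchain1.pem after a renewal, and Nginx and Dovecot only read the new files after a restart. The following certbot deploy hook is an added example, not part of Aurora Corporate's documentation: it copies whatever live/ currently points at into a fixed directory that Exim can read without following symlinks, then restarts the services. The certbot pieces it relies on (the renewal-hooks/deploy directory and the RENEWED_LINEAGE environment variable) are real certbot features; the install directory /etc/ssl/afterlogic is a hypothetical name chosen for this example, and "Debian-exim" is assumed to be the group Exim runs under on Debian-based systems.

```shell
#!/bin/sh
# Added example (not part of Aurora Corporate's documentation): certbot deploy
# hook that keeps a symlink-free copy of the current certificate for Exim and
# restarts the services after every renewal.
# Install as /etc/letsencrypt/renewal-hooks/deploy/afterlogic-sync.sh, chmod 755.
set -eu

DEST_ROOT="${DEST_ROOT:-/etc/ssl/afterlogic}"   # hypothetical install directory
KEY_GROUP="${KEY_GROUP:-Debian-exim}"          # assumed group allowed to read the key

# sync_certs LINEAGE_DIR DEST_DIR [GROUP]
# Copies fullchain.pem and privkey.pem from a certbot lineage directory
# (e.g. /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE) into DEST_DIR.
# cp -L dereferences the live/ symlinks, so DEST_DIR always holds the
# archive/fullchainN.pem and privkeyN.pem that certbot currently points at.
# The private key is written mode 640 and, if GROUP is given, owned by that
# group, so only root and the mail daemon can read it (rather than chown -R
# of the whole archive/ directory to the application user).
# Returns 0 on success, 1 if the lineage is missing either file.
sync_certs() {
    lineage="$1"; dest="$2"; group="${3:-}"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    tmp_chain="$dest/fullchain.pem.new"
    tmp_key="$dest/privkey.pem.new"
    cp -L "$lineage/fullchain.pem" "$tmp_chain"
    cp -L "$lineage/privkey.pem" "$tmp_key"
    chmod 644 "$tmp_chain"
    chmod 640 "$tmp_key"
    if [ -n "$group" ]; then
        chgrp "$group" "$tmp_key"
    fi
    # rename into place so a restarting daemon never reads a half-written file
    mv "$tmp_chain" "$dest/fullchain.pem"
    mv "$tmp_key" "$dest/privkey.pem"
}

# certbot sets RENEWED_LINEAGE to the live/ directory of the lineage it just
# renewed when it runs a deploy hook; when sourced by hand this block is skipped.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    sync_certs "$RENEWED_LINEAGE" "$DEST_ROOT/$(basename "$RENEWED_LINEAGE")" "$KEY_GROUP"
    # Nginx and Dovecot read the live/ symlinks, Exim reads the copy made above;
    # all three must be restarted or reloaded to pick up the new certificate.
    service nginx reload
    service exim4 restart
    service dovecot reload
fi
```

With this hook in place, point Exim's tls_certificate and tls_privatekey at /etc/ssl/afterlogic/YOUR_DOMAINNAME_HERE/fullchain.pem and privkey.pem instead of the numbered archive/ files; certbot's `sudo certbot renew --dry-run` exercises the hook without issuing a real certificate.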