This documentation page describes enabling SSL for the Nginx web server and for the Exim and Dovecot mail server software. This software combination is used by Aurora Corporate.
To provide secure access to the web interface, you need to reconfigure Nginx.
This article also covers configuring SSL at the mail server level: Exim and Dovecot need to be set up to use SSL.
We use EFF's Certbot to deploy Let's Encrypt certificates:
sudo apt install certbot -y
Requesting the certificate:
sudo certbot certonly --webroot-path=/opt/afterlogic/html/ -d YOUR_DOMAINNAME_HERE
From here on, you need to replace YOUR_DOMAINNAME_HERE with the domain name you use.
Configuring Nginx
Create the /etc/nginx/sites-available/afterlogic-webmail-ssl file with the following content:
server {
    listen 80;
    server_name YOUR_DOMAINNAME_HERE;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name YOUR_DOMAINNAME_HERE;
    root /opt/afterlogic/html;
    index index.php index.html index.htm;
    location ~ \.(php|phar)(/.*)?$ {
        fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$;
        fastcgi_intercept_errors on;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-fpm;
    }
    location ^~ /data/ { deny all; }
    ssl_certificate /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem;
}
Run the following commands to apply changes:
sudo ln -s /etc/nginx/sites-available/afterlogic-webmail-ssl /etc/nginx/sites-enabled/
sudo service nginx restart
Configuring Exim
In the /etc/exim4/exim4.conf file, uncomment the following lines:
tls_advertise_hosts = *
tls_on_connect_ports = 465
Uncomment the following lines and supply your domain name there:
tls_certificate=/etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem
tls_verify_certificates=/etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem
tls_privatekey=/etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/privkey.pem
Run the following command to apply changes:
sudo service exim4 restart
NB: Currently, there's a known issue with Exim accessing certificate files over symlinks. To work around that, try pointing Exim to files in the archive/ directory rather than live/, for example:
tls_certificate=/etc/letsencrypt/archive/YOUR_DOMAINNAME_HERE/fullchain1.pem
tls_verify_certificates=/etc/letsencrypt/archive/YOUR_DOMAINNAME_HERE/fullchain1.pem
tls_privatekey=/etc/letsencrypt/archive/YOUR_DOMAINNAME_HERE/privkey1.pem
and change permissions as follows:
chown afterlogic:afterlogic -R /etc/letsencrypt/archive/
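Certbot numbers the files in archive/ per issuance (fullchain1.pem, fullchain2.pem, ...) and repoints the live/ symlinks on each renewal, so an Exim configuration pinned to archive/ paths keeps using the old files until it is edited. The shell function below is an added example, not part of the original documentation, that reports such stale settings; the function name check_exim_tls_paths and its two-argument interface are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): flag Exim TLS options that are
# pinned to an archive/ file the matching live/ symlink no longer points to.
# Usage: check_exim_tls_paths EXIM_CONF LIVE_DIR
# Returns 0 if every configured file is the current one, 1 otherwise.
check_exim_tls_paths() {
    conf=$1
    live_dir=$2
    status=0
    # Extract "option path" pairs for the three options set in exim4.conf;
    # commented-out lines do not match.
    pairs=$(sed -nE 's/^[[:space:]]*(tls_certificate|tls_privatekey|tls_verify_certificates)[[:space:]]*=[[:space:]]*([^[:space:]]+).*$/\1 \2/p' "$conf")
    while read -r opt path; do
        [ -n "$opt" ] || continue
        if [ ! -e "$path" ]; then
            echo "MISSING $opt $path"
            status=1
            continue
        fi
        # fullchain1.pem -> fullchain.pem: strip certbot's issuance number
        live_name=$(basename "$path" | sed -E 's/[0-9]+\.pem$/.pem/')
        current=$(readlink -f "$live_dir/$live_name" 2>/dev/null) || current=
        configured=$(readlink -f "$path")
        if [ "$current" = "$configured" ]; then
            echo "OK $opt $path"
        else
            echo "STALE $opt $path (live/ now resolves to ${current:-nothing})"
            status=1
        fi
    done <<EOF
$pairs
EOF
    return "$status"
}

# Run against real files when called with two arguments, e.g.
#   sh check.sh /etc/exim4/exim4.conf /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE
if [ "$#" -eq 2 ]; then
    check_exim_tls_paths "$1" "$2"
fi
```

Running it after each renewal (for example from a certbot deploy hook) shows when the archive/ paths in exim4.conf need updating before Exim is restarted.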
Configuring Dovecot
Modify the /etc/dovecot/conf.d/10-ssl.conf file as follows:
ssl = yes
ssl_cert = </etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem
ssl_key = </etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/privkey.pem
Apply changes:
sudo service dovecot restart