MailSuite Pro documentation

Configuring SSL for Nginx, Exim and Dovecot

The following documentation page describes enabling SSL for webserver Nginx and mailserver software Exim and Dovecot. This software combination is used by MailSuite Pro.

If you need to configure the product installation to ensure secure access to web interface, you'll need to reconfigure Nginx for that.

This article also covers configuring SSL on mail server level, Exim and Dovecot need to be setup to use SSL.

Create private server key and certificate signing request

First, create the private server key:

sudo openssl genrsa -out server.key 2048

Next, create a certificate signing request:

sudo openssl req -new -key server.key -out server.csr

You will be asked for lists of fields that need to be filled in.

The most important field is "Common Name". Enter your domain name here or your site's IP address. You may leave the challenge password and optional company name blank.

Sign your SSL certificate

Certificates from CA (Certificate Authorities)

Now you have to sign your certificate.

Usually, an SSL certificate issued by a third party. It provides privacy and security between two computers on a public network by encrypting traffic. CA may issue you a SSL certificate that verify the organizational identity (company name), location, and server details.

In that case, you should go to the one of CA's site and order it.

Important note

When using CA Bundle certificates, just append the extra certificates into your .crt file. Your own certificate needs to be on top of the file.

Self-signed certificates

Alternatively, you can use self-signed certificates. Creating your own self-signed SSL certificate is a quick way to add SSL encryption. Though the certificate implements full encryption, visitors of your site will see a browser warning indicating that the certificate should not be trusted.

To generate the self-signed certificate which is good for 365 days, issue the following command:

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Set up the certificate

Copy server.key and server.crt files to /opt/afterlogic/ssl/certs directory.

Configure web server

Update Nginx configuration by including the new signed certificate and private key at /opt/afterlogic/etc/nginx/sites-enabled/localhost configuration file:

# WEB SSL
server {
    listen 443 ssl;

    root html;
    server_name YOUR_DOMAINNAME_HERE;

    ssl_certificate     /opt/afterlogic/ssl/certs/server.crt;
    ssl_certificate_key /opt/afterlogic/ssl/certs/server.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    include "nginx.inc.webmail.conf";
}

# DAV
server {
    listen 8008 ssl;
    listen 443 ssl;

    root html/dav;
    server_name YOUR_DAV_DOMAINNAME_HERE;

    ssl_certificate     /opt/afterlogic/ssl/certs/server.crt;
    ssl_certificate_key /opt/afterlogic/ssl/certs/server.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    include "nginx.inc.dav.conf";
}

Force HTTPS

To make sure users can only access the installation via HTTPS modify /opt/afterlogic/etc/nginx/sites-enabled/localhost configuration file as follows:

# WEBMAIL
server {
    listen 80;

    root html;
    server_name YOUR_DOMAINNAME_HERE;
    rewrite ^(.*) https://$server_name$request_uri? permanent;

    include "nginx.inc.webmail.conf";
}

Alternately, you can force the use of HTTPS by setting the following option in data/settings/settings.xml file:

<RedirectToHttps>On</RedirectToHttps>

Restart web server

Restart Nginx web server:

sudo /opt/afterlogic/etc/init.d/nginx.rc reconfigure

Configure SMTP server

Supply paths to certificate and key in /opt/afterlogic/etc/exim.cnf file:

tls_certificate= /opt/afterlogic/ssl/certs/server.crt
tls_privatekey= /opt/afterlogic/ssl/certs/server.key

Restart server to apply changes:

/opt/afterlogic/etc/init.d/exim.rc restart

Configure IMAP server

In /opt/afterlogic/etc/dovecot/conf.d/10-ssl.conf file, replace:

ssl = no

with:

ssl = yes

and add the following lines:

ssl_cert = /opt/afterlogic/ssl/certs/server.crt
ssl_key = /opt/afterlogic/ssl/certs/server.key

Restart server to apply changes:

/opt/afterlogic/etc/init.d/dovecot.rc restart