This documentation page describes enabling SSL for the Nginx web server and for the Exim and Dovecot mail server software. This software combination is used by MailSuite Pro.
To provide secure access to the web interface of the product installation, you need to reconfigure Nginx.
This article also covers configuring SSL at the mail server level: Exim and Dovecot need to be set up to use SSL.
We use EFF's Certbot to deploy Let's Encrypt certificates:
sudo apt install certbot python3-certbot-nginx -y
Requesting the certificate:
sudo certbot certonly --nginx --webroot-path=/opt/afterlogic/html -d YOUR_DOMAINNAME_HERE
From here on, you need to replace YOUR_DOMAINNAME_HERE with the domain name you use. All the commands are to be run as superuser (root), with sudo prepended if necessary.
Configuring Nginx
Create the /etc/nginx/sites-available/afterlogic-webmail-ssl file with the following content:
server {
    listen 80;
    server_name YOUR_DOMAINNAME_HERE;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name YOUR_DOMAINNAME_HERE;
    root /opt/afterlogic/html;
    index index.php index.html index.htm;
    location ~ \.(php|phar)(/.*)?$ {
        fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$;
        fastcgi_intercept_errors on;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-fpm;
    }
    location ^~ /data/ { deny all; }
    ssl_certificate /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem;
}
Run the following commands to apply changes:
ln -s /etc/nginx/sites-available/afterlogic-webmail-ssl /etc/nginx/sites-enabled/
service nginx restart
Configuring Exim
In the /etc/exim4/exim4.conf file, uncomment the following lines:
tls_advertise_hosts = *
tls_on_connect_ports = 465
Uncomment the following lines and supply the updated paths to certificate files:
tls_certificate=/opt/afterlogic/etc/ssl-certs/fullchain.pem
tls_verify_certificates=/opt/afterlogic/etc/ssl-certs/fullchain.pem
tls_privatekey=/opt/afterlogic/etc/ssl-certs/privkey.pem
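While Nginx and Dovecot work correctly with symlinks to certificate files, Exim has known issues with that. To work around that, we'll be using Certbot's deploy hooks, which run after each successful renewal. The files under /etc/letsencrypt/live/ are symlinks, so the script uses cp -L to copy the files they point to. In the /etc/letsencrypt/renewal-hooks/deploy/ directory, create a script called, for example, clone.sh with the following content: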
#!/bin/bash
cp -L /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem /opt/afterlogic/etc/ssl-certs/
cp -L /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/privkey.pem /opt/afterlogic/etc/ssl-certs/
chown afterlogic:afterlogic -R /opt/afterlogic/etc/ssl-certs/
Create the /opt/afterlogic/etc/ssl-certs/ directory if it doesn't exist yet, make the script executable, run it and restart Exim:
mkdir -p /opt/afterlogic/etc/ssl-certs/
chmod a+x /etc/letsencrypt/renewal-hooks/deploy/clone.sh
/etc/letsencrypt/renewal-hooks/deploy/clone.sh
service exim4 restart
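Because Exim reads copies rather than the live files, a deploy hook that silently fails leaves Exim serving an old certificate. The following check is an added example, not part of the original documentation or of MailSuite Pro: it reports a missing or stale copy, a wrong owner, and a private key readable by group or others. The function name check_exim_certs and its three arguments are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original documentation.
# check_exim_certs LIVE_DIR COPY_DIR OWNER   (hypothetical helper name)
# Verifies the certificate copies that clone.sh maintains for Exim.
# Assumes GNU coreutils stat (Debian/Ubuntu, as used on this page).

check_exim_certs() (
    live_dir=$1; copy_dir=$2; owner=$3; rc=0

    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$copy_dir/$f" ]; then
            echo "MISSING: $copy_dir/$f"; rc=1
            continue
        fi
        # cmp follows the symlinks in live/, so real file contents are compared.
        # A mismatch means the deploy hook did not run after the last renewal.
        if ! cmp -s "$live_dir/$f" "$copy_dir/$f"; then
            echo "STALE: $copy_dir/$f differs from $live_dir/$f"; rc=1
        fi
        # clone.sh chowns the copies; confirm that the change took effect.
        actual=$(stat -c '%U' "$copy_dir/$f")
        if [ "$actual" != "$owner" ]; then
            echo "OWNER: $copy_dir/$f is owned by $actual, expected $owner"; rc=1
        fi
    done

    # The private key copy must not be accessible to group or others.
    if [ -f "$copy_dir/privkey.pem" ]; then
        mode=$(stat -c '%a' "$copy_dir/privkey.pem")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "PERMS: $copy_dir/privkey.pem has mode $mode, expected 600"; rc=1
        fi
    fi

    [ "$rc" -eq 0 ]
)

# Run as a script with the page's paths, for example:
#   ./check.sh /etc/letsencrypt/live/YOUR_DOMAINNAME_HERE /opt/afterlogic/etc/ssl-certs afterlogic
[ "$#" -eq 0 ] || check_exim_certs "$@"
```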
Configuring Dovecot
Modify the /etc/dovecot/conf.d/10-ssl.conf file as follows:
ssl = yes
ssl_cert = </etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/fullchain.pem
ssl_key = </etc/letsencrypt/live/YOUR_DOMAINNAME_HERE/privkey.pem
Apply changes:
service dovecot restart