VestaCP exim4 and dovecot mail domains automation

In VestaCP, in order to automate having correct STARTTLS/SSL certificates for all domains, and to let Thunderbird autoconfiguration and other mail clients pick up the mail settings without warnings or errors, we need to enable the wildcard * for our domains, so Let's Encrypt can issue a wildcard certificate and we avoid creating a new website for smtp.domain.com, mail.domain.com and pop.domain.com one by one, or adding these subdomains as aliases of the website.
[ Note that I moved to HestiaCP, which is a fork of VestaCP and partly takes care of this out of the box. ]
But first, both dovecot and exim4 need to be reconfigured to work for all of your domains, assuming you host more than one domain that uses the mail server.
If you are on a fresh VestaCP install, go to step 2.
Step 1. Edit the exim4 config.
Run:
sudo nano /etc/exim4/exim4.conf.template
and change the old tls_certificate / tls_privatekey lines to look like this:
tls_advertise_hosts = *
tls_certificate = ${if exists{/etc/mailcerts/ssl.${tls_sni}.crt}{/etc/mailcerts/ssl.${tls_sni}.crt}{/usr/local/vesta/ssl/certificate.crt}}
tls_privatekey = ${if exists{/etc/mailcerts/ssl.${tls_sni}.key}{/etc/mailcerts/ssl.${tls_sni}.key}{/usr/local/vesta/ssl/certificate.key}}
The fallback paths, /usr/local/vesta/ssl/certificate.crt and certificate.key, are whatever you had as the ‘default’ certificate before. If you never touched the exim4 config, just ignore this step, don't edit it at all, and follow step 2.
Step 2: Edit the VestaCP SSL script:
nano /usr/local/vesta/bin/v-add-web-domain-ssl
Find the place where the cp -f lines end and insert the following code:
# Make it easy for exim/dovecot: the same replacement as in step 1, applied to the live template
line_old='tls_certificate = /usr/local/vesta/ssl/certificate.crt'
line_new='tls_certificate = ${if exists{/etc/mailcerts/ssl.${tls_sni}.crt}{/etc/mailcerts/ssl.${tls_sni}.crt}{/usr/local/vesta/ssl/certificate.crt}}'
sed -i "s%$line_old%$line_new%g" /etc/exim4/exim4.conf.template
line_old='tls_privatekey = /usr/local/vesta/ssl/certificate.key'
line_new='tls_privatekey = ${if exists{/etc/mailcerts/ssl.${tls_sni}.key}{/etc/mailcerts/ssl.${tls_sni}.key}{/usr/local/vesta/ssl/certificate.key}}'
sed -i "s%$line_old%$line_new%g" /etc/exim4/exim4.conf.template
mkdir -p /etc/mailcerts
chmod 750 /etc/mailcerts
cp -f $HOMEDIR/$user/conf/web/ssl.$domain.key /etc/mailcerts/ssl.$domain.key
# rebuild the certificate file: leaf certificate followed by the chain (-f so the first run does not fail)
rm -f /etc/mailcerts/ssl.$domain.crt
cat $HOMEDIR/$user/conf/web/ssl.$domain.crt $HOMEDIR/$user/conf/web/ssl.$domain.pem > /etc/mailcerts/ssl.$domain.crt
# imap/smtp/mail symbolic links (-f so a renewal overwrites the existing links)
ln -sf /etc/mailcerts/ssl.$domain.key /etc/mailcerts/ssl.imap.$domain.key
ln -sf /etc/mailcerts/ssl.$domain.crt /etc/mailcerts/ssl.imap.$domain.crt
ln -sf /etc/mailcerts/ssl.$domain.key /etc/mailcerts/ssl.smtp.$domain.key
ln -sf /etc/mailcerts/ssl.$domain.crt /etc/mailcerts/ssl.smtp.$domain.crt
ln -sf /etc/mailcerts/ssl.$domain.key /etc/mailcerts/ssl.mail.$domain.key
ln -sf /etc/mailcerts/ssl.$domain.crt /etc/mailcerts/ssl.mail.$domain.crt
chown Debian-exim:Debian-exim /etc/mailcerts
chown Debian-exim:Debian-exim /etc/mailcerts/*
# certificates are public, private keys must not be world-readable
# (exim reads them as Debian-exim, dovecot reads them as root)
chmod 644 /etc/mailcerts/*.crt
chmod 640 /etc/mailcerts/*.key
# update dovecot, but only once per domain so a re-run on renewal does not duplicate the blocks
if [ -f "/etc/mailcerts/ssl.$domain.crt" ] && ! grep -qF "local_name $domain {" /etc/dovecot/dovecot.conf; then
  echo "# $domain + imap. added by vesta " >> /etc/dovecot/dovecot.conf
  echo "local_name $domain {" >> /etc/dovecot/dovecot.conf
  echo " ssl_cert = </etc/mailcerts/ssl.$domain.crt" >> /etc/dovecot/dovecot.conf
  echo " ssl_key = </etc/mailcerts/ssl.$domain.key" >> /etc/dovecot/dovecot.conf
  echo "}" >> /etc/dovecot/dovecot.conf
  echo "local_name imap.$domain {" >> /etc/dovecot/dovecot.conf
  echo " ssl_cert = </etc/mailcerts/ssl.imap.$domain.crt" >> /etc/dovecot/dovecot.conf
  echo " ssl_key = </etc/mailcerts/ssl.imap.$domain.key" >> /etc/dovecot/dovecot.conf
  echo "}" >> /etc/dovecot/dovecot.conf
  echo "# end domain " >> /etc/dovecot/dovecot.conf
fi
service dovecot restart
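Two things about the block above are worth guarding against: v-add-web-domain-ssl runs again on every certificate renewal, so the local_name stanzas get appended again unless something checks for them, and a symbolic link that points at a file which was never created is only noticed when dovecot refuses to reload. The following script is an added example, not part of the post or of VestaCP; it renders the same local_name stanzas idempotently and refuses a name whose certificate or key does not resolve to a real, non-empty file. CERT_DIR and DOVECOT_CONF are assumptions that default to the post's paths and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not part of the post or of VestaCP: append the dovecot
# local_name blocks from the script above, but only once per name, and only
# when the cert/key path each block references resolves to a real file, so a
# dangling symlink cannot silently break the IMAP/POP listener.
# Assumptions: CERT_DIR and DOVECOT_CONF default to the post's paths and can
# be overridden through the environment.

CERT_DIR="${CERT_DIR:-/etc/mailcerts}"
DOVECOT_CONF="${DOVECOT_CONF:-/etc/dovecot/dovecot.conf}"

# Print one local_name block for NAME (dovecot reads "<path" as "contents of path").
render_local_name() {
    printf 'local_name %s {\n' "$1"
    printf '  ssl_cert = <%s/ssl.%s.crt\n' "$CERT_DIR" "$1"
    printf '  ssl_key = <%s/ssl.%s.key\n' "$CERT_DIR" "$1"
    printf '}\n'
}

# True when both files for NAME exist and are non-empty. -s follows symlinks,
# so a link to a file that was never created fails here instead of in dovecot.
cert_pair_ok() {
    [ -s "$CERT_DIR/ssl.$1.crt" ] && [ -s "$CERT_DIR/ssl.$1.key" ]
}

# Add blocks for DOMAIN and the client-facing names, skipping names whose
# block already exists so a re-run on certificate renewal does not duplicate
# them. Prints the number of blocks added.
add_dovecot_domain() {
    domain="$1"; added=0
    for name in "$domain" "imap.$domain" "mail.$domain"; do
        if ! cert_pair_ok "$name"; then
            echo "skip $name: cert/key missing or dangling in $CERT_DIR" >&2
            continue
        fi
        if grep -qF "local_name $name {" "$DOVECOT_CONF" 2>/dev/null; then
            continue
        fi
        {
            echo "# $name added by the mailcerts script"
            render_local_name "$name"
        } >> "$DOVECOT_CONF"
        added=$((added + 1))
    done
    echo "$added"
}

# Usage from the VestaCP script: pass the domain as the first argument and
# restart dovecot only when something was actually added.
if [ -n "${1:-}" ]; then
    [ "$(add_dovecot_domain "$1")" -gt 0 ] && service dovecot restart
fi
```

Calling add_dovecot_domain a second time for the same domain adds nothing, and a name whose link points nowhere is reported on stderr and left out of dovecot.conf rather than being written and discovered at restart time.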
By now we have prepared the configuration, but there are no certificates yet for subdomains such as imap.domain.tld or mail.domain.tld, or whatever names the generic mail clients try during autoconfiguration, so we need to issue these certificates.
Alternatively, we can add the mail hostnames of interest as aliases of the website, so the certificate we get will cover them; see the screenshot.

We can do that once we are sure there are A records for each subdomain, or that:

Now, after you have made sure that you got the certificates and they work okay, and that you can open www., imap. or mail.domain.com in a browser over https without problems, you are on the right track to add STARTTLS/SSL support on the mail clients.
If you want to add just a wildcard, insert *.domain.com in the aliases, then go into DNS and add an A record pointing to the server's IP, typing the * symbol instead of a subdomain.
At the very least, check that they work okay:
testing dovecot: openssl s_client -showcerts -connect 127.0.0.1:995 -servername imap.domain.com
testing exim4:   openssl s_client -connect 127.0.0.1:25 -starttls smtp -servername smtp.domain.com
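The two openssl commands above show which certificate each service presents, but you still have to read the output and decide whether the name you asked for is covered. The following script is an added example, not from the post; it automates that decision for a list of mail hostnames and applies the usual wildcard rule, which matters if you used the *.domain.com alias: a wildcard covers imap.domain.com or smtp.domain.com but neither domain.com itself nor a deeper name such as a.b.domain.com. It assumes openssl is installed; MAIL_HOST and the hostnames passed on the command line are placeholders for your own server.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the certificate
# a mail service presents for an SNI name really covers that name.
# Assumptions: openssl is installed; MAIL_HOST and the names passed on the
# command line are placeholders for your own server and mail hostnames.

# Does a single dNSName SAN entry cover a host? Implements the usual
# wildcard rule: "*.example.com" matches "imap.example.com" but neither
# "example.com" itself nor "a.b.example.com" (exactly one extra label).
san_covers_host() {
    s_name="$1"; s_host="$2"
    case "$s_name" in
        "$s_host") return 0 ;;
        \*.*)
            s_suffix="${s_name#\*.}"
            case "$s_host" in
                *.$s_suffix)
                    s_label="${s_host%.$s_suffix}"
                    case "$s_label" in
                        ""|*.*) return 1 ;;
                        *)      return 0 ;;
                    esac
                    ;;
            esac
            ;;
    esac
    return 1
}

# SAN_LIST is the line openssl prints, e.g. "DNS:example.com, DNS:*.example.com".
# Returns 0 if any DNS entry covers the host; IP/email entries are ignored.
cert_covers_host() {
    c_list="$1"; c_host="$2"; c_rc=1
    set -f                    # keep the shell from globbing "*.example.com"
    IFS=', '
    for c_entry in $c_list; do
        case "$c_entry" in
            DNS:*) if san_covers_host "${c_entry#DNS:}" "$c_host"; then c_rc=0; break; fi ;;
        esac
    done
    unset IFS; set +f
    return $c_rc
}

# Fetch the SAN line of the certificate HOST:PORT presents for the SNI name
# and check it. 25/587 use STARTTLS as in the post's exim test; 993/995 are
# implicit TLS.
mail_tls_check() {
    m_host="$1"; m_port="$2"; m_sni="$3"
    case "$m_port" in 25|587) m_starttls="-starttls smtp" ;; *) m_starttls="" ;; esac
    m_sans=$(openssl s_client -connect "$m_host:$m_port" $m_starttls -servername "$m_sni" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1)
    if cert_covers_host "$m_sans" "$m_sni"; then
        echo "OK   $m_sni on $m_host:$m_port"
    else
        echo "FAIL $m_sni on $m_host:$m_port (SAN:${m_sans:- none})"
        return 1
    fi
}

# Usage: MAIL_HOST=127.0.0.1 sh mailtls-check.sh imap.domain.com smtp.domain.com
if [ -n "${MAIL_HOST:-}" ]; then
    status=0
    for name in "$@"; do
        mail_tls_check "$MAIL_HOST" 995 "$name" || status=1
        mail_tls_check "$MAIL_HOST" 25  "$name" || status=1
    done
    exit $status
fi
```

A FAIL for a name that exists in DNS usually means one of two things: the symlink for that name is missing under /etc/mailcerts, so exim or dovecot fell back to the default VestaCP certificate, or the certificate was issued for the bare domain only and the wildcard alias was never added.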
