3.7.4 Connecting a certificate to the mail server
Email security and the protection of personal information are very important in today’s world. Using SSL/TLS certificates to encrypt mail traffic ensures confidentiality and protects against data interception during email transmission.
Mail servers Exim4 and Dovecot are popular solutions for organizing mail infrastructure on Linux systems. Exim4 is responsible for sending and routing messages (SMTP), while Dovecot provides access to mailboxes through IMAP/POP3 protocols.
Important: before making changes to the configuration, be sure to create backup copies of standard certificate files and configuration. Make sure You have up-to-date certificate files, certificate chain, and private key.
Prerequisites
To set up a secure connection for Your mail server, You need to order a certificate for the mail domain mail.Domain_Name.com and activate it.
After activation, before installing the SSL certificate, make sure You have successfully passed the validation of the certificate and have the following files “in hand”:
- Certificate. Sent to the administrator’s email after successful validation. Usually named Your_domain.crt.
- Certificate chain. Sent to the administrator’s email after successful validation. Chain names may differ slightly, usually it’s USERTrust_RSA_Certification_Authority or CA_Bundle. Sometimes the chain may come as two files, for example Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt and USERTrust_RSA_Certification_Authority.crt. In this case, the actual chain is the content of these two files added together, in that exact order.
- Secret (private) key. Generated together with CSR, during the ordering or SSL generation stage. This is confidential information that is strictly forbidden to share with third parties.
Question: where can I find the secret (private) key of my SSL certificate ordered from TheHost?
If the SSL certificate was ordered from us, You can find the secret key in the billing panel, in the SSL certificates section. Select the desired certificate with a mouse click and press Edit in the top right. In one of the sections of the pop-up window, You will be able to see the secret key:

Configuring SSL/TLS for Exim4
Information: certificate files may have a different path, You can check this in the configuration file /etc/exim4/exim4.conf.template.
The path to certificate files is contained in the lines:
tls_certificate = /etc/exim4/ssl/exim.crt
tls_privatekey = /etc/exim4/ssl/exim.key
1. On Your server, switch to the root user and, in the File Manager, navigate to the certificates directory /etc/exim4/ssl.
2. Find the certificate file /etc/exim4/ssl/exim.crt and replace the standard content with Your purchased SSL files. Paste the contents of the certificate file first, immediately followed by the contents of the chain file. Avoid extra spaces at the end or beginning.

After this, open the private key file /etc/exim4/ssl/exim.key and replace the content with Your private key file.

3. Restart the Exim4 service from the control panel or via SSH.
Configuration for Dovecot
Information: certificate files may have a different path, You can check this in the configuration file /etc/dovecot/conf.d/10-ssl.conf.
The path to certificate files is contained in the lines below (the leading < tells Dovecot to read the value from that file):
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
1. For Dovecot, You need to configure the certificate file /etc/ssl/certs/dovecot.pem and private key /etc/ssl/private/dovecot.pem.
2. Replace the certificate content in the file /etc/ssl/certs/dovecot.pem with Your purchased SSL files. Paste the contents of the certificate file first, immediately followed by the contents of the chain file. Avoid extra spaces at the end or beginning.

After this, open the private key file /etc/ssl/private/dovecot.pem and replace the content with Your private key file.

3. Restart the Dovecot service from the control panel or via SSH.
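The file preparation described in step 2 for both Exim4 and Dovecot can be done over SSH instead of by pasting. The script below is an added example, not TheHost's own tooling: it joins the certificate and chain in the required order, strips stray whitespace, and confirms that the private key belongs to the first certificate in the result. The function names and the key file name Your_domain.key are assumptions.

```shell
#!/bin/sh
# Added example: helper functions for preparing the combined certificate file.

# build_bundle OUT LEAF CHAIN...
# Write the PEM files to OUT in the order given (certificate first, then
# chain), removing CRs, blank lines and leading/trailing whitespace.
build_bundle() {
    out=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" ||
            { echo "$f holds no PEM certificate" >&2; return 1; }
    done
    # awk ends every record with a newline, so a file without a final
    # newline cannot fuse its END line with the next file's BEGIN line.
    awk '{ gsub(/^[ \t\r]+|[ \t\r]+$/, ""); if (length($0)) print }' "$@" > "$out"
}

# cert_count FILE: number of certificates in a PEM file.
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# key_matches_cert BUNDLE KEY
# openssl x509 reads only the first certificate in BUNDLE, so this also
# fails when the chain was placed ahead of the server certificate.
# An encrypted key is rejected (empty passphrase) instead of prompting.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage, with the two-file chain named on this page (Your_domain.key is assumed):
#   build_bundle /tmp/mail.crt Your_domain.crt \
#       Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt \
#       USERTrust_RSA_Certification_Authority.crt
#   key_matches_cert /tmp/mail.crt Your_domain.key && echo "key matches"
# Only then copy /tmp/mail.crt and the key over the files listed above.
```

Running the key check before restarting the service catches a mismatched key or a misordered bundle while the old files are still in place.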
Checking the Settings
Information: after configuration, it is recommended to check:
- Functionality of sending emails through SMTP with encryption.
- Ability to connect to IMAP/POP3 through secure connection.
- Certificate validity using specialized tools.
Checking SSL/TLS Connection
- Checking Exim4 certificate (SMTP) with STARTTLS support:
The expected response should contain information about the certificate and the SSL/TLS connection:
CONNECTED(00000003)
depth=2 ...
verify return:1
---
Certificate chain
...
SSL handshake has read ... bytes and written ... bytes
---
New, TLSv1.2, Cipher is ...
- Checking Dovecot certificate (IMAP) with STARTTLS support:
The expected response should also contain details about the SSL/TLS connection:
CONNECTED(00000003)
depth=2 ...
verify return:1
---
Certificate chain
...
SSL handshake has read ... bytes and written ... bytes
---
New, TLSv1.2, Cipher is ...
In both cases, a successful connection confirms that SSL/TLS is working correctly on the mail server.
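An added example, not part of the original page: one way to run both checks with openssl s_client and reduce the response to the negotiated protocol and the chain verification code. Ports 25 and 143 are the standard SMTP and IMAP ports and are assumed here, as are the function names.

```shell
#!/bin/sh
# Added example: STARTTLS probe plus a summary of the s_client response.

# tls_probe HOST PORT PROTO   (PROTO is smtp or imap)
# Performs the STARTTLS upgrade and prints the full s_client output.
tls_probe() {
    openssl s_client -connect "$1:$2" -starttls "$3" -servername "$1" </dev/null 2>&1
}

# summarize_handshake: reads s_client output on stdin and prints
# "<protocol> <verify code>". Exit status: 0 when the chain verified
# (code 0), 1 for any other code, 2 when the handshake lines are missing.
# Code 21 (unable to verify the first certificate) is what a client
# reports when the chain was not appended after the certificate.
summarize_handshake() {
    awk '
        /^New, /              { split($2, p, ","); proto = p[1] }
        /Verify return code:/ { for (i = 1; i < NF; i++)
                                    if ($i == "code:") code = $(i + 1) }
        END {
            if (proto == "" || code == "") exit 2
            print proto, code
            exit (code != 0)
        }'
}

# Usage (assumed ports; Exim4 may also offer STARTTLS on 587):
#   tls_probe mail.Domain_Name.com 25  smtp | summarize_handshake
#   tls_probe mail.Domain_Name.com 143 imap | summarize_handshake
```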
Checking Logs
You can view Exim4 logs using an SSH command or through the file manager.
Important: due to web interface limitations of the file manager, large log files may not open completely. We recommend downloading them to Your local computer and viewing them using a text editor.