This little walkthrough assumes you are using a cert that needs an intermediate certificate. I don't know how to say for sure if you need one or not, but try this without the TLS_TRUSTCERTS bits and see if it works. If not (i.e., if your cert is not accepted by your mail client), try adding the bits you missed.
The easy bit (relatively) is to replace the cert for SMTP. Depending on your MTA you need to replace either /var/qmail/control/servercert.pem or /etc/postfix/postfix_default.pem. 'mv' the existing file out of the way and then use 'vi' to create a new one. Paste your private key followed by your certificate and save. The .pem file should look like this (but with more lines of key where the ... bits are):
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCYFeAgFta7B8eD
...
pZ/OF1TI4tew/CTW8SWIIik=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEtDCCA5ygAwIBAgISESFuFiBSDkFktSUNNJgN861dMA0GCSqGSIb3DQEBBQUA
...
urb3UARrqL8=
-----END CERTIFICATE-----
Next we start on IMAP/POP3. Start by checking the /etc/courier-imap/imapd-ssl and /etc/courier-imap/pop3d-ssl config files to see where TLS_CERTFILE points. Whilst you are there it's worth checking TLS_TRUSTCERTS too. On my install they were next to each other in the file. If TLS_TRUSTCERTS is commented out or has no value, I would suggest setting it to the same path as TLS_CERTFILE but with a cert called trustcerts.pem. If it helps, it was all at around lines 140-160 for me. Remember to check both files or one service will work and the other will remain broken.
Next you need to back up your current .pem files (just in case).
cd /usr/share/courier-imap/
mv imapd.pem imapd.pem.001
mv pop3d.pem pop3d.pem.001
mv trustcerts.pem trustcerts.pem.001
Next create your new .pem file
vi imapd.pem
Paste your private key followed by your certificate so you get something like you did for the SMTP bit above. Save and exit vi.
imapd.pem and pop3d.pem have exactly the same content, so create one and then copy it to the other.
Next you need to add your intermediate certificate. For me this seemed to be the second part of the CA certificate as listed in Plesk's SSL cert control panel. In my example there were 2 certs in there, and it was the second one that worked. So vi trustcerts.pem and paste the cert (including the begin and end tags). Save and exit vi when you are done.
Finally, restart all the services that you have changed. Something like this should do:
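A check worth running before the restart, as an added example that is not part of the original walkthrough: the function below confirms that the private key in a combined .pem matches the certificate and, if a second file is given, that the first certificate in it is the issuer of your certificate. The name check_mail_pem is made up for this example, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# Usage: check_mail_pem /usr/share/courier-imap/imapd.pem \
#                       /usr/share/courier-imap/trustcerts.pem
# Returns 0 and prints "ok" on success, 1 for a malformed file,
# 2 for a key/cert mismatch, 3 for a wrong intermediate.

check_mail_pem() {
    pem=$1
    trust=${2:-}

    # The combined file must hold both a private key and a certificate.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "no private key block in $pem"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block in $pem"; return 1; }

    # The public key derived from the private key must equal the one
    # embedded in the certificate, otherwise the TLS handshake will fail.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) ||
        { echo "cannot parse private key in $pem"; return 1; }
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse certificate in $pem"; return 1; }
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "private key does not match certificate"; return 2; }

    # Optional: the first certificate in the trust file must be the issuer
    # of the server certificate (subject hash equals issuer hash).
    if [ -n "$trust" ]; then
        issuer=$(openssl x509 -in "$pem" -noout -issuer_hash 2>/dev/null) || return 1
        subject=$(openssl x509 -in "$trust" -noout -subject_hash 2>/dev/null) ||
            { echo "cannot parse certificate in $trust"; return 1; }
        [ "$issuer" = "$subject" ] ||
            { echo "$trust is not the issuer of the certificate"; return 3; }
    fi
    echo "ok"
}
```

If the control panel lists two CA certificates, saving each to its own file and passing it as the second argument shows which one is the actual issuer.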
/etc/init.d/xinetd restart
/etc/init.d/courier-imap restart
Test with your choice of mail client configured to use SSL.