Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » internet » mail » mailcleaner_ssl
Trace: exchange_list_users exchange_find_alias exchange_shared_mbx exchange_disclaimer mailcleaner_ssl
internet:mail:mailcleaner_ssl

This is an old revision of the document!

Table of Contents

MailCleaner LetsEncrypt Free SSL

https://letsencrypt.org/

Install certbot

:!: MailCleaner may use a very old Debian base OS that has no certbot package. 

wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto

Single Server

Follow this howto:

https://opensource.com/article/20/6/secure-open-source-antispam

MailCleaner Cluster

MailCleaner clusters treat SSL certificates as a cluster resource synchronized to all cluster servers. This means you need a wildcard SSL certificate for a MailCleaner cluster.
LetsEncrypt wildcard SSL certificates require you use a DNS-01 challenge.

https://letsencrypt.org/docs/challenge-types/

DNS-01 Howto

FIXME Needs verification!

Scripts

You will need to create a couple of scripts.

The set-certificate.pl script is used to apply the LE cert after it is acquired. 

wget https://gist.github.com/victorlclopes/f5aa081f1a9c76466aaf3f3dc5bd60b7/raw/c97a1400bb30e4439622b089f146b8cb8dc886b7/set-certificate.pl -O /usr/local/bin/set-certificate.pl
chmod +x /usr/local/bin/set-certificate.pl

The deploylecert.sh script must be edited and is called from cron during certificate renewals. It just calls the generic set-certificate.pl script with your details. 

cat << EOF > /usr/local/bin/deploylecert.sh
#!/bin/sh
#
/usr/local/bin/set-certificate.pl --set_web --set_mta_in --set_mta_out \
 --key /etc/letsencrypt/live/yourtopleveldomain.tld/privkey.pem \
 --data /etc/letsencrypt/live/yourtopleveldomain.tld/cert.pem \
 --chain /etc/letsencrypt/live/yourtopleveldomain.tld/chain.pem
EOF
chmod +x /usr/local/bin/deploylecert.sh

Get the Certificate

:!: We use the manual plugin and the DNS-01 challenge.

Use staging servers for testing without limits: 

certbot-auto certonly --manual --preferred-challenges dns \
 --email you@youremailaddress.tld --no-eff-email --agree-tos --staging \
 --debug-challenges -d \*.yourtopleveldomain.tld -d yourtopleveldomain.tld

Use primary servers (not staging) to get the actual cert: 

certbot-auto certonly --manual --preferred-challenges dns \
 --email you@youremailaddress.tld --no-eff-email --agree-tos \
 --debug-challenges -d \*.yourtopleveldomain.tld -d yourtopleveldomain.tld \
 --pre-hook "/usr/mailcleaner/etc/init.d/apache stop" \
 --post-hook "/usr/mailcleaner/etc/init.d/apache start"
You will have to add a DNS TXT record for each domain specified, two in this case. Wait for enough time for your DNS TXT records to populate on all your DNS servers. I'd wait a full minute or more before continuing.

List the Certificate

ls /etc/letsencrypt/live/yourtopleveldomain.tld/

Install the Certificate

This command installs the new cert for MailCleaner (HTTPS and SMTP STARTTLS): 

/usr/local/bin/set-certificate.pl --set_web --set_mta_in --set_mta_out \
 --key /etc/letsencrypt/live/yourtopleveldomain.tld/privkey.pem \
 --data /etc/letsencrypt/live/yourtopleveldomain.tld/cert.pem \
 --chain /etc/letsencrypt/live/yourtopleveldomain.tld/chain.pem

Renew the Certificate

We don't use the certbot renew function because it doesn't work with DNS-01 (manual).
We must either renew manually, adding a new _acme-challenge TXT record each time, or use a DNS provider with a supported API.
Use exactly the same domain names as when the original cert was created or another cert will be created instead of renewing the existing one.
–keep will not renew the cert until it has 30 days or less to expire (i.e. after 60 days)
–force-renewal will force the renewal and is subject to rate limitations

Check and renew cert if it has less than 30 days until expiry:

FIXME 

/usr/local/bin/certbot-auto certonly --manual --keep --manual-public-ip-logging-ok --preferred-challenges=dns -d 'yourtopleveldomain.tld,*.yourtopleveldomain.tld' --deploy-hook /usr/local/bin/deploylecert.sh

Force cert renewal: 

/usr/local/bin/certbot-auto certonly --manual --force-renewal --manual-public-ip-logging-ok --preferred-challenges=dns -d 'yourtopleveldomain.tld,*.yourtopleveldomain.tld' --deploy-hook /usr/local/bin/deploylecert.sh

Once the cert is installed and tested on the master MailCleaner server, sync the SSL cert to the MailCleaner slaves. Do this at the slave. This command runs nightly anyway, so if your current cert has not expired, you can omit this step for now. 

/root/Updater4MC/updater4mc.sh

Cron

Schedule a nightly renewal check every Sunday at 2:00am: 

crontab -e

Append this line: 

0 2 * * 7 /usr/local/bin/certbot-auto certonly --manual --keep --manual-public-ip-logging-ok --preferred-challenges=dns -d 'yourtopleveldomain.tld,*.yourtopleveldomain.tld' --deploy-hook /usr/local/bin/deploylecert.sh

Testing

Test the HTTPS cert from most any Linux machine: 

openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:443 -servername mailcleanermaster.yourtopleveldomain.tld < /dev/null

Test the inbound SMTP cert: 

openssl s_client -connect mailcleanermaster.yourtopleveldomain.tld:25 -starttls smtp < /dev/null

Helpful Commands

See also certbot User Guide

List LE certificates: 

certbot-auto certificates

Delete a cert you don't need: 

certbot delete --cert-name certname.yourtopleveldomain.tld
internet/mail/mailcleaner_ssl.1623961848.txt.gz · Last modified: 2021/06/17 14:30 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki