We are using Dovecot for IMAP/POP3 (receiving mail) and exim4 for SMTP (sending mail). Both server applications should support TLS so that client-to-server and server-to-server transfers are encrypted. Thus, we first need an SSL/TLS certificate for our mail server domain
mail.liberale-demokraten.de. Please follow these steps to achieve that:
Now, we have obtained a valid SSL/TLS certificate from Let's Encrypt and vesta will automatically update the certificate before expiry. However, we are not done yet. We need to copy the certificates to another location and set the ownership and permissions accordingly. To do so, go through the following steps:
mail.key with the same permissions as for
certificate.key there (just copy, paste and modify)
./v-update-host-certificate in the shell
To provide forward secrecy, we need DH parameters (the EDH cipher suites cannot be negotiated without them), so we first have to generate them. To do so, follow these steps:
openssl dhparam -out /usr/local/vesta/ssl/dhparam.pem 4096
We are done as far as the preparations go. Now we have to configure Dovecot and Exim.
Go to the control panel and enter the server settings at the top of the screen. Now search for dovecot and press the "configure" button. Search for the editable file whose name ends in
ssl.conf and enter the following:
ssl = yes
ssl_cert = </usr/local/vesta/ssl/mail.crt
ssl_key = </usr/local/vesta/ssl/mail.key
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
ssl_dh = </usr/local/vesta/ssl/dhparam.pem
Go to the control panel and enter the server settings at the top of the screen. Now search for exim and press the "configure" button. Then search for "tls_" and modify the settings as follows:
tls_advertise_hosts = *
tls_certificate = /usr/local/vesta/ssl/mail.crt
tls_privatekey = /usr/local/vesta/ssl/mail.key
# tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
tls_dhparam = /usr/local/vesta/ssl/dhparam.pem
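Before restarting the services it is worth checking that the two configurations above actually say what you think they say: that Dovecot refuses anything below TLS 1.2, that every cipher group offers forward secrecy, that Exim references the same certificate, key and DH parameters as Dovecot, and that the copied private key is readable by its owner only. The following Python script is an added example and not part of the original tutorial or of Vesta, Dovecot or Exim; the two embedded configuration strings are constructed copies of the settings shown above, the `audit_*`, `shared_cert_paths` and `key_file_is_private` helpers are hypothetical names, and the permission check uses a throwaway temporary file rather than the real `mail.key`.

```python
import os
import re
import stat
import tempfile

# Constructed sample settings, copied from the Dovecot and Exim snippets on this page.
DOVECOT_SSL_CONF = """\
ssl = yes
ssl_cert = </usr/local/vesta/ssl/mail.crt
ssl_key = </usr/local/vesta/ssl/mail.key
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
ssl_dh = </usr/local/vesta/ssl/dhparam.pem
"""

EXIM_TLS_CONF = """\
tls_advertise_hosts = *
tls_certificate = /usr/local/vesta/ssl/mail.crt
tls_privatekey = /usr/local/vesta/ssl/mail.key
# tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
tls_dhparam = /usr/local/vesta/ssl/dhparam.pem
"""

STRONG_MIN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# OpenSSL cipher-group prefixes that use ephemeral (EC)DH key exchange, i.e. forward secrecy.
PFS_PREFIXES = ("EECDH", "ECDHE", "EDH", "DHE")


def parse_settings(text):
    """Parse 'key = value' lines into (active, commented) dicts.

    Dovecot's '<path' notation means 'read the value from this file'; the
    leading '<' is stripped so the path itself can be compared and inspected."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        target = active
        if line.startswith("#"):
            target = commented
            line = line.lstrip("#").strip()
        m = re.match(r"^([A-Za-z_]+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        target[key] = value[1:] if value.startswith("<") else value
    return active, commented


def audit_dovecot(text):
    """Return a list of findings for a Dovecot ssl.conf snippet (empty = fine)."""
    findings = []
    active, _ = parse_settings(text)
    if active.get("ssl") != "yes":
        findings.append("dovecot: ssl is not enabled")
    if active.get("ssl_min_protocol") not in STRONG_MIN_PROTOCOLS:
        findings.append("dovecot: ssl_min_protocol allows TLS < 1.2")
    if "ssl_dh" not in active:
        findings.append("dovecot: ssl_dh missing, EDH cipher suites cannot be negotiated")
    if active.get("ssl_prefer_server_ciphers") != "yes":
        findings.append("dovecot: server cipher order is not enforced")
    for group in active.get("ssl_cipher_list", "").split(":"):
        if group and not group.startswith(PFS_PREFIXES):
            findings.append("dovecot: cipher group without forward secrecy: " + group)
    return findings


def audit_exim(text):
    """Return a list of findings for the Exim tls_* settings (empty = fine)."""
    findings = []
    active, commented = parse_settings(text)
    if not active.get("tls_advertise_hosts"):
        findings.append("exim: STARTTLS is not advertised")
    for key in ("tls_certificate", "tls_privatekey", "tls_dhparam"):
        if key not in active:
            findings.append("exim: " + key + " missing")
    if "tls_require_ciphers" in commented and "tls_require_ciphers" not in active:
        findings.append("exim: tls_require_ciphers commented out; legacy protocol versions are not explicitly excluded")
    return findings


def shared_cert_paths(dovecot_text, exim_text):
    """True if Dovecot and Exim point at the same certificate and private key files."""
    d, _ = parse_settings(dovecot_text)
    e, _ = parse_settings(exim_text)
    return d.get("ssl_cert") == e.get("tls_certificate") and d.get("ssl_key") == e.get("tls_privatekey")


def key_file_is_private(path):
    """True if the file has no group/other permission bits, i.e. mode 0600 or stricter."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo_key_permissions():
    """Show the check on a throwaway file: world-readable first, then after chmod 600."""
    fd, path = tempfile.mkstemp(suffix=".key")  # constructed stand-in for mail.key
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = key_file_is_private(path)
        os.chmod(path, 0o600)
        after = key_file_is_private(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    print(audit_dovecot(DOVECOT_SSL_CONF), audit_exim(EXIM_TLS_CONF))
    print("same cert/key in both:", shared_cert_paths(DOVECOT_SSL_CONF, EXIM_TLS_CONF))
    print("key private before/after chmod 600:", demo_key_permissions())
```

Run against the page's own settings, the Dovecot audit is clean and the Exim audit reports only that `tls_require_ciphers` is still commented out, which is exactly the remaining decision the text leaves to you. To check the real files, read `/usr/local/vesta/ssl/mail.key` through `key_file_is_private` and feed the live configuration text to the two audit functions.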
Note that exim in Debian is built against GnuTLS by default instead of OpenSSL, so we cannot modify a lot, unfortunately, especially as GnuTLS tends to be buggy. If it works, uncomment the
tls_require_ciphers line, but make sure you test sending and receiving emails afterwards.