Using Letsencrypt certificate

Problems/questions regarding the MailCleaner configuration

Moderators: FlorianB, Pascal, bourgeois, mentor

JimD
Posts: 1
Joined: Sun Apr 03, 2016 2:39 pm
How did you hear about Mailcleaner: internet search

Using Letsencrypt certificate

Postby JimD » Thu Dec 29, 2016 4:54 pm

Hello.
We have Mailcleaner running on a virtual machine, and relaying emails to our mail server.
We used to buy wildcard certificates for our domains, and were using them to enable SSL in Mailcleaner too. We are now moving to Letsencrypt SSL certificates, which do not allow wildcards, and are issued for 3 months only.
I know how to manually introduce the certificate via the admin interface, but I would like to know if there is a way to set up Mailcleaner so it automatically uses the last certificate (avoiding manual input).
Does anybody know how to use Mailcleaner and Letsencrypt?

Thanks
JM
gadago
Posts: 17
Joined: Sat Feb 06, 2010 4:08 pm
How did you hear about Mailcleaner: work

Re: Using Letsencrypt certificate

Postby gadago » Mon Jan 02, 2017 12:18 pm

Hi Jim,

We are using Letsencrypt with MailCleaner.

Most of the standard LE clients seem to need a newer version of python to run, which MailCleaner doesn't have at the moment.

So, we used https://github.com/srvrco/getssl

It runs periodically on a different machine and copies the acme-challenge onto the primary mailcleaner to /opt/mailcleaner/www/user/htdocs/.well-known/acme-challenge

I then wrote a basic php script to update the certificates in the mailcleaner MySQL database for both http and mysql. Finally, restart the mailcleaner http and smtp services.

Hope this helps. PM me if you would like the php script I created.

Kind regards,
Gavin
jeff
Posts: 38
Joined: Fri Sep 22, 2006 6:57 am
Location: Milwaukee, WI, USA

Re: Using Letsencrypt certificate

Postby jeff » Fri Feb 03, 2017 5:37 pm

I'd be interested in any type of scripting that anyone is using to get letsencrypt working, even in a semi-automatic way, with Mailcleaner.
Thanks,
Jeff
cercamon
Posts: 1
Joined: Fri May 19, 2017 8:37 am
How did you hear about Mailcleaner: googling around
Location: Switzerland

Re: Using Letsencrypt certificate

Postby cercamon » Fri May 19, 2017 10:49 am

+1

Quite impossible to use certbot-auto.
So far I've been using https://gethttpsforfree.com which is ok, but quite hard to repeat every 3 months.
Thus every automated or semi-automated procedure to use LetsEncrypt on MC 2014 Server is very welcome.
FlorianB
Posts: 269
Joined: Wed Apr 01, 2015 2:27 pm
How did you hear about Mailcleaner: job

Re: Using Letsencrypt certificate

Postby FlorianB » Fri May 26, 2017 12:42 pm

Hello,
After the release of the new version, we have some plans to support Let's Encrypt certificates too. It will certainly not be ready soon, but it will be done.
Regards,
Florian
derdanilo
Posts: 34
Joined: Tue Jun 21, 2016 12:16 pm
How did you hear about Mailcleaner: Search

Re: Using Letsencrypt certificate

Postby derdanilo » Tue Oct 10, 2017 6:16 pm

gadago wrote:I then wrote a basic php script to update the certificates in the mailcleaner MySQL database for both http and mysql. Finally, restart the mailcleaner http and smtp services.
Hope this helps. PM me if you would like the php script I created.

Would you be so kind as to post your script or a link to github or something so others can have access to the script as well? :)
Thanks!
madhopsman
Posts: 28
Joined: Thu Feb 05, 2009 1:32 am

Re: Using Letsencrypt certificate

Postby madhopsman » Wed Dec 13, 2017 11:34 pm

I've been looking into this as well. I was able to successfully replace the Apache SSL (externally generated and pushed via sFTP as PEM files, and changed the mailcleaner.conf_template under apache/sites) but this doesn't replace the certificate being used by EXIM. Can anyone point to the EXIM config line that defines the certificate and key path?

Update: I THINK I may have it resolved. I changed the path on the following variables:
tls_certificate = /path/to/certificate pem
tls_privatekey = /path/to/private key

in the following files located under /usr/mailcleaner/etc/exim:
exim_stage1.conf_template
exim_stage2.conf_template
exim_stage4.conf_template
kranzfr3d
Posts: 18
Joined: Sat Nov 18, 2017 10:16 pm
How did you hear about Mailcleaner: informing

Re: Using Letsencrypt certificate

Postby kranzfr3d » Tue Dec 19, 2017 12:58 pm

madhopsman wrote:mailcleaner.conf_template under apache/sites)
tls_certificate = /path/to/certificate pem
tls_privatekey = /path/to/private key
in the following files located under /usr/mailcleaner/etc/exim:
exim_stage1.conf_template
exim_stage2.conf_template
exim_stage4.conf_template


Hello madhopsman, hello everyone,

in MC2017 I cannot find the paths you mentioned.
I'm going to "inject" my certificates, too - because another server collects my certificates from letsencrypt with a powershell script.
After this, the pfx-file is split into private and public certificates.
But for now I'm stuck - how can I "inject" the certificate(s) into MC2017 on file level, to get them working and displayed successfully here:
Configuration --> SMTP --> TLS/SSL
and here:
Configuration --> Services --> Web interfaces

Please help me to get this working, the manual way does work for now :-)

gr33tz
madhopsman
Posts: 28
Joined: Thu Feb 05, 2009 1:32 am

Re: Using Letsencrypt certificate

Postby madhopsman » Tue Dec 19, 2017 5:11 pm

kranzfr3d wrote:Hello madhopsman, hello everyone,

in MC2017 I cannot find the paths you mentioned.
I'm going to "inject" my certificates, too - because another server collects my certificates from letsencrypt with a powershell script.
After this, the pfx-file is split into private and public certificates.
But for now I'm stuck - how can I "inject" the certificate(s) into MC2017 on file level, to get them working and displayed successfully here:
Configuration --> SMTP --> TLS/SSL
and here:
Configuration --> Services --> Web interfaces

Please help me to get this working, the manual way does work for now :-)

gr33tz

As far as finding the files, the exim templates should be where I mentioned in my post: /usr/mailcleaner/etc/exim. However, if you're not seeing them there, I suggest just doing a simple find to locate:

Code:

find / -name exim_stage1.conf_template


To inject, I basically updated my PowerShell script on my Exchange server to connect via ssh and upload the files using plink. If you are using PowerShell 5.0 (not compatible with Exchange of ANY version), you can use the Posh-SSH modules instead. Push the files to a set location on MC2017 and update the exim and apache mailcleaner templates accordingly.

At this point, I'm not positive the certificates will show correctly in the Web UI by manually changing the template files as my certificate won't be renewing until February.
kranzfr3d
Posts: 18
Joined: Sat Nov 18, 2017 10:16 pm
How did you hear about Mailcleaner: informing

Re: Using Letsencrypt certificate

Postby kranzfr3d » Wed Dec 20, 2017 9:30 pm

Hi,

I must have searched in the wrong folder - the files are stored in "/usr/mailcleaner/etc/exim". Sorry.
But it doesn't work.
I found the variables "tls_certificate" and "tls_privatekey" in files "exim_stage1.conf_template", exim_stage2.conf_template and exim_stage4.conf_template, where I changed them to /usr/mailcleaner/etc/exim/certs/Cert.crt and /usr/mailcleaner/etc/exim/certs/Cert.pkey - and yes, the files were stored there with permissions 755 :!:
EDIT: 777 does not make a difference

Before I rebooted the mc-vm, I changed in webbrowser the certificates to default-cert-values (self signed from installation) here:
Configuration --> SMTP --> TLS/SSL
and here:
Configuration --> Services --> Web interfaces

After the reboot the certificates are self-signed, not my "injected" lets encrypt ones :cry:

Any ideas :?:

gr33tz

EDIT: typo
madhopsman
Posts: 28
Joined: Thu Feb 05, 2009 1:32 am

Re: Using Letsencrypt certificate

Postby madhopsman » Thu Dec 21, 2017 5:26 am

kranzfr3d wrote:Hi,

I must have searched in the wrong folder - the files are stored in "/usr/mailcleaner/etc/exim". Sorry.
But it doesn't work.
I found the variables "tls_certificate" and "tls_privatekey" in files "exim_stage1.conf_template", exim_stage2.conf_template and exim_stage4.conf_template, where I changed them to /usr/mailcleaner/etc/exim/certs/Cert.crt and /usr/mailcleaner/etc/exim/certs/Cert.pkey - and yes, the files were stored there with permissions 755 :!:
EDIT: 777 does not make a difference

Before I rebooted the mc-vm, I changed in webbrowser the certificates to default-cert-values (self signed from installation) here:
Configuration --> SMTP --> TLS/SSL
and here:
Configuration --> Services --> Web interfaces

After the reboot the certificates are self-signed, not my "injected" lets encrypt ones :cry:

Any ideas :?:

gr33tz

EDIT: typo

I'm not sure exactly what you are doing wrong. I just tested again here, by switching the cert files that both Exim and Apache are pointed to, then restarted mailcleaner. Certs replaced for both HTTPS and SMTP SSL. Maybe just DON'T use the GUI? You shouldn't need to with this setup.

Anyhow, I've got everything configured so they all use the same cert+chain and key files. The PowerShell script uploads the certificate files to the location listed below, then restarts the mailcleaner services. Here's the workup of the configs I use:

Certificate file path: /usr/mailcleaner/etc/apache/certs/fullcert.pem <- Certificate and full chain
Certificate key path: /usr/mailcleaner/etc/apache/certs/privkey.pem <- Contains only the private key

/usr/mailcleaner/etc/apache/sites/mailcleaner.conf_template:

Code:

...
    SSLCompression off

    SSLCACertificatePath __SRCDIR__/etc/apache/certs
    SSLCertificateFile __SRCDIR__/etc/apache/certs/fullchain.pem
    SSLCertificateKeyFile __SRCDIR__/etc/apache/certs/privkey.pem
__IFSSLCHAIN__  SSLCertificateChainFile  __SRCDIR__/etc/apache/certs/certificate-chain.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    RewriteEngine On
   ...


/usr/mailcleaner/etc/exim/exim_stage1.conf_template:

Code:

...
local_interfaces = <; ::0 ; 0.0.0.0

__IF__ USETLS
tls_advertise_hosts = *
tls_certificate = /usr/mailcleaner/etc/apache/certs/fullchain.pem
tls_privatekey = /usr/mailcleaner/etc/apache/certs/privkey.pem

tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
openssl_options = +no_sslv2 +no_sslv3
...


/usr/mailcleaner/etc/exim/exim_stage2.conf_template:

Code:

...
smtp_accept_max = 0

__IF__ USETLS
tls_advertise_hosts = *
tls_certificate = /usr/mailcleaner/etc/apache/certs/fullchain.pem
tls_privatekey = /usr/mailcleaner/etc/apache/certs/privkey.pem

tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
openssl_options = +no_sslv2 +no_sslv3
...


/usr/mailcleaner/etc/exim/exim_stage4.conf_template:

Code:

...
timeout_frozen_after = 1h

__IF__ USETLS
tls_advertise_hosts = *
tls_certificate = /usr/mailcleaner/etc/apache/certs/fullchain.pem
tls_privatekey = /usr/mailcleaner/etc/apache/certs/privkey.pem

tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
__ELSE__ USETLS
...


Once you upload the new cert files, simply run the following command:

Code:

/usr/mailcleaner/etc/init.d/mailcleaner restart


Let us know how it goes for you. :D
kranzfr3d
Posts: 18
Joined: Sat Nov 18, 2017 10:16 pm
How did you hear about Mailcleaner: informing

Re: Using Letsencrypt certificate

Postby kranzfr3d » Thu Dec 21, 2017 9:44 am

[EDIT] This post is obsolete, please go here to view the "How-To"

hi madhopsman,
wonderful, thank you for your detailed explanation!
that's exactly what I needed - I ignored the apache configuration.
We're getting closer, I've a very good feeling :mrgreen:

[EDIT]
I got it now for apache - my apache is now up again, after a couple of failures...encoding was wrong and the cert-chain, too. Fixed it with Powershell UTF8 encoding and the right PEM format
My browser recognises the injected LE-cert now but -it is- as you said (for sure): the encoded SSL-certificate displayed in webbrowser differs from the injected certificate - and that's here: "Configuration --> SMTP --> TLS/SSL" and here: "Configuration --> Services --> Web interfaces"

How can I check my "SMTP: TLS/SSL" certificate? (whether it's the right one now?)

gr33tz
Last edited by kranzfr3d on Fri Dec 29, 2017 11:37 am, edited 2 times in total.
madhopsman
Posts: 28
Joined: Thu Feb 05, 2009 1:32 am

Re: Using Letsencrypt certificate

Postby madhopsman » Thu Dec 21, 2017 2:21 pm

kranzfr3d wrote:hi madhopsman,
wonderful, thank you for your detailed explanation!
that's exactly what I needed - I ignored the apache configuration.
We're getting closer, I've a very good feeling :mrgreen:

[EDIT]
I got it now for apache - my apache is now up again, after a couple of failures...encoding was wrong and the cert-chain, too. Fixed it with Powershell UTF8 encoding and the right PEM format
My browser recognises the injected LE-cert now but -it is- as you said (for sure): the encoded SSL-certificate displayed in webbrowser differs from the injected certificate - and that's here: "Configuration --> SMTP --> TLS/SSL" and here: "Configuration --> Services --> Web interfaces"

How can I check my "SMTP: TLS/SSL" certificate? (whether it's the right one now?)

gr33tz

Use OpenSSL (included in most Linux distros). If you want a windows binary, look here. Run the following command where mailserver is your mailcleaner hostname or IP address:

Code:

openssl s_client -connect mailserver:25 -starttls smtp


If you're not using port 25 for whatever reason, change that to the correct port.

Once it connects, copy the encoded certificate that is displayed (everything between the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" and save to a text file on windows. Rename to .cer then just double click it to confirm.

As far as the certificate formatting goes, I didn't have a problem with that. I use the following PowerShell command to export it:

Code:

Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumbprint" -FilePath c:\LetsEncrypt\latestcert.pfx -ChainOption BuildChain -Password $mypwd

Then I used the Windows OpenSSL binary to extract the cert+chain and the key to separate files. But thanks for the heads up for anyone else.
kranzfr3d
Posts: 18
Joined: Sat Nov 18, 2017 10:16 pm
How did you hear about Mailcleaner: informing

Re: Using Letsencrypt certificate

Postby kranzfr3d » Thu Dec 21, 2017 10:31 pm

[EDIT] This post is obsolete, please go here to view the "How-To"

Hi,

ok, something doesn't work :(

if I'm connecting to mailcleaner:

Code:

OpenSSL> s_client -connect mailcleaner.my.externaldomain:25 -starttls smtp
CONNECTED(00000220)
5184:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:827:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 305 bytes and written 342 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1513891295
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
error in s_client
OpenSSL>


if I'm connecting to my exchange:

Code:

OpenSSL> s_client -connect mymx.my.externaldomain:25 -starttls smtp
CONNECTED(00000218)
depth=0 CN = mymx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mymx
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=mymx
   i:/CN=mymx
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDGDCCAgCgAwIBAgIQE1dEcJH2G7FEceevnSgGzzANBgkqhkiG9w0BAQUFADAV
some cert stuff
-----END CERTIFICATE-----
subject=/CN=mymx
issuer=/CN=mymx
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1629 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: someid
    Session-ID-ctx:
    Master-Key: somekey
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1513891438
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 XRDST


So, my MX definitely has a self signed cert, my MC doesn't have a cert, right?
But why? What's wrong? :cry:
I don't think that my MX needs a LE cert, but the MC needs it - and working, right? :)
EDIT: Port 587 same error :-(

My fullcert is built like this:

Code:

-----BEGIN RSA PRIVATE KEY-----
private key stuff
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
my LE cert stuff
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
LE Authority X3 stuff
-----END CERTIFICATE-----

gr33tz
Last edited by kranzfr3d on Fri Dec 29, 2017 11:37 am, edited 2 times in total.
madhopsman
Posts: 28
Joined: Thu Feb 05, 2009 1:32 am

Re: Using Letsencrypt certificate

Postby madhopsman » Thu Dec 21, 2017 10:57 pm

kranzfr3d wrote:Hi,

ok, something doesn't work :(

if I'm connecting to mailcleaner:

Code:

OpenSSL> s_client -connect mailcleaner.my.externaldomain:25 -starttls smtp
CONNECTED(00000220)
5184:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:827:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 305 bytes and written 342 bytes
...


So, my MX definitely has a self signed cert, my MC doesn't have a cert, right?
But why? What's wrong? :cry:
I don't think that my MX needs a LE cert, but the MC needs it - and working, right? :)

gr33tz

My guess is one of the two following reasons:
  • The certificate files are still incorrectly formatted.
  • The path to the certificate files is not correct.

Either way, I would imagine the exim logs should tell you something about the problem. You can find these under "/var/mailcleaner/log/exim_stage*/mainlog" where * is either 1,2 or 4.
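As an added example (not code from the thread or from MailCleaner itself), a POSIX shell script that ties together madhopsman's how-to, his openssl s_client check, and the two guesses in the reply above: it validates the layout of fullchain.pem and privkey.pem, confirms the key belongs to the certificate, restarts MailCleaner, and compares the fingerprint served on port 25 (STARTTLS) and 443 with the file on disk. The certificate paths are madhopsman's; the hostname mailcleaner.example.invalid and the "deploy" argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from MailCleaner. Checks a Let's Encrypt
# PEM pair for the two faults guessed above (wrong layout, wrong path), confirms the
# key belongs to the certificate, restarts MailCleaner as in the how-to, and compares
# what Exim and Apache actually serve with the file on disk. MC_HOST is a placeholder.
CERT_DIR=/usr/mailcleaner/etc/apache/certs
FULLCHAIN="$CERT_DIR/fullchain.pem"   # leaf certificate followed by the chain, no key
PRIVKEY="$CERT_DIR/privkey.pem"       # the private key only
MC_HOST=mailcleaner.example.invalid   # placeholder hostname (assumption)

# Number of PEM blocks in file $1 whose BEGIN line contains $2 (CERTIFICATE, PRIVATE KEY).
pem_count() {
    grep -c -- "^-----BEGIN .*$2-----" "$1" 2>/dev/null || true
}

# Layout check: the chain file holds only certificates, the key file exactly one key.
# A key pasted into the chain file (kranzfr3d's single bundle) is rejected here.
check_bundle_layout() {
    chain="$1"; key="$2"
    [ -r "$chain" ] && [ -r "$key" ] || { echo "cannot read $chain or $key"; return 1; }
    [ "$(pem_count "$chain" CERTIFICATE)" -ge 1 ] || { echo "no certificate in $chain"; return 1; }
    [ "$(pem_count "$chain" 'PRIVATE KEY')" -eq 0 ] || { echo "private key inside $chain"; return 1; }
    [ "$(pem_count "$key" 'PRIVATE KEY')" -eq 1 ] || { echo "$key must hold exactly one key"; return 1; }
    [ "$(pem_count "$key" CERTIFICATE)" -eq 0 ] || { echo "certificate inside $key"; return 1; }
}

# The key must belong to the first certificate in the chain file; comparing the
# public keys works for RSA and ECDSA alike.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# SHA-256 fingerprint of the leaf certificate a live endpoint presents ($1 is host:port);
# $2 is "smtp" for STARTTLS on 25/587, empty for plain TLS on 443.
served_fingerprint() {
    proto=""; [ -n "$2" ] && proto="-starttls $2"
    openssl s_client -connect "$1" -servername "${1%%:*}" $proto </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

if [ "${1:-}" = "deploy" ]; then   # run on the MailCleaner host after uploading both files
    check_bundle_layout "$FULLCHAIN" "$PRIVKEY" || exit 1
    key_matches_cert "$FULLCHAIN" "$PRIVKEY" || { echo "privkey.pem does not match fullchain.pem"; exit 1; }
    [ -z "$(find "$PRIVKEY" -perm -o+r)" ] || echo "warning: $PRIVKEY is world-readable (755/777 is too open)"
    /usr/mailcleaner/etc/init.d/mailcleaner restart
    want=$(openssl x509 -in "$FULLCHAIN" -noout -fingerprint -sha256)
    for ep in "$MC_HOST:25 smtp" "$MC_HOST:443"; do
        set -- $ep                    # split into host:port and the optional STARTTLS protocol
        got=$(served_fingerprint "$1" "${2:-}")
        [ "$got" = "$want" ] && echo "$1: serves the new certificate" \
            || echo "$1: MISMATCH, got '${got:-nothing}'; check /var/mailcleaner/log/exim_stage*/mainlog"
    done
fi
```

An empty "got" on port 25 is the same symptom as the "unknown protocol" output posted earlier: Exim is not offering STARTTLS at all, which points at the template paths rather than the browser-side certificate.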
