Support
Nexi Bloom LLC

  Categories

Backups
9
Basic Level
1
Contentrization
3
Dashboard
1
DataBase
1
DNS
3
Docker Apps
1
Email
13
FTP
1
Install/Upgrade
3
Installation
2
Managing SSL
7
Nexi PanelFeatures
6
Security
5
Support
1
Troubleshooting
11
User
3
Website
7
Website
17
WordPress Manager
6

  Categories

  Support

My Support Tickets
Announcements
Knowledgebase
Downloads
Network Status
Open Ticket

6 – Self-signed SSL error on Outlook/Thunderbird Print

  • 0

After creating an email account in Nexi Panel some users would like to configure their email accounts to third party email clients such as Outlook or Thunderbird.

Both these clients have auto-discover functionality, this functionality will try to automatically configure your email settings so that end-user won’t have to do anything. For example, if on Thunderbird I configure:

  • User: support@Nexi Panel.net
  • Password: <your email password>

Thunderbird may suggest the following settings:

Server hostname: mail.Nexi Panel.net

IMAP Port: 143

Now Thunderbird will be looking for a valid SSL for mail.Nexi Panel.net and if valid SSL is not offered by the server you will get a self-signed SSL error.

How to resolve Self-signed SSL Error

After version v1.9.4 of Nexi Panel, upon website creation, Nexi Panel will create mail.domain.com as a child domain to while creating a website and also issue SSL for it. Then Nexi Panel will add edit /etc/dovecot/dovecot.conf and add the following to the file:

  1. local_name mail.domain.com {
  2. ssl_cert = </etc/letsencrypt/livemail.domain.com/fullchain.pem
  3. ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem
  4. }
 

and then restart dovecot service using systemctl restart dovecot. This way there will be no SSL errors on either Outlook or Thunderbird.

Manually setting this up

Let say you are on some of the old versions of Nexi Panel or you have already created a website before upgrading to v1.9.4. You can go ahead and create mail.domain.com as a child-domain to your master domain also make sure to issue SSL for this domain.

Step 1: Open the file /etc/postfix/main.cf using any editor

  1. sudo nano /etc/postfix/main.cf

Step 2: Comment the first two lines in that file by adding an # sign at the beginning.

  1. # smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
  2. # smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
 

Step 3:  Add the following lines after changing. Remember to replace YourPrimaryMailServerDomain with the your own domain.

  1. # provide the primary certificate for the server, to be used for outgoing connections
  2. smtpd_tls_chain_files =
  3. /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
  4. /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem

Step 4: In order to support SNI you need to add the following lines at the end

  1. # provide the map to be used when SNI support is enabled
  2. tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
 

After all the above steps your files should look like this

  1. # smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
  2. # smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
  3.  
  4. # provide the primary certificate for the server, to be used for outgoing connections
  5. smtpd_tls_chain_files =
  6. /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
  7. /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
  8.  
  9. # provide the map to be used when SNI support is enabled
  10. tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
 
 
 
 
 
 
 
 
 
 

Step 5: Create a new file in /etc/postfix with the name of vmail_ssl.map

  1. sudo touch /etc/postfix/vmail_ssl.map

Step 6: Edit the file to add your domain’s SSL certificates to the list like this

  1. mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem

Step 7 (Optional): If you have more than one domain to be supported add all of them one per line. The resulting file should look like this

  1. # Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
  2. # One host per line
  3. mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
  4. mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
  5. # add more domains with keys and certs as needed
 
 
 
 

Step 8: Open /etc/dovecot/dovecot.conf

  1. sudo nano /etc/dovecot/dovecot.conf

Step 9: Append the following to the end of the file, replace domain.com with your own domain

  1. local_name mail.domain.com {
  2. ssl_cert = </etc/letsencrypt/live/mail.domain.com/fullchain.pem
  3. ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem
  4. }
 

Step 10: Re-compile postmap with SNI using the following command

  1. postmap -F hash:/etc/postfix/vmail_ssl.map

Step 11: Restart Postfix.

  1. systemctl restart postfix

Step 12: Restart Dovecot

  1. systemctl restart dovecot

Connect again using a mail client and you should not see the error.

 

Was this answer helpful?

Related Articles

1 – DKIM Set up and Configurations DKIM Signing Starting version 1.6.4 you can now check whether you want to setup DKIM DNS records... 2 – SSL For PostFix/Dovecot On a default installation of Nexi Panel, Postfix and Dovecot use self-signed SSL. You can now use... 3 – Email Forwarding With Email Forwarding, you can forward emails to multiple other email addresses (This does not... 4 – Email Limits Email Limits Email Limits can help you fight Email Spam on your server. There are two kinds of... 5 – SpamAssassin Configurations Install SpamAssassin at: https://<IP Address>:8090/emailPremium/SpamAssassin...
« Back

Powered by WHMCompleteSolution

  Support

My Support Tickets
Announcements
Knowledgebase
Downloads
Network Status
Open Ticket