So far everything works correctly. It is good practice to secure the virtual domains with a TLS certificate (the certificate is issued for the server's hostname, which all the virtual domains share). For that we will use free certificates from Let's Encrypt, obtained with Certbot (https://certbot.eff.org/). First, however, a few adjustments to iRedMail itself are needed. We have Nginx installed, handling all virtual hosts, and greylisting is enabled in iRedMail's iRedAPD policy server. We start by disabling greylisting (this step is independent of the certificate setup).
chmod u+w /opt/iredapd/settings.py
nano /opt/iredapd/settings.py

# before:
# plugins = ["reject_null_sender", "wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy", "sql_ml_access_policy"]
# after (the "greylisting" entry removed from the plugin list):
plugins = ["reject_null_sender", "wblist_rdns", "reject_sender_login_mismatch", "throttle", "amavisd_wblist", "sql_alias_access_policy", "sql_ml_access_policy"]

chmod u-w /opt/iredapd/settings.py
systemctl restart iredapd
Next we edit the Nginx configuration file of the domain (the HTTPS server block), adding a location that serves the ACME challenge files from the directory Certbot will write them to:
nano /etc/nginx/sites-enabled/00-default-ssl.conf

# HTTPS
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;

    root /var/www/html;
    index index.php index.html;

    # ACME challenge files: same directory as the certbot -w argument below
    location ~ /.well-known {
        root /usr/share/nginx/html;
        allow all;
    }

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
}

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
systemctl reload nginx.service
systemctl status nginx.service
Install Certbot:
apt install certbot -y
Before requesting the certificate, the HTTP server block has to be adjusted: its ACME location, which would otherwise answer /.well-known/acme-challenge/ from /opt/www/well_known, is commented out, so that the validation request is redirected to HTTPS and served by the location added above from /usr/share/nginx/html. Let's Encrypt follows redirects during HTTP-01 validation and does not check the (still self-signed) certificate on that hop, so this works. The alternative is to leave this file untouched and pass -w /opt/www/well_known to certbot instead, in which case neither this step nor the one that reverts it is needed.
nano /etc/nginx/sites-available/00-default.conf

# HTTP
server {
    # Listen on ipv4
    listen 80;
    listen [::]:80;
    server_name _;

    # Allow ACME challenge to be served over HTTP (don't redirect to HTTPS).
    # Temporarily commented out: the challenge is answered by the HTTPS block instead.
    # location ~* ^/.well-known/acme-challenge/ {
    #     root /opt/www/well_known;
    #     try_files $uri =404;
    #     allow all;
    # }

    # Redirect all insecure http requests to https.
    location / {
        return 301 https://$host$request_uri;
    }
}

service nginx restart
Set the DOMAIN variable to the server's fully qualified hostname, the name the certificate will be issued for:
DOMAIN=$(hostname -f)
Request the certificate for our domain. certonly obtains the certificate without letting Certbot modify the Nginx configuration; --webroot with -w names the directory the HTTPS block above serves /.well-known from:
certbot certonly --webroot --agree-tos --email tachko@tachko.com -w /usr/share/nginx/html/ -d $DOMAIN

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/post.tachko.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/post.tachko.com/privkey.pem
This certificate expires on 2025-06-13.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Restore the original /etc/nginx/sites-available/00-default.conf by uncommenting the ACME location again:
nano /etc/nginx/sites-available/00-default.conf

# HTTP
server {
    # Listen on ipv4
    listen 80;
    listen [::]:80;
    server_name _;

    # Allow ACME challenge to be served over HTTP (don't redirect to HTTPS).
    location ~* ^/.well-known/acme-challenge/ {
        root /opt/www/well_known;
        try_files $uri =404;
        allow all;
    }

    # Redirect all insecure http requests to https.
    location / {
        return 301 https://$host$request_uri;
    }
}

service nginx restart
Now switch to the newly generated certificate and key. Postfix, Dovecot and Nginx in iRedMail all reference /etc/ssl/certs/iRedMail.crt and /etc/ssl/private/iRedMail.key, so replacing those two files with symlinks into /etc/letsencrypt/live/ switches every service at once. Certbot keeps the files under live/ pointing at the current certificate after each renewal, so the symlinks never need to be recreated:
rm -f /etc/ssl/private/iRedMail.key
rm -f /etc/ssl/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/ssl/certs/iRedMail.crt
ln -s /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/ssl/private/iRedMail.key
Reload the services so they pick up the new certificate:
systemctl reload nginx postfix dovecot
systemctl restart iredadmin.service
systemctl status iredadmin.service
Check that iRedMail still works correctly, and look over the configuration files of the virtual domains.
Everything is in order, but the certificate is valid for 90 days. Certbot's scheduled task renews it automatically; what still has to be arranged is that Postfix, Dovecot and Nginx reload after each renewal, since they read the certificate when they start. The symlinks themselves stay valid, because certbot replaces the files under /etc/letsencrypt/live/.
nano /etc/letsencrypt/cli.ini

# At the very bottom add a single post-hook line (only one post-hook key is used).
# For Nginx alone:
post-hook = systemctl restart nginx
# On an iRedMail host, where Postfix and Dovecot also serve the certificate, use this one instead:
post-hook = systemctl restart postfix dovecot nginx iredadmin
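The symlink step and the post-hook can also be combined into one certbot deploy hook. Certbot runs deploy hooks only after a certificate was actually issued, and exports RENEWED_LINEAGE with the directory of the renewed certificate, so the hook can re-point the links and reload the daemons in one place. The script below is an added example, not part of the original post or of iRedMail; it uses the /etc/ssl/... paths from above and is meant to be installed as /etc/letsencrypt/renewal-hooks/deploy/iredmail.sh (a file name chosen here).

```shell
#!/bin/sh
# Added example (not from the original post or iRedMail): a certbot deploy hook
# that points iRedMail's fixed certificate/key paths at the renewed lineage and
# reloads the daemons that loaded the old certificate at startup.
# Assumed install path (name chosen here): /etc/letsencrypt/renewal-hooks/deploy/iredmail.sh
set -eu

CRT_LINK=/etc/ssl/certs/iRedMail.crt      # paths every iRedMail service reads
KEY_LINK=/etc/ssl/private/iRedMail.key

# ensure_symlink LINK TARGET: make LINK a symlink to TARGET, replacing a plain
# file (iRedMail's self-signed cert) or a stale link; reports what it did.
ensure_symlink() {
  link=$1; target=$2
  if [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]; then
    echo unchanged
    return 0
  fi
  rm -f "$link"
  ln -s "$target" "$link"
  echo changed
}

# lineage_dir: directory holding the current certificate. certbot exports
# RENEWED_LINEAGE to deploy hooks; when run by hand, fall back to the hostname
# (the name the certificate was requested for above).
lineage_dir() {
  if [ -n "${RENEWED_LINEAGE:-}" ]; then
    echo "$RENEWED_LINEAGE"
  else
    echo "/etc/letsencrypt/live/$(hostname -f)"
  fi
}

main() {
  lineage=$(lineage_dir)
  [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
    echo "no certificate in $lineage" >&2; exit 1; }
  crt=$(ensure_symlink "$CRT_LINK" "$lineage/fullchain.pem")
  key=$(ensure_symlink "$KEY_LINK" "$lineage/privkey.pem")
  echo "$CRT_LINK: $crt, $KEY_LINK: $key"
  # the same reload/restart set the post used after the first issuance
  systemctl reload nginx postfix dovecot
  systemctl restart iredadmin.service
}

# Run only when certbot invokes us (RENEWED_LINEAGE set) or with "run" by hand,
# so the file can also be sourced for its functions.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = run ]; then
  main
fi
```

Make it executable, run it once by hand with `sh iredmail.sh run` to create the links, and then check the renewal itself with `certbot renew --dry-run` (a dry run does not execute deploy hooks, which is why the manual run comes first). With this hook in place the post-hook line in cli.ini is no longer needed.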
Finally, check that the certificate is served correctly at https://post.tachko.com/mail and https://post.tachko.com/iredadmin/ (the browser should show the Let's Encrypt certificate without any warning).
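The browser only checks Nginx. To confirm that Postfix and Dovecot present the new certificate too, the following added script (not from the original post or from iRedMail) uses openssl s_client to fetch the leaf certificate from each port and compares its SHA-256 fingerprint with the certificate linked at /etc/ssl/certs/iRedMail.crt, then reports how many days of validity remain. It assumes the ports iRedMail enables by default (443, 465, 587 with STARTTLS, 993, 143 with STARTTLS) and the OpenSSL command-line tools; the file name check-mail-tls.sh is chosen here.

```shell
#!/bin/sh
# Added example (not from the original post or iRedMail): verify that every
# TLS endpoint iRedMail exposes presents the Let's Encrypt certificate linked
# at /etc/ssl/certs/iRedMail.crt, and report how long it is still valid.
# Assumes the OpenSSL command-line tools; the host name is given as $1.
set -u

LOCAL_CERT=/etc/ssl/certs/iRedMail.crt

# utc_epoch "Jun 13 00:00:00 2025 GMT": seconds since 1970 for the date format
# that `openssl x509 -enddate` prints. Plain sh arithmetic (Hinnant's
# days-from-civil) so it does not depend on GNU date; years >= 1 AD only.
utc_epoch() {
  set -- $1                               # $1=month $2=day $3=HH:MM:SS $4=year
  case $1 in
    Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
    Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) echo "bad month: $1" >&2; return 1;;
  esac
  d=$2; y=$4
  hh=${3%%:*}; rest=${3#*:}; mm=${rest%%:*}; ss=${rest#*:}
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  days=$((era * 146097 + doe - 719468))
  # strip one leading zero so "08" is not read as an octal literal
  echo $((days * 86400 + ${hh#0} * 3600 + ${mm#0} * 60 + ${ss#0}))
}

# days_until_expiry "notAfter=Jun 13 00:00:00 2025 GMT" NOW_EPOCH -> whole days left
days_until_expiry() {
  exp=$(utc_epoch "${1#notAfter=}")
  echo $(((exp - $2) / 86400))
}

# fingerprint_of_pem: SHA-256 fingerprint of the first certificate on stdin
fingerprint_of_pem() {
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# served_fingerprint HOST PORT [STARTTLS_PROTO]: fingerprint of the leaf
# certificate a TLS (or STARTTLS) service presents; fails if unreachable
served_fingerprint() {
  if [ -n "${3:-}" ]; then
    fp=$(openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" </dev/null 2>/dev/null | fingerprint_of_pem)
  else
    fp=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | fingerprint_of_pem)
  fi
  [ -n "$fp" ] && echo "$fp"
}

check_host() {
  host=$1
  want=$(fingerprint_of_pem < "$LOCAL_CERT")
  rc=0
  # port and STARTTLS protocol for each iRedMail service (no protocol = implicit TLS)
  for ep in "443" "465" "587 smtp" "993" "143 imap"; do
    set -- $ep
    got=$(served_fingerprint "$host" "$1" "${2:-}") || got=unreachable
    if [ "$got" = "$want" ]; then
      echo "ok   $host:$1 presents $LOCAL_CERT"
    else
      echo "FAIL $host:$1 presents $got" >&2; rc=1
    fi
  done
  notafter=$(openssl x509 -noout -enddate -in "$LOCAL_CERT")
  echo "certificate expires in $(days_until_expiry "$notafter" "$(date +%s)") days"
  return $rc
}

if [ $# -gt 0 ]; then check_host "$1"; fi
```

Run it as `sh check-mail-tls.sh post.tachko.com` after the first issuance and again after a renewal: a FAIL line on 465, 587, 993 or 143 means Postfix or Dovecot is still serving the old certificate and needs the reload from the renewal hook, whereas a FAIL on 443 alone points at Nginx.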