
Postfix MTA SSL/TLS Installation


All Mailborder servers include multiple self-signed SSL/TLS certificates, including one for the Postfix Mail Transport Agent service. You may replace this self-signed certificate with a valid SSL/TLS certificate of your own.


Add Certificates in the GUI

If you already have certificates issued by an entity such as Verisign or Comodo, you can add those to your configuration via the GUI. To do so, follow this guide.


Add Certificates via the Command Line

Certificates can be manually added via the command line by copying the certificate PEM and key file to a directory on the Mailborder server. You can copy the files anywhere, but we recommend this location:

/etc/mailborder/ssl

You will see multiple certificates and keys in this directory. Do not edit these files as they can be overwritten by the automated configuration process. 

You will need to create valid PEM files with your certificates following this guide. Once complete, place your files in the Mailborder SSL directory. Below are some example file names.

custom-mta.pem
custom-mta.key

Next, modify the Mailborder configuration to include these certificates in current and future builds by editing this file:

/etc/mailborder/conf.d/postfix.cf

Update the smtpd_tls_cert_file and smtpd_tls_key_file parameters to point to your certificates:

smtpd_tls_cert_file=/etc/mailborder/ssl/custom-mta.pem
smtpd_tls_key_file=/etc/mailborder/ssl/custom-mta.key

Finally, rebuild the Mailborder configurations:

sudo mb-rebuild -r


Let’s Encrypt

If you do not have the Let’s Encrypt Certbot installed, please do so using this guide and return to continue the Postfix setup with Let’s Encrypt. 

All Mailborder virtual hostnames (GUI, API, Portal) must be unique. However, the MTA hostname used by Postfix does not have to be unique. For example, your Postfix MTA hostname might be something like mx.mailborder.de. This same hostname could be used for the GUI like this: https://mx.mailborder.de without conflict. 


– Using an Existing Certificate

If your Postfix MTA name is the same as the Mailborder GUI, API, or Portal hostname, you can use the same certificate. Open the Nginx configuration file for that virtual host and note the certificate paths it uses. In this example we assume the GUI hostname is the same as the MTA hostname:

/etc/nginx/sites-available/mailborder-gui.conf

These are the certificate paths we are looking for:

ssl_certificate /etc/letsencrypt/live/mx.mailborder.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mx.mailborder.de/privkey.pem;

Copy these values and then open this file:

/etc/mailborder/conf.d/postfix.cf

Find the TLS section and add the new certificates names:

smtpd_tls_cert_file=/etc/letsencrypt/live/mx.mailborder.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mx.mailborder.de/privkey.pem

Finally, rebuild the Mailborder configuration to start using the new certificate:

sudo mb-rebuild -r

You can test your new certificates here: https://www.checktls.com/TestReceiver


– Adding a New Let’s Encrypt Certificate

If your MTA hostname is not the same as one of your Mailborder virtual hosts, you can get a certificate added with a small modification to your Nginx files. 

Edit this file:

/etc/nginx/sites-available/mailborder-gui.conf

Add the MTA hostname to the server_name directive as in the example below. Here we add mx.mailborder.de (the Postfix MTA name) alongside master.mailborder.de (the GUI hostname).

*Note that there are two sections where server_name is present that must be edited!

server_name mx.mailborder.de master.mailborder.de;

The result will look something like this:

# ssl redirect
server {
  listen 80;
  listen [::]:80;
  access_log off;
  server_name master.mailborder.de mx.mailborder.de;

  location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
  }

  location / {
    return 301 https://$server_name$request_uri;
  }
}

# standard connection
server {
  listen 443 ssl;
  server_name master.mailborder.de mx.mailborder.de;

  root /srv/mailborder/public_html/master;
  index index.php;
  ssl_certificate /etc/letsencrypt/live/api.mailborder.de/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/api.mailborder.de/privkey.pem; # managed by Certbot

...


Save the file, and restart the Nginx service:

service nginx restart

Now run the certbot program again to obtain an updated certificate that includes your MTA hostname.

sudo certbot --nginx --no-redirect

In this case, we activate all four names: the three Mailborder virtual hosts and the MTA name:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: api.mailborder.de
2: master.mailborder.de
3: mx.mailborder.de
4: portal.mailborder.de
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2 3 4

It may ask if you wish to (E)xpand the certificates. 

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e

When asked whether to redirect HTTP traffic, select No Redirection, as Mailborder already does this.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

You will then be presented with the full path to the SSL/TLS certificate and keys. Copy the values for use with the Postfix MTA. (Do not copy the below cert paths!)

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/api.mailborder.de/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/api.mailborder.de/privkey.pem

Next, edit this file:

/etc/mailborder/conf.d/postfix.cf

Now update the certificate and key file paths with the values reported in the last step:

smtpd_tls_cert_file=/etc/letsencrypt/live/api.mailborder.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/api.mailborder.de/privkey.pem

Finally, rebuild the Mailborder configurations to use the new SSL/TLS certificate:

sudo mb-rebuild -r

You can test your new certificates here: https://www.checktls.com/TestReceiver
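Before running mb-rebuild in any of the three procedures above (custom PEM files or either Let’s Encrypt variant), it is worth confirming that the certificate and key actually belong together and that the certificate names the MTA hostname, since Postfix will fail TLS handshakes silently on a mismatch. The script below is an added example, not part of Mailborder; the CERT, KEY and MTA_HOST values default to the example names used in this guide and should be adjusted, and mta_tls_check is an after-rebuild network check that mirrors what the checktls.com test does.

```shell
#!/bin/sh
# Pre-flight checks for a custom Postfix TLS certificate (added example, not
# part of Mailborder). Paths are the example names from this guide; adjust them.
CERT=/etc/mailborder/ssl/custom-mta.pem
KEY=/etc/mailborder/ssl/custom-mta.key
MTA_HOST=mx.mailborder.de

# Return 0 when the public key embedded in the certificate equals the public
# key derived from the private key, i.e. the two files belong together.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate lists the hostname as a DNS subjectAltName
# (what SMTP clients match against; a CN alone is not sufficient).
cert_has_san() {
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE "DNS:${pat}(,|[[:space:]]|$)"
}

# Return 0 when the certificate stays valid for at least N more days (default 14).
cert_not_expiring() {
  days=${2:-14}
  openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# After "sudo mb-rebuild -r": print the certificate Postfix presents on port 25
# via STARTTLS (network check; not exercised by the offline tests).
mta_tls_check() {
  openssl s_client -starttls smtp -connect "$1:${2:-25}" -servername "$1" \
    </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
}

main() {
  cert_key_match "$CERT" "$KEY"    || { echo "cert/key mismatch"; exit 1; }
  cert_has_san "$CERT" "$MTA_HOST" || { echo "no SAN for $MTA_HOST"; exit 1; }
  cert_not_expiring "$CERT"        || { echo "certificate expires soon"; exit 1; }
  echo "OK: $CERT matches $KEY and covers $MTA_HOST"
}

# Run the checks only when invoked with --run, so the functions can be sourced.
case "${1:-}" in --run) main ;; esac
```

Invoke it as `sh check-mta-tls.sh --run` before the rebuild, then `mta_tls_check mx.mailborder.de` afterwards to see the subject, issuer and validity dates of the certificate Postfix is really serving.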