How to configure a valid certificate in MailCleaner
Sylvain Viart
Added over 8 years ago
By default, MailCleaner uses a self-signed certificate which is why users can see a warning when they connect to the web interface.
You can configure any valid certificate provided by a recognized certification authority (RapidSSL, Thawte, Comodo, etc.) to remove these warnings.
This is usually preferable to disabling the SSL option, which would cause users' credentials to be sent over the network in clear text.
For this, you should have:
- A server certificate
- Its associated private key
- An intermediate certificate
The two certificates are of the form:
-----BEGIN CERTIFICATE-----
<CERTIF>
-----END CERTIFICATE-----
The private key is of the form:
-----BEGIN PRIVATE KEY-----
<KEY>
-----END PRIVATE KEY-----
In what follows, the whole key or certificate, including the BEGIN/END lines, must be pasted.
SMTP Certificates
In Configuration > SMTP > SSL/TLS, there are two fields:
- Encoded SSL certificate: certificate chain
- Encoded SSL private key: private SSL key
If your certificate chain looks like:
Root > Intermediate cert > Server cert
you will have to input, in Encoded SSL certificate:
-----BEGIN CERTIFICATE-----
<CERT SERVER>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<CERT INTERMEDIARY>
-----END CERTIFICATE-----
Then, go to Monitoring > Status and restart Incoming MTA, Filtering MTA and Outgoing MTA on each of your hosts.
It is advised to restart the Incoming MTA one host at a time. This way, your other hosts will keep accepting incoming mail.
Web interface certificates
In Configuration > Services > Web interfaces, there are three fields:
- Encoded SSL certificate: server certificate
- Encoded SSL private key: private SSL key
- Encoded SSL certificate chain: certificate chain
You will have to input, in Encoded SSL certificate:
-----BEGIN CERTIFICATE-----
<CERT SERVER>
-----END CERTIFICATE-----
and in Encoded SSL certificate chain:
-----BEGIN CERTIFICATE-----
<CERT INTERMEDIARY>
-----END CERTIFICATE-----
Then, go to Monitoring > Status and restart the Web access service on each of your hosts.
Testing
To make sure that your certificates are properly configured, you can use the following resources:
Test TLS:
Test the web server:
Decode certificates:
Which certificate is served to a particular machine?
From the Linux command line, you can display the MailCleaner server certificate with openssl:
# HTTPS
cat /dev/null | openssl s_client -showcerts -servername <server> -connect <server>:443
# SMTP
cat /dev/null | openssl s_client -connect <server>:25 -starttls smtp
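The server certificate, private key and intermediate certificate can also be checked locally before they are pasted into the SMTP and web interface fields. The script below is an added example, not part of the original MailCleaner documentation; the function names and file arguments are hypothetical, and it assumes the openssl command-line tool (1.0.2 or later, for -partial_chain).

```shell
#!/bin/sh
# Added example: pre-flight checks for the three PEM files described on this page.
# Function names and file arguments are hypothetical, chosen for illustration.

# check_mailcleaner_certs KEY SERVER_CERT INTERMEDIATE_CERT
# Prints "OK" and returns 0 when every check passes; otherwise prints the
# reason and returns 1.
check_mailcleaner_certs() {
    key=$1 server=$2 inter=$3

    # 1. Every file must parse as PEM; a damaged BEGIN/END line fails here.
    openssl x509 -in "$server" -noout 2>/dev/null \
        || { echo "server certificate does not parse"; return 1; }
    openssl x509 -in "$inter" -noout 2>/dev/null \
        || { echo "intermediate certificate does not parse"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "private key does not parse"; return 1; }

    # 2. The private key must belong to the server certificate:
    #    both must yield the same public key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$server" -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$crt_pub" ] \
        || { echo "private key does not match server certificate"; return 1; }

    # 3. The intermediate must have signed the server certificate.
    #    -partial_chain lets the intermediate act as the trust anchor, so the
    #    root is not needed. Validity dates are checked as well.
    openssl verify -partial_chain -CAfile "$inter" "$server" >/dev/null 2>&1 \
        || { echo "server certificate is not issued by the intermediate, or is not currently valid"; return 1; }

    echo "OK"
}

# smtp_certificate_field SERVER_CERT INTERMEDIATE_CERT
# Prints the text for the SMTP "Encoded SSL certificate" field:
# server certificate first, then the intermediate, each re-encoded by openssl
# so the BEGIN/END lines are well formed.
smtp_certificate_field() {
    openssl x509 -in "$1" && openssl x509 -in "$2"
}

# Usage (file names are placeholders):
#   check_mailcleaner_certs server.key server.pem intermediate.pem
#   smtp_certificate_field server.pem intermediate.pem
```

For the web interface, the same two certificate files go into separate fields, so only the check function is needed there.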
Resources
What is the certificate chain? https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/