How to configure a valid certificate in MailCleaner

Sylvain Viart
Added about 4 years ago

By default, MailCleaner uses a self-signed certificate, which is why users see a warning when they connect to the web interface.
You can configure any valid certificate issued by a recognized certification authority (RapidSSL, Thawte, Comodo, etc.) to remove these warnings.

This is the advised approach, rather than disabling the SSL option, which would send the users' credentials over the network in clear text.

For this, you should have:

  • A server certificate
  • Its associated private key
  • An intermediate certificate

The two certificates are of the form:

-----BEGIN CERTIFICATE-----
<CERTIF>
-----END CERTIFICATE-----

The private key is of the form:

-----BEGIN PRIVATE KEY-----
<KEY>
-----END PRIVATE KEY-----

In what follows, the whole key or certificate, including the BEGIN/END lines, must be pasted.

SMTP Certificates

In Configuration > SMTP > SSL/TLS, there are two fields:

  • Encoded SSL certificate: certificate chain
  • Encoded SSL private key: private SSL Key

If your certificate chain looks like:

Root > Intermediate cert > Server cert

You will have to input, in Encoded SSL certificate:

-----BEGIN CERTIFICATE-----
<CERT SERVER>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<CERT INTERMEDIARY>
-----END CERTIFICATE-----

Then, go to Monitoring > Status, and restart Incoming MTA, Filtering MTA and Outgoing MTA on each of your hosts.
It is advised to restart the Incoming MTA one host at a time. This way, your other hosts will keep accepting the incoming mails.

Web interface certificates

In Configuration > Services > Web interfaces, there are three fields:

  • Encoded SSL certificate: Server certificate
  • Encoded SSL private key: Private SSL Key
  • Encoded SSL certificate chain: Certificate chain

You will have to input, in Encoded SSL certificate:

-----BEGIN CERTIFICATE-----
<CERT SERVER>
-----END CERTIFICATE-----

and in Encoded SSL certificate chain:

-----BEGIN CERTIFICATE-----
<CERT INTERMEDIARY>
-----END CERTIFICATE-----

Then, go to Monitoring > Status, and restart the Web access service on each of your hosts.
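Before pasting, it is worth checking that the blob has well-formed PEM armor and that the certificates are in the order both screens above expect (server certificate first, then the intermediate that issued it). The following is an added example, not MailCleaner code; the function names are hypothetical, it uses only the Python standard library, and the sample certificates it builds are constructed, unsigned DER structures that only reproduce the X.509 field layout so the issuer/subject check can be exercised offline.

```python
import base64
import re
# Added example, not MailCleaner code; function names are hypothetical. The base64 body is
# limited to its alphabet, so a block with malformed armor (e.g. a four-dash END line) fails to match.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*([A-Za-z0-9+/=\s]*?)\s*-----END \1-----")

def pem_blocks(text):  # -> [(label, der_bytes)] for every well-formed block in the paste
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as real certificates use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_subject(der):  # raw DER Name encodings (issuer, subject) of an X.509 certificate
    _, cert, _ = _tlv(der, 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)  # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]  # serial, signature, ISSUER, validity, SUBJECT, spki, ...

def chain_order_ok(chain_pem):
    """True when the server cert comes first and each cert is issued by the next one,
    which is the layout MailCleaner expects in 'Encoded SSL certificate'."""
    certs = [issuer_subject(d) for lbl, d in pem_blocks(chain_pem) if lbl == "CERTIFICATE"]
    return len(certs) >= 2 and all(certs[i][0] == certs[i + 1][1] for i in range(len(certs) - 1))

def mailcleaner_fields(server_pem, intermediate_pem):  # values to paste into the two screens
    return {"smtp": {"Encoded SSL certificate": server_pem + "\n" + intermediate_pem},
            "web": {"Encoded SSL certificate": server_pem,
                    "Encoded SSL certificate chain": intermediate_pem}}

def _der(tag, content):  # one DER TLV, short-form length (enough for the samples below)
    return bytes([tag, len(content)]) + content

def sample_cert(subject_cn, issuer_cn):
    """CONSTRUCTED, unsigned, certificate-shaped DER; only the field layout matters."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue { id-at-commonName, UTF8String }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----"
```

Run chain_order_ok on the exact text you intend to paste into the SMTP screen; a real chain from your CA works with the same functions, since the parser handles long-form DER lengths.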

Testing

To make sure that your certificates are properly configured, you can use the following resources:

Test TLS:

Test the web server:

Decode certificates:

Which certificate is served to a particular machine?

From the Linux command line, you can display the MailCleaner server certificate with openssl:

cat /dev/null | openssl s_client -showcerts -servername <server> -connect <server>:443  # HTTPS
cat /dev/null | openssl s_client -connect <server>:25 -starttls smtp  # SMTP

Resources

What is the certificate chain? https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/