Overview
By using SSL for email, you ensure that communications between your personal computer and your server will be encrypted. Your message contents, username, and password will be hidden from eavesdroppers -- but only from eavesdroppers between you and your server! SSL services do not protect your messages once they leave your SMTP server and head to their destinations. Even though your message contents are not necessarily protected after that point, SSL does completely protect your username and password from detection. This is very important because it prevents identity theft, forged messages, etc.
Instructions
Plesk
These instructions are for Plesk Onyx (17) and above. Instructions for older versions of Plesk are included below, but it is strongly recommended that you upgrade Plesk to the latest version.
Plesk Onyx introduced the ability to quickly secure your mail server.
The easiest way to install an SSL on your mail server is to use the Let's Encrypt extension. Let's Encrypt provides a free SSL solution and is fully supported by Plesk. These instructions are for Pl
1. Log into your Plesk admin panel.
2. Click on Tools & Settings.
3. Install your Media Temple or third-party certificate. If you do not already have a certificate to use, you can either install a free Let's Encrypt SSL, or purchase one from Media Temple.
Important note: It is recommended that you use "mail.domain.com" for the SSL used to secure your mail server. This will help you avoid popups regarding mismatched SSL certs and hostnames.
4. Once your certificate is installed, locate the "Certificate for securing mail" field and click on Change.
5. Select your certificate from the list and click OK.
Your mail server is now secured with an SSL.
Instructions for older versions of Plesk
If you need to set up your own certificates, copy your certificate and private key into the appropriate files and restart the qmail and/or courier-imap/Dovecot services.
IMPORTANT NOTE:
Instructions for both Dovecot and Courier mail servers are included. Plesk versions 12.0 and later are provisioned with Dovecot as the default. Previous versions use Courier, but have an option to install Dovecot. If you are unsure of which software you are using or want to use something different, log into your Plesk control panel and navigate to Tools & Settings >> Mail Server Settings.
A single certificate is used for each of these services (SMTP, IMAP4, and POP3 over SSL); separate certificates cannot be used for different Plesk domains.
Make sure to specify the domain name for the certificate in order to avoid "domain name mismatch" warnings. For example, if the certificate was issued for the "dv-example.com" domain, then you should specify "dv-example.com" in your mail client preferences for SMTP/POP3/IMAP servers.
Requirements
Before you start, this article has the following dependencies:
- You must have SSH access set up for root or a sudo user.
- Access to your Server Administrator Panel.
READ ME FIRST
This article is provided solely as a courtesy to our customers. Please take a moment to review the Statement of Support.
Instructions for DV 4.0
- Log into your Plesk Server Administrator Panel.
- From the left navigation menu, click on Tools & Utilities and select SSL Certificates.
- Click on the default certificate.
Scroll down until you see the sections Private Key and Certificate. Copy the contents of each section into a new file on your server and name the file with the .pem extension, e.g. dv-example.com.pem. Save this file to the /usr/share/courier-imap directory.
Your file should look similar to this.
-----BEGIN RSA PRIVATE KEY-----
(base64-encoded private key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(base64-encoded certificate)
-----END CERTIFICATE-----
- Connect via SSH to your DV as the root user.
- Before editing system configuration files on your server, backup files should be made first. Enter the following two commands, one at a time.
cp /etc/courier-imap/pop3d-ssl /etc/courier-imap/pop3d-ssl.backup
cp /etc/courier-imap/imapd-ssl /etc/courier-imap/imapd-ssl.backup
- Next, you will need to edit the same line in each of these two files. The line begins with TLS_CERTFILE=. You can jump straight to that line with the following commands, one for each file.
vi +/TLS_CERTFILE= /etc/courier-imap/pop3d-ssl
vi +/TLS_CERTFILE= /etc/courier-imap/imapd-ssl
The default certfile being used points to a file in /usr/share/courier-imap/. You want this to be your pem file instead. Change that line to point to your file which you saved earlier in that directory. Your two files should look like this snippet.
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/usr/share/courier-imap/dv-example.com.pem

##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
NOTE:
Be sure to replace dv-example.com with your domain.
- We also need to have qmail use this certificate. Make a backup of the default servercert.pem file and use your cert instead with the following two commands.
mv /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.backup
cp /usr/share/courier-imap/dv-example.com.pem /var/qmail/control/servercert.pem
- Restart the mail services on your server.
/etc/init.d/courier-imapd restart && /etc/init.d/courier-imaps restart && /etc/init.d/qmail restart
You should see the following successful output.
Stopping Courier-IMAP server:
Stopping imap [ OK ]
Stopping imap-ssl [ OK ]
Stopping pop3 [ OK ]
Stopping pop3-ssl [ OK ]
Starting Courier-IMAP server:
Starting imapd [ OK ]
Starting imap-ssl [ OK ]
Starting pop3 [ OK ]
Starting pop3-ssl [ OK ]
Stopping : Starting qmail: [ OK ]
Now, you and your site users should be able to use your SSL certificate to securely send email using various mail programs.
Courier Instructions
- Log into your Plesk Server Administrator Panel.
- From the left navigation menu under Server Management, select Tools & Settings.
- Under Security, select SSL Certificates.
- Click on the default certificate.
Scroll down until you see the sections Private Key and Certificate. Copy the contents of each section into a new file on your server and name the file with the .pem extension, e.g. dv-example.com.pem. Save this file to the /usr/share/courier-imap directory.
Your file should look similar to this.
-----BEGIN RSA PRIVATE KEY-----
(base64-encoded private key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(base64-encoded certificate)
-----END CERTIFICATE-----
- Connect via SSH to your DV as the root user.
- Before editing system configuration files on your server, backup files should be made first. Enter the following two commands, one at a time.
cp /etc/courier-imap/pop3d-ssl /etc/courier-imap/pop3d-ssl.backup
cp /etc/courier-imap/imapd-ssl /etc/courier-imap/imapd-ssl.backup
- Next, you will need to edit the same line in each of these two files. The line begins with TLS_CERTFILE=. You can jump straight to that line with the following commands, one for each file.
vi +/TLS_CERTFILE= /etc/courier-imap/pop3d-ssl
vi +/TLS_CERTFILE= /etc/courier-imap/imapd-ssl
The default certfile being used points to a file in /usr/share/courier-imap/. You want this to be your pem file instead. Change that line to point to your file which you saved earlier in that directory. Your two files should look like this snippet.
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/usr/share/courier-imap/dv-example.com.pem

##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
NOTE:
Be sure to replace dv-example.com with your domain.
- We also need to have postfix use this certificate. Make a backup of the postfix_default.pem file and use your cert instead with the following two commands.
mv /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.pem.backup
cp /usr/share/courier-imap/dv-example.com.pem /etc/postfix/postfix_default.pem
/etc/init.d/courier-imap restart && /etc/init.d/postfix restart
You should see the following successful output.
Stopping Courier-IMAP server:
Stopping imap [ OK ]
Stopping imap-ssl [ OK ]
Stopping pop3 [ OK ]
Stopping pop3-ssl [ OK ]
Starting Courier-IMAP server:
Starting imapd [ OK ]
Starting imap-ssl [ OK ]
Starting pop3 [ OK ]
Starting pop3-ssl [ OK ]
Stopping : Starting postfix: [ OK ]
Dovecot Instructions
1. SSH to your server as the root user. In order to do this, you must first make sure that you have root login enabled from the account center.
2. Create a backup of the default dovecot .pem file
cp /etc/dovecot/private/ssl-cert-and-key.pem /etc/dovecot/private/ssl-cert-and-key.pem.backup
3. Create a backup of the default postfix .pem file
cp /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.pem.backup
4. Create the dovecot .pem.replacement file and copy the replacement key and SSL certificate into it.
nano /etc/dovecot/private/ssl-cert-and-key.pem.replacement
Your ssl-cert-and-key.pem.replacement file should look similar to this:
-----BEGIN RSA PRIVATE KEY-----
(base64-encoded private key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(base64-encoded certificate)
-----END CERTIFICATE-----
5. Replace default dovecot .pem file with dovecot .pem.replacement file.
cp /etc/dovecot/private/ssl-cert-and-key.pem.replacement /etc/dovecot/private/ssl-cert-and-key.pem
6. Replace default postfix .pem file with SAME dovecot .pem.replacement file.
cp /etc/dovecot/private/ssl-cert-and-key.pem.replacement /etc/postfix/postfix_default.pem
7. Verify permissions (0400) and root ownership (root:root) of newly-replaced dovecot .pem file.
chmod 0400 /etc/dovecot/private/ssl-cert-and-key.pem
8. Verify permissions (0600) and root ownership (root:root) of newly-replaced postfix .pem file.
chmod 0600 /etc/postfix/postfix_default.pem
9. Reload or restart dovecot and check the service status.
systemctl restart dovecot.service
systemctl status dovecot.service
You should see an output similar to this:
dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled)
Active: active (running) since Wed 2015-12-02 21:41:38 EST; 17h ago
Main PID: 19331 (dovecot)
CGroup: /system.slice/dovecot.service
├─19331 /usr/sbin/dovecot -F
├─19334 dovecot/anvil
├─19335 dovecot/log
├─29140 dovecot/config
└─29142 dovecot/ssl-params
Now, you and your site users should be able to use your SSL certificate to securely send email using various mail programs.
NOTE:
Depending on your email client, you may receive a certificate error.
Check the box to trust the certificate and eliminate the certificate error messages for your mail client.
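An added example, not part of the original article: a shell function that checks a combined key-and-certificate .pem file before it is copied over the live Dovecot, Postfix, Courier or qmail file, covering the key/certificate pairing, the "domain name mismatch" warning and the file permissions discussed above. The function name check_mail_pem and its return codes are assumptions made for this example; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original article): pre-install checks for a
# combined private key + certificate .pem file.
# Usage:   check_mail_pem /path/to/file.pem mail.example.com
# Returns: 0 ok, 1 key or certificate block missing, 2 key does not belong
#          to the certificate, 3 hostname not covered, 4 certificate expired,
#          5 file is accessible to group or others.
check_mail_pem() (
    pem=$1
    host=$2

    # 1. Both PEM blocks must be present in the one file.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || exit 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" || exit 1

    # 2. The public key derived from the private key must equal the
    #    public key embedded in the certificate.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || exit 2
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || exit 2
    [ "$key_pub" = "$crt_pub" ] || exit 2

    # 3. The certificate must cover the hostname that mail clients are
    #    configured with, otherwise they show a mismatch warning.
    openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate' || exit 3

    # 4. The certificate must not already be expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || exit 4

    # 5. The file holds a private key: no group/other permission bits
    #    (modes such as 0400 and 0600 pass, 0644 does not).
    [ "$(ls -ld "$pem" | cut -c5-10)" = "------" ] || exit 5

    exit 0
)
```

Run it against the .pem.replacement file from step 4 with the hostname your mail clients use, and only continue with the copy steps if it returns 0.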
cPanel
The following guide was created using cPanel v76.0.22. We will primarily be using AutoSSL, which comes by default with this version of cPanel.
- Log into WHM
- In this example we will be using cPanel's AutoSSL feature for a free SSL.
Do keep in mind that AutoSSL certificates are self-signed, so browsers/mail clients may display warning messages. However, you can use a CA certificate, such as an SSL purchased through Media Temple.
- In the left-hand menu, navigate to the SSL/TLS section. Then click Generate an SSL Certificate and Signing Request.
- Fill out the form to generate your SSL.
- Email Address: An email address the certificate will be sent to.
- Key Size: 2,048 bits (recommended)
- Domains: Input "mail.example.com" (replacing example.com with your domain name).
- Company Information: City, State, Country, Company name, Company division, Email.
- Passphrase: Passphrase for the CSR.
- Once you have filled out the form, click Create.
- Your CSR and Certificate have now been generated.
- You can choose to take the CSR and Key and provide it to a third-party certificate authority.
- However, in this example, we will continue using the AutoSSL that was generated.
- Copy the Certificate and Key sections.
- In the left-hand menu, navigate to the Service Configuration section. Then click Manage SSL Certificates.
- Select Dovecot Mail Server and Exim (SMTP) Server.
- Now paste your Certificate and Key into the appropriate sections.
- As mentioned previously, a warning message will appear as this is a self-signed certificate.
- Click Install.
- A message will appear to inform you that the SSL was installed successfully.
Media Temple SSL
Media Temple offers CA certificates which can be purchased to install on SMTP, IMAP, and POP3.
- Order a Media Temple SSL.
- We recommend purchasing an SSL for "mail.example.com" (replacing example.com with your domain name).
- In the Account Center, scroll down to ADD-ON SERVICES. Then click Manage.
- Click View/Download Certificate Info.
- You can use this Private Key, SSL Certificate, and CA / Chain Certificate to install on your server, in the place of Let's Encrypt or AutoSSL.