SSL Certificate Problem "Unable to get Local Issuer Certificate" – VestaCP Exim4 and Dovecot

When configuring a mail server on VestaCP, the single most important thing to enable is SSL/TLS. However, many people run into problems getting that configuration right.

Here are our tips and tricks for successfully configuring the Exim4 mail server on Vesta CP.


Suppose our main domain is origrata.com

and the SMTP mail server address is mail.origrata.com.

The steps to take are:

  • Issue an SSL certificate for the subdomain mail.origrata.com; a free certificate from Let's Encrypt works. Once the certificate has been issued, three files are created automatically at:

           /home/admin/conf/web/ssl.mail.origrata.com.crt
           /home/admin/conf/web/ssl.mail.origrata.com.key
           /home/admin/conf/web/ssl.mail.origrata.com.pem

  • Make sure the certificate files have permissions 664
            root@mail:/home/admin/conf/web# chmod 664 ssl.mail.origrata.com.*

  • Change the VestaCP server hostname to mail.origrata.com and ask your provider to point the PTR record of the server's public IP at mail.origrata.com

  • Delete the files certificate.crt and certificate.key in the folder /usr/local/vesta/ssl/
          cd /usr/local/vesta/ssl
          rm certificate.crt certificate.key


  • Create symbolic links in /usr/local/vesta/ssl to the Let's Encrypt certificate generated for mail.origrata.com
           cd /usr/local/vesta/ssl/
           ln -s /home/admin/conf/web/ssl.mail.origrata.com.pem certificate.crt
           ln -s /home/admin/conf/web/ssl.mail.origrata.com.key certificate.key

          Note that certificate.crt is linked to the file with the .pem extension (highlighted in red in the original), not the .crt: the .pem contains the certificate together with its issuer chain, which is what resolves the "unable to get local issuer certificate" error.

  • Register the certificate in the Exim4 and Dovecot configuration on VestaCP
          Open /etc/exim4/exim4.conf.template with nano, find the lines below and change them to match:

            tls_advertise_hosts = *
            tls_certificate = /usr/local/vesta/ssl/certificate.crt
            tls_privatekey = /usr/local/vesta/ssl/certificate.key

         Open /etc/dovecot/conf.d/10-ssl.conf with nano and adjust it to match the following:

            ssl = yes
            ssl_cert = </usr/local/vesta/ssl/certificate.crt
            ssl_key = </usr/local/vesta/ssl/certificate.key

            #tls_certificate = /usr/local/vesta/ssl/certificate.crt
            #tls_privatekey = /usr/local/vesta/ssl/certificate.key

            Once the files have been changed, restart Vesta, exim4 and dovecot with the commands below

            service vesta restart
            service exim4 restart
            service dovecot restart
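A pre-flight check for the files the steps above put in place, to run before restarting the services. This is added example code, not part of the original post; the paths and hostname default to the ones used in the post, `--files` runs the offline checks and `--live` queries the MX with openssl. It confirms that certificate.crt really points at the chained .pem (a bare leaf is what produces the "unable to get local issuer certificate" error), that the key belongs to that certificate, and it reports that the 664 key is readable by every local user.

```sh
# Added pre-flight check for the certificate files the steps above put in place;
# example code, not part of the original post. Paths default to the post's.
VESTA_SSL="${VESTA_SSL:-/usr/local/vesta/ssl}"
MAIL_HOST="${MAIL_HOST:-mail.origrata.com}"

# Number of PEM certificate blocks in a file (0 if missing). ssl.<domain>.crt
# holds 1 (the leaf); ssl.<domain>.pem holds 2 or more (leaf + Let's Encrypt
# intermediate), which is why certificate.crt must point at the .pem file.
pem_cert_count() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# True when the file carries a chain, not only the leaf certificate.
has_chain() {
    [ "$(pem_cert_count "$1")" -ge 2 ]
}

# True when "other" can read the file; mode 664 as used in the post does this.
key_world_readable() {
    [ -n "$(find "$1" -perm -004 -print 2>/dev/null)" ]
}

# Offline checks on the two files Exim and Dovecot load.
check_files() {
    crt="$VESTA_SSL/certificate.crt"; key="$VESTA_SSL/certificate.key"; rc=0
    if has_chain "$crt"; then
        echo "ok: $crt -> $(readlink -f "$crt") ($(pem_cert_count "$crt") certs)"
    else
        echo "FAIL: $crt has no intermediate; link it to the .pem file"; rc=1
    fi
    # The leaf certificate and the private key must be the same key pair.
    pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "ok: certificate.crt and certificate.key match"
    else
        echo "FAIL: certificate.key does not match certificate.crt"; rc=1
    fi
    key_world_readable "$key" && echo "warn: $key is readable by every local user"
    return $rc
}

# Live check: what the MX actually sends over STARTTLS, as a remote client sees it.
probe_starttls() {
    openssl s_client -starttls smtp -showcerts -connect "$MAIL_HOST:25" \
        -servername "$MAIL_HOST" </dev/null 2>/dev/null |
        grep -E 'Verify return code|^ *[0-9]+ s:'
}
case "${1:-}" in --files) check_files ;; --live) probe_starttls ;; esac
```

A "Verify return code: 0 (ok)" from the live probe means remote MTAs and mail clients will validate the chain; a code of 20 is the "unable to get local issuer certificate" symptom from the title, which the .pem link fixes.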


Test the result with an online checker (the output below is from CheckTLS):



seconds   test stage and result
[000.000] DNS LOOKUPS
[000.000] created RESOLVER
[000.004] NS 10.132.36.231
[000.004] MX(10) mail.origrata.com
[000.006] A-->origrata.com 103.*.*.*
[000.008] _mta-sts[TXT] v=STSv1
[000.008] _mta-sts[TXT] id=20210822204131
[000.010] _smtp._tls[TXT] v=TLSRPTv1
[000.011] _smtp._tls[TXT] rua=mailto:origrata@origrata.com
[000.013] A-->mail.origrata.com 103.*.*.*
[000.013] primary mail.origrata.com
[000.013] primary-->type MX
[000.013] primary-->DNSSEC? no
[002.763] MTA-STS policy-->version STSv1
[002.763] MTA-STS policy-->mode testing
[002.763] MTA-STS policy-->max_age 604800
[002.763] MTA-STS policy-->mx mail.origrata.com
[002.763] mail.ioscloud.co.id MTA-STS OK
seconds   test stage and result
[000.000] Trying TLS on mail.origrata.com[103.*.*.*:25] (10)
[000.239] Server answered
[001.425] <--220 mail.origrata.com ESMTP Exim 4.90_1 Ubuntu Mon, 23 Aug 2021 23:21:59 +0700
[001.425] We are allowed to connect
[001.426] -->EHLO www11-do.CheckTLS.com
[001.664] <--250-mail.origrata.com Hello www11-do.checktls.com [167.71.160.115]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250 HELP
[001.664] We can use this server
[001.664] TLS is an option on this server
[001.664] -->STARTTLS
[002.618] <--220 TLS go ahead
[002.619] STARTTLS command works on this server
[003.737] Connection converted to SSL
SSLVersion in use: TLSv1_2
Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
Perfect Forward Secrecy: yes
Certificate #1 of 4 (sent by MX):
Cert signed by: #2
Cert VALIDATED: ok
Cert Hostname VERIFIED (mail.origrata.com = mail.origrata.com | DNS:mail.origrata.com)
Not Valid Before: Aug 20 01:42:32 2021 GMT
Not Valid After: Nov 18 01:42:31 2021 GMT
subject= /CN=mail.origrata.com
issuer= /C=US/O=Let's Encrypt/CN=R3
Certificate #2 of 4 (sent by MX):
Cert signed by: #3, #4
Cert VALIDATED: ok
Not Valid Before: Sep  4 00:00:00 2020 GMT
Not Valid After: Sep 15 16:00:00 2025 GMT
subject= /C=US/O=Let's Encrypt/CN=R3
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate #3 of 4 (added from CA Root Store):
Cert signed by: #3, #4
Cert VALIDATED: ok
Not Valid Before: Jun  4 11:04:38 2015 GMT
Not Valid After: Jun  4 11:04:38 2035 GMT
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate #4 of 4 (sent by MX):
Cert is unsigned
Cert VALIDATED:
Not Valid Before: Jan 20 19:14:03 2021 GMT
Not Valid After: Sep 30 18:14:03 2024 GMT
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
[005.046] DANE failed: no TLSA records
[005.048] ~~>EHLO www11-do.CheckTLS.com
[005.287] <~~250-mail.origrata.com Hello www11-do.checktls.com [167.71.160.115]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250 HELP
[005.287] TLS successfully started on this server
[005.287] TLSAs not checked (no TLSA)
[005.287] ~~>MAIL FROM:<test@checktls.com>
[005.526] <~~250 OK
[005.526] Sender is OK
[005.526] ~~>QUIT
[005.765] <~~221 mail.origrata.com closing connection