Configuring mail domain certificates after ispmanager upgrade

13.01.2025, 22:54

After upgrading ISPmanager you may need to reconfigure certificates for mail domains.

Why it is necessary

Modern mail servers and clients require the use of secure connections. Many mail clients may refuse to connect to servers that do not support SSL/TLS, which will lead to problems with mail delivery. Also, settings or certificate paths may change after an ISPmanager upgrade.

It is important to make sure that all settings meet the new requirements to avoid problems with mail performance. The ability to connect certificates to mail domains is enabled by default only for new installations of the panel version 5.66.0 or higher, so after upgrading an existing panel from 5.66.0 or lower, you will need to configure this functionality manually.

Instructions on how to configure certificates

Configuring mail domain certificates after upgrading ISPmanager is an important step to ensure the security, stability and reliability of mail services.

Add the following line to the end of the configuration file at the path /usr/local/mgr5/etc/ispmgr.conf.d/mta.conf:

path exim-certdir /etc/exim/ssl - for CentOS 7 and CloudLinux;
path exim-certdir /etc/exim4/ssl - for Debian and Ubuntu.

If the file at the path /usr/local/mgr5/etc/ispmgr.conf.d/mta.conf does not exist, make the changes in the file /usr/local/mgr5/etc/conf.d/exim.conf.

Add the following line to the end of the configuration file /usr/local/mgr5/etc/ispmgr.conf.d/dovecot.conf:

path dovecot-certconf /etc/dovecot/certs

Then make changes to the following lines in the Dovecot configuration file at the path /etc/dovecot/conf.d/10-ssl.conf:

For CentOS and CloudLinux:

ssl = yes
ssl_cert = </etc/exim/ssl/exim.crt
ssl_key = </etc/exim/ssl/exim.key
!include_try /etc/dovecot/certs/*.conf

For Debian and Ubuntu:

ssl = yes
ssl_cert = </etc/exim4/ssl/exim.crt
ssl_key = </etc/exim4/ssl/exim.key
!include_try /etc/dovecot/certs/*.conf

Change the SSL settings in the Exim configuration file at the path /etc/exim/exim.conf (for Debian and Ubuntu, this is /etc/exim4/exim4.conf.template):

For CentOS and CloudLinux:

log_selector = \
       +all_parents \
       +lost_incoming_connection \
       +received_sender \
       +received_recipients \
       +tls_cipher +tls_peerdn +tls_sni \
       +smtp_confirmation \
       +smtp_syntax_error \
       +smtp_protocol_error

# TLS/SSL
# Use the per-domain certificate and key named after the SNI value if they exist,
# otherwise fall back to the default exim.crt / exim.key.
tls_advertise_hosts = *
tls_certificate = ${if exists{/etc/exim/ssl/${tls_sni}.crt}{/etc/exim/ssl/${tls_sni}.crt}{/etc/exim/ssl/exim.crt}}
tls_privatekey = ${if exists{/etc/exim/ssl/${tls_sni}.key}{/etc/exim/ssl/${tls_sni}.key}{/etc/exim/ssl/exim.key}}
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

For Debian and Ubuntu:

log_selector = \
       +all_parents \
       +lost_incoming_connection \
       +received_sender \
       +received_recipients \
       +tls_cipher +tls_peerdn +tls_sni \
       +smtp_confirmation \
       +smtp_syntax_error \
       +smtp_protocol_error

# TLS/SSL
# Use the per-domain certificate and key named after the SNI value if they exist,
# otherwise fall back to the default exim.crt / exim.key.
tls_advertise_hosts = *
tls_certificate = ${if exists{/etc/exim4/ssl/${tls_sni}.crt}{/etc/exim4/ssl/${tls_sni}.crt}{/etc/exim4/ssl/exim.crt}}
tls_privatekey = ${if exists{/etc/exim4/ssl/${tls_sni}.key}{/etc/exim4/ssl/${tls_sni}.key}{/etc/exim4/ssl/exim.key}}
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

After making all changes, you must restart the mail server services and the panel itself by running the following commands:

systemctl restart dovecot - restart the Dovecot mail server service;
systemctl restart exim or systemctl restart exim4 for Debian and Ubuntu - restart the Exim mail server service;
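
A check worth running on the exim-certdir directory once the settings above are in place, as an added example that is not part of the original instructions or of ispmanager: tls_certificate and tls_privatekey are expanded independently, so a <domain>.crt without its <domain>.key gets paired with the default exim.key, and the mismatched pair breaks TLS for that domain. The function names, the finding labels and the hostname-character filter applied to the SNI value are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not ispmanager code): audit the directory set as exim-certdir.

# Print the "cert key" pair that the two independent ${if exists{...}}
# expansions above would select for a given SNI name.
resolve_pair() {  # usage: resolve_pair CERTDIR SNI
    local dir="$1" sni="$2" crt="$1/exim.crt" key="$1/exim.key"
    # Assumption of this example: the SNI value comes from the client, so
    # anything that is not a plain hostname is treated as "no SNI".
    case "$sni" in *[!A-Za-z0-9.-]*|*..*) sni= ;; esac
    if [ -n "$sni" ]; then
        if [ -e "$dir/$sni.crt" ]; then crt="$dir/$sni.crt"; fi
        if [ -e "$dir/$sni.key" ]; then key="$dir/$sni.key"; fi
    fi
    printf '%s %s\n' "$crt" "$key"
}

# Print one finding per line for files that would break or weaken TLS.
audit_certdir() {  # usage: audit_certdir CERTDIR
    local dir="$1" f name
    for f in "$dir"/*.crt "$dir"/*.key; do
        [ -e "$f" ] || continue          # glob matched nothing
        name="${f##*/}"
        case "$f" in
        *.crt)
            [ -e "${f%.crt}.key" ] ||
                echo "ORPHAN_CERT $name: would be served with exim.key" ;;
        *.key)
            [ -e "${f%.key}.crt" ] ||
                echo "ORPHAN_KEY $name: would be paired with exim.crt"
            # Private keys must not be readable by "other".
            if [ -n "$(find "$f" -prune -perm -004)" ]; then
                echo "WORLD_READABLE $name"
            fi ;;
        esac
    done
}

# Stand-alone use: pass the certificate directory as the first argument.
if [ "$#" -gt 0 ]; then audit_certdir "$1"; fi
```

Run it against /etc/exim/ssl (or /etc/exim4/ssl on Debian and Ubuntu); no output means every per-domain certificate has its key and no key is world-readable.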