mailcow-dockerized-docs/docs/firststeps-ssl.md

## Let's Encrypt (out-of-the-box)

The newly introduced "acme-mailcow" container (21st of June) will try to obtain a valid LE certificate for you.

!!! warning
    mailcow **must** be available on port 80 for the acme-client to work.
    
By default, which means **0 domains** are added to mailcow, it will try to obtain a certificate for ${MAILCOW_HOSTNAME}.

For each domain you add, it will try to resolve autodiscover.ADDED_MAIL_DOMAIN and autoconfig.ADDED_MAIL_DOMAIN to your servers IPv4 address. If it succeeds, these names will be added as SANs to the certificate request.

You can skip the IP verification by adding SKIP_IP_CHECK=y to mailcow.conf (no quotes). Be warned that a misconfiguration will get you ratelimited by Let's Encrypt! This is primarily useful for multi-IP setups where the IP check would return the incorrect source IP. Due to using dynamic IPs for acme-mailcow, source NAT is not consistent over restarts.

You could add an A record for "autodiscover" but omit "autoconfig", the client will only validate "autodiscover" and skip "autoconfig" then.

For every domain you remove, the certificate will be moved and a new certificate will be requested. It is not possible to keep domains in a certificate, when we are not able validate the challenge for those.

### Additional domain names

Edit "mailcow.conf" and add a parameter "ADDITIONAL_SAN" like this:

!!! info
    Make sure you are using acme-mailcow:1.5 or above in docker-compose.yml - if not, update mailcow first!

Do not use quotes (`"`)!

```
ADDITIONAL_SAN=cert1.example.org,cert1.example.com,cert2.example.org,cert3.example.org
```

Each name will be validated against its IPv4 address.

**Skip Let's Encrypt function**

Add `SKIP_LETS_ENCRYPT=y` to mailcow.conf and restart the stack by running `docker-compose down && docker-compose up -d`.

## Use own certificates

To use your own certificates, just save the combined certificate (containing the certificate and intermediate CA/CA if any) to `data/assets/ssl/cert.pem` and the corresponding key to `data/assets/ssl/key.pem`.

Restart the mailcow stack by running `docker-compose down && docker-compose up -d`.

## Check your configuration

Run `docker-compose logs acme-mailcow` to find out why a validation fails.

To check if nginx serves the correct certificate, simply use a browser of your choice and check the displayed certificate.

To check the certificate served by dovecot or postfix we will use `openssl`:

```
# Connect via SMTP (25)
openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:25
# Connect via SMTPS (465)
openssl s_client -showcerts -connect mx.mailcow.email:465
# Connect via SUBMISSION (587)
openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:587
```
New LE method 2017-06-21 21:39:47 +02:00			`## Let's Encrypt (out-of-the-box)`
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00
New LE method 2017-06-21 21:39:47 +02:00			`The newly introduced "acme-mailcow" container (21st of June) will try to obtain a valid LE certificate for you.`
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00
Added info box 2017-05-06 14:54:03 +02:00			`!!! warning`
Update firststeps-ssl.md 2017-07-04 06:51:42 +02:00			`mailcow must be available on port 80 for the acme-client to work.`
New LE method 2017-06-21 21:39:47 +02:00
			`By default, which means 0 domains are added to mailcow, it will try to obtain a certificate for ${MAILCOW_HOSTNAME}.`
Some minor corrections 2017-05-06 03:51:31 +02:00
New LE method 2017-06-21 21:39:47 +02:00			`For each domain you add, it will try to resolve autodiscover.ADDED_MAIL_DOMAIN and autoconfig.ADDED_MAIL_DOMAIN to your servers IPv4 address. If it succeeds, these names will be added as SANs to the certificate request.`
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00
Added hint to skip ip check in acme-mailcow 2017-07-02 11:20:23 +02:00			`You can skip the IP verification by adding SKIP_IP_CHECK=y to mailcow.conf (no quotes). Be warned that a misconfiguration will get you ratelimited by Let's Encrypt! This is primarily useful for multi-IP setups where the IP check would return the incorrect source IP. Due to using dynamic IPs for acme-mailcow, source NAT is not consistent over restarts.`

New LE method 2017-06-21 21:39:47 +02:00			`You could add an A record for "autodiscover" but omit "autoconfig", the client will only validate "autodiscover" and skip "autoconfig" then.`
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00
New LE method 2017-06-21 21:39:47 +02:00			`For every domain you remove, the certificate will be moved and a new certificate will be requested. It is not possible to keep domains in a certificate, when we are not able validate the challenge for those.`
Added check on SSL 2017-05-09 17:20:59 +02:00
Additional names to SSL certificate 2017-06-21 21:52:05 +02:00			`### Additional domain names`

			`Edit "mailcow.conf" and add a parameter "ADDITIONAL_SAN" like this:`

Fix docs for SSL ADDITIONAL_SAN (using , instead of whitespace, no quotes); Autodiscover now uses vars.local.inc.php 2017-06-28 18:56:01 +02:00			`!!! info`
			`Make sure you are using acme-mailcow:1.5 or above in docker-compose.yml - if not, update mailcow first!`

			Do not use quotes (`"`)!

Additional names to SSL certificate 2017-06-21 21:52:05 +02:00			```
Fix docs for SSL ADDITIONAL_SAN (using , instead of whitespace, no quotes); Autodiscover now uses vars.local.inc.php 2017-06-28 18:56:01 +02:00			`ADDITIONAL_SAN=cert1.example.org,cert1.example.com,cert2.example.org,cert3.example.org`
Additional names to SSL certificate 2017-06-21 21:52:05 +02:00			```

			`Each name will be validated against its IPv4 address.`

Skip LE 2017-06-22 10:35:52 +02:00			`Skip Let's Encrypt function`

			Add `SKIP_LETS_ENCRYPT=y` to mailcow.conf and restart the stack by running `docker-compose down && docker-compose up -d`.

SSL: Use own certificate 2017-06-22 10:34:41 +02:00			`## Use own certificates`

			To use your own certificates, just save the combined certificate (containing the certificate and intermediate CA/CA if any) to `data/assets/ssl/cert.pem` and the corresponding key to `data/assets/ssl/key.pem`.

			Restart the mailcow stack by running `docker-compose down && docker-compose up -d`.

Added check on SSL 2017-05-09 17:20:59 +02:00			`## Check your configuration`

New LE method 2017-06-21 21:39:47 +02:00			Run `docker-compose logs acme-mailcow` to find out why a validation fails.

Added check on SSL 2017-05-09 17:20:59 +02:00			`To check if nginx serves the correct certificate, simply use a browser of your choice and check the displayed certificate.`

			To check the certificate served by dovecot or postfix we will use `openssl`:

			```
			`# Connect via SMTP (25)`
			`openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:25`
			`# Connect via SMTPS (465)`
			`openssl s_client -showcerts -connect mx.mailcow.email:465`
			`# Connect via SUBMISSION (587)`
			`openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:587`
			```