Skip to content

SSL/TLS Certificates

Configure SSL/TLS certificates for secure HTTPS access to the Mailborder web interface and encrypted SMTP connections.

Overview

Mailborder uses SSL/TLS certificates for:

  1. HTTPS Web Interface - Secure admin access
  2. SMTP TLS - Encrypted email transmission
  3. API Access - Secure API connections

Certificate Types

Self-Signed Certificates

Included by default - Generated during installation.

Advantages: - Free - Immediate availability - No external dependencies

Disadvantages: - Browser warnings ("Not secure") - Not trusted by email clients - Must manually trust

Use Case: Testing, internal use only

Commercial Certificates

Purchased from Certificate Authority (DigiCert, GlobalSign, etc.)

Advantages: - Trusted by all browsers - No warnings - Professional appearance - Extended validation available

Disadvantages: - Annual cost ($50-$500+) - Renewal process

Use Case: Production deployments, customer-facing

Let's Encrypt Certificates

Free automated certificates from Let's Encrypt.

Advantages: - Free - Trusted by all browsers - Automatic renewal - Easy setup

Disadvantages: - Requires Internet connectivity - Requires domain pointing to server - 90-day validity (auto-renewed)

Use Case: Production deployments with Internet access (recommended)

Installing SSL Certificates

Prerequisites: - Domain name pointing to your server - Port 80 accessible from Internet - Internet connectivity

Install Certbot:

sudo apt update
sudo apt install certbot python3-certbot-nginx

Obtain Certificate:

# For Nginx (automatic configuration)
sudo certbot --nginx -d mailborder.example.com

# Manual (just obtain certificate)
sudo certbot certonly --webroot -w /var/www/html -d mailborder.example.com

Certificate Locations:

Certificate: /etc/letsencrypt/live/mailborder.example.com/fullchain.pem
Private Key: /etc/letsencrypt/live/mailborder.example.com/privkey.pem

Configure Mailborder:

sudo mb-config set ssl.cert /etc/letsencrypt/live/mailborder.example.com/fullchain.pem
sudo mb-config set ssl.key /etc/letsencrypt/live/mailborder.example.com/privkey.pem
sudo systemctl reload nginx

Test:

Navigate to https://mailborder.example.com - No warnings!

Automatic Renewal:

Let's Encrypt certificates expire in 90 days. Certbot auto-renews:

# Test renewal
sudo certbot renew --dry-run

# Check auto-renewal timer
sudo systemctl status certbot.timer

Renewal happens automatically via SystemD timer.

Option 2: Commercial Certificate

Obtain Certificate:

  1. Generate CSR (Certificate Signing Request)
  2. Submit to CA (Certificate Authority)
  3. Complete validation
  4. Download certificate files

Generate CSR:

# Generate private key and CSR
sudo openssl req -new -newkey rsa:2048 -nodes \
  -keyout /etc/mailborder/ssl/mailborder.key \
  -out /etc/mailborder/ssl/mailborder.csr

Prompts: 

Country Name: US
State: California
Locality: San Francisco
Organization: Your Company
Organizational Unit: IT
Common Name: mailborder.example.com
Email Address: admin@example.com

Submit CSR:

Copy contents of mailborder.csr and paste into CA's order form.

Download Certificate:

After validation, download: - mailborder.crt - Your certificate - intermediate.crt - Intermediate certificate(s) - root.crt - Root certificate (optional)

Create Certificate Chain:

cat mailborder.crt intermediate.crt > /etc/mailborder/ssl/mailborder-chain.crt

Install Certificate:

sudo cp mailborder-chain.crt /etc/mailborder/ssl/mailborder.crt
sudo cp mailborder.key /etc/mailborder/ssl/mailborder.key
sudo chmod 600 /etc/mailborder/ssl/mailborder.key
sudo chown root:root /etc/mailborder/ssl/*

Configure Mailborder:

sudo mb-config set ssl.cert /etc/mailborder/ssl/mailborder.crt
sudo mb-config set ssl.key /etc/mailborder/ssl/mailborder.key
sudo systemctl reload nginx

Renewal:

Commercial certificates typically valid for 1 year. Set reminder to renew before expiration.

Option 3: Self-Signed Certificate

Only for testing or internal use.

Generate Self-Signed Certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/mailborder/ssl/selfsigned.key \
  -out /etc/mailborder/ssl/selfsigned.crt \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=mailborder.example.com"

Install Certificate:

sudo chmod 600 /etc/mailborder/ssl/selfsigned.key
sudo mb-config set ssl.cert /etc/mailborder/ssl/selfsigned.crt
sudo mb-config set ssl.key /etc/mailborder/ssl/selfsigned.key
sudo systemctl reload nginx

Trust Certificate (on client):

To avoid browser warnings, import selfsigned.crt into browser/OS certificate store.

Not recommended for production - Users will see warnings.

Configuring Nginx

Manual Nginx Configuration

Edit /etc/nginx/sites-available/mailborder:

server {
    listen 443 ssl http2;
    server_name mailborder.example.com;

    # SSL Certificate
    ssl_certificate /etc/mailborder/ssl/mailborder.crt;
    ssl_certificate_key /etc/mailborder/ssl/mailborder.key;

    # SSL Configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # SSL Session Cache
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/mailborder/ssl/mailborder.crt;

    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    root /srv/mailborder/master;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

# HTTP to HTTPS Redirect
server {
    listen 80;
    server_name mailborder.example.com;
    return 301 https://$server_name$request_uri;
}

Test Configuration:

sudo nginx -t

Reload Nginx:

sudo systemctl reload nginx

SMTP TLS Configuration

Use TLS certificates for encrypted email transmission.

Configure Postfix

Edit /etc/postfix/main.cf:

# TLS for incoming connections
smtpd_tls_cert_file = /etc/mailborder/ssl/mailborder.crt
smtpd_tls_key_file = /etc/mailborder/ssl/mailborder.key
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high

# TLS for outgoing connections
smtp_tls_cert_file = /etc/mailborder/ssl/mailborder.crt
smtp_tls_key_file = /etc/mailborder/ssl/mailborder.key
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high

# TLS Session Cache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# TLS Logging
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

Reload Postfix:

sudo postfix reload

Test:

openssl s_client -connect mailborder.example.com:25 -starttls smtp

Certificate Verification

Test SSL Configuration

Web Interface:

# Check certificate
openssl s_client -connect mailborder.example.com:443 -showcerts

# Using curl
curl -vI https://mailborder.example.com

SMTP TLS:

openssl s_client -connect mailborder.example.com:25 -starttls smtp

Online SSL Test

SSL Labs:

https://www.ssllabs.com/ssltest/analyze.html?d=mailborder.example.com

Checks: - Certificate validity - Protocol support - Cipher strength - Vulnerabilities - Overall grade (A+ is best)

Qualys SSL Server Test:

https://www.ssllabs.com/ssltest/

Check Certificate Expiration

# Check expiration date
openssl x509 -in /etc/mailborder/ssl/mailborder.crt -noout -enddate

# Check with specific date format
openssl x509 -in /etc/mailborder/ssl/mailborder.crt -noout -dates

Output: 

notBefore=Jan 15 00:00:00 2025 GMT
notAfter=Jan 15 00:00:00 2026 GMT

Set Up Expiration Alerts:

# Add to crontab
0 0 * * * /usr/local/bin/check-ssl-expiration.sh

check-ssl-expiration.sh: 

#!/bin/bash
CERT="/etc/mailborder/ssl/mailborder.crt"
DAYS_WARNING=30

EXPIRY=$(openssl x509 -in "$CERT" -noout -enddate | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
CURRENT_EPOCH=$(date +%s)
DAYS_REMAINING=$(( ($EXPIRY_EPOCH - $CURRENT_EPOCH) / 86400 ))

if [ $DAYS_REMAINING -lt $DAYS_WARNING ]; then
    echo "SSL Certificate expiring in $DAYS_REMAINING days!" | \
        mail -s "SSL Certificate Expiration Warning" admin@example.com
fi

Troubleshooting

Browser Shows "Not Secure"

Causes: - Self-signed certificate - Expired certificate - Hostname mismatch - Incomplete certificate chain

Solutions:

  1. Check certificate details: 

    openssl x509 -in /etc/mailborder/ssl/mailborder.crt -noout -text

  2. Verify hostname matches: CN should match your domain.

  3. Check chain: 

    openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /etc/mailborder/ssl/mailborder.crt

  4. Install Let's Encrypt: Free and trusted alternative.

SMTP TLS Not Working

Check Postfix configuration:

postconf | grep tls

Test TLS:

openssl s_client -connect localhost:25 -starttls smtp

Check logs:

sudo tail -f /var/log/mail.log | grep TLS

Common issues: - Certificate/key path wrong - Permissions incorrect (must be readable by postfix) - Certificate expired

Certificate Renewal Failed

Let's Encrypt renewal issues:

# Check renewal status
sudo certbot renew --dry-run

# Force renewal
sudo certbot renew --force-renewal

# Check logs
sudo tail -f /var/log/letsencrypt/letsencrypt.log

Common causes: - Port 80 not accessible - Domain doesn't point to server - Rate limit reached (5 renewals per 7 days)

Expired Certificate

Replace immediately:

# Generate new Let's Encrypt cert
sudo certbot renew --force-renewal

# Or install new commercial cert
sudo cp new-cert.crt /etc/mailborder/ssl/mailborder.crt
sudo systemctl reload nginx

Best Practices

  1. Use Let's Encrypt
  2. Free, trusted, auto-renewal

  3. Perfect for most deployments

  4. Enable HTTPS Redirect

  5. All HTTP → HTTPS

  6. No unencrypted access

  7. Strong Ciphers Only

  8. Disable SSLv3, TLSv1.0, TLSv1.1

  9. Use TLS 1.2 and 1.3

  10. Monitor Expiration

  11. Set alerts for 30 days before expiry

  12. Test renewal process regularly

  13. Use Same Certificate Everywhere

  14. Web interface and SMTP

  15. Consistent experience

  16. Enable HSTS

  17. Force HTTPS for returning visitors

  18. Prevent downgrade attacks

  19. Test Regularly

  20. SSL Labs test quarterly

  21. Verify certificate chain

  22. Document Renewal Process

  23. Especially for commercial certs
  24. Include vendor contact info

Certificate Management Tools

Certbot

Manage Let's Encrypt certificates:

# List certificates
sudo certbot certificates

# Renew specific cert
sudo certbot renew --cert-name mailborder.example.com

# Delete certificate
sudo certbot delete --cert-name mailborder.example.com

# Expand certificate (add domain)
sudo certbot --nginx -d mailborder.example.com -d www.mailborder.example.com

OpenSSL

Certificate inspection and manipulation:

# View certificate
openssl x509 -in cert.crt -noout -text

# Check if cert matches key
openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl rsa -noout -modulus -in cert.key | openssl md5

# Convert formats
openssl x509 -inform DER -in cert.cer -out cert.pem

# Extract certificate from server
openssl s_client -connect mailborder.example.com:443 2>/dev/null | \
  openssl x509 -out cert.pem

Next Steps