
Roundcube Webmail SSL

Ric878

New Pleskian
Hi,

How can I install my own SSL certificate rather than use the self-signed certificate created by Plesk for Roundcube webmail? Also, is it possible to have each domain use its own SSL cert for webmail?

Thanks
 
What I do is install my webmail certificate in

Plesk -> Tools & Settings -> SSL Certificates

And then go to

Plesk -> Tools & Settings -> Database Servers -> PHPMyAdmin -> psa -> certificates

Get the file names for the webmail cert and make a custom horde and roundcube templates* with..

Apache files (horde.php and roundcube.php)
Code:
    SSLCertificateKeyFile "/opt/psa/var/certificates/cert-name"
    SSLCertificateFile "/opt/psa/var/certificates/cert-name"
    SSLCACertificateFile "/opt/psa/var/certificates/cert-name"

Nginx File (nginxWebmailPartial.php)
Code:
    ssl_certificate               /opt/psa/var/certificates/cert-name;
    ssl_certificate_key         /opt/psa/var/certificates/cert-name;
    ssl_client_certificate      /opt/psa/var/certificates/cert-name;

I do this because the CA directives are missing from the default Apache2 templates.
Oh btw, the above paths are for Ubuntu; if on CentOS I think the psa folder is in /usr/local/.

*Templates are located in

/opt/psa/admin/conf/templates/default

copy the above files to

/opt/psa/admin/conf/templates/custom

and then edit.

Once you have done that, send your customers to the correct URL (that your SSL is for) so they don't get any certificate warnings. And if you check your URL at ssllabs you won't get any chain issues.

What we need is a button in SSL Certs to "secure webmail" like we have for Plesk!

I hope that helps.

Kind regards

Lloyd
 
Can you please clarify the following steps:

*Templates are located in

/opt/psa/admin/conf/templates/default
copy the above files to

/opt/psa/admin/conf/templates/custom
and then edit.

I am confused because there are so many files inside.
 
Hi Lloyd,

Thanks for the follow up. After making the changes should I be running a command like:

/usr/local/psa/admin/bin/httpdmng --reconfigure-all



What I do is install my webmail certificate in



And then go to



Get the file names for the webmail cert and make a custom horde and roundcube templates* with..

Apache files (horde.php and roundcube.php)
Code:
    SSLCertificateKeyFile "/opt/psa/var/certificates/cert-name"
    SSLCertificateFile "/opt/psa/var/certificates/cert-name"
    SSLCACertificateFile "/opt/psa/var/certificates/cert-name"

Nginx File (nginxWebmailPartial.php)
Code:
    ssl_certificate               /opt/psa/var/certificates/cert-name;
    ssl_certificate_key         /opt/psa/var/certificates/cert-name;
    ssl_client_certificate      /opt/psa/var/certificates/cert-name;

I do this because the CA directives are missing from the default Apache2 templates.
Oh btw the above paths are for Ubuntu if on CentOS I think the psa folder is in /usr/local/.

*Templates are located in



copy the above files to



and then edit.

Once you have done that send you customers to correct url (that your SSL is for) so they don't get any certificate warnings. And if you check your url at ssllabs you won't get any chain issues.

What we need is a button is SSL Certs to "secure webmail" like we have for plesk!

I hope that helps.

Kind regards

Lloyd
 
Only copy

Code:
/opt/psa/admin/conf/templates/default/horde.php
/opt/psa/admin/conf/templates/default/roundcube.php
/opt/psa/admin/conf/templates/default/nginxWebmailPartial.php

to a folder called

Code:
/opt/psa/admin/conf/templates/custom

create it if you need to.

Then you can edit the files
Code:
/opt/psa/admin/conf/templates/custom/horde.php
/opt/psa/admin/conf/templates/custom/roundcube.php
/opt/psa/admin/conf/templates/custom/nginxWebmailPartial.php

and run
Code:
/opt/psa/admin/bin/httpdmng --reconfigure-all

to re-generate the configuration files.

I hope that's clearer :)

Kind regards

Lloyd
 
Lloyd,

Hopefully this is the last question. When I ran the reconfigure command I got some errors and apache did not restart. I assume it has to do with my modifications to the files. Where do I enter the code into the php files? Should I add at the very beginning of the file?

Yeah that's right, I haven't found one that just does the webmail domain.
 
Ric878, I am sorry for hijacking your thread.

Lloyd, I have done it. The SSL seems to be working, but how can I force HTTPS on the webmail?
 
No probs, glad I can help.

The horde.php file around line 83 is

Code:
SSLCertificateFile "<?php echo $ipAddress->sslCertificate->ceFilePath ?>"

That needs to be replaced with the 3 directives I mention above.

The roundcube.php file around line 86, same thing.

And in nginxWebmailPartial.php, lines 12, 13 and 15 are the lines/directives you want to look for.
I completely remove lines 10 to 22 and replace them...

Code:
<?php if ($OPT['ssl']): ?>
<?php $sslCertificate = $ipAddress->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
    ssl_session_timeout         5m;

    ssl_protocols               SSLv2 SSLv3 TLSv1;
    ssl_ciphers                 HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
<?php   endif ?>
<?php endif ?>

Goes to something like..

Code:
<?php if ($OPT['ssl']): ?>
    ssl_certificate             /opt/psa/var/certificates/cert-name;
    ssl_certificate_key         /opt/psa/var/certificates/cert-name;
    ssl_client_certificate      /opt/psa/var/certificates/cert-name;
    ssl_session_timeout         5m;
    ssl_prefer_server_ciphers   on;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 HIGH:!aNULL:!MD5;
<?php endif ?>

You can add HSTS, OCSP, ssl_session_cache, ssl_ecdh_curve and dhparam in there too.

I hope that helps

Kind regards

Lloyd
 
Ric878, I am sorry for hijacking your thread.

Lloyd, I have done it. The SSL seems to be working, but how can I force HTTPS on the webmail?

Well I just add HSTS in the above SSL directives group.

Add in the nginxWebmailPartial.php (in the same block as the SSL Directives)

Code:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

And the Apache version (only needed if you don't run nginx), horde.php and roundcube.php

Code:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

I hope that helps a bit anyway.

Kind regards

Lloyd
 
Thank you for the kind reply,
I found this file roundcube.htaccess.inc in /etc/httpd/conf/plesk.conf.d and then added
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

It's working but the problem is I have two domains hosted .. now the other domain's webmail.domainname.com shows the ssl for the one Installed .. I don't think we have individual options to secure the webmail domains.
 
Thank you for the kind reply,

It's working but the problem is I have two domains hosted .. now the other domain's webmail.domainname.com shows the ssl for the one Installed .. I don't think we have individual options to secure the webmail domains.

Cool, no problem.
No we don't. I find the best option is to tell all customers to use the main url, same with Plesk itself.
 
Lloyd,

I really appreciate your help. With your instructions I was able to get this working perfectly.

Best,
Ricardo
 
No problem, glad I could help Ricardo.

To round off the thread here's what it looks like with HSTS, OCSP, SSL Session Cache, 4096Bit dhparam (you need to generate this yourself) and secp384r1 ECDH curve.

Code:
<?php if ($OPT['ssl']): ?>
    ssl_ecdh_curve              secp384r1;
    ssl_dhparam                 /etc/ssl/dh.pem;
    ssl_certificate             /opt/psa/var/certificates/cert-name;
    ssl_certificate_key         /opt/psa/var/certificates/cert-name;
    ssl_client_certificate      /opt/psa/var/certificates/ca-name;
    ssl_session_timeout         5m;
    ssl_session_cache           shared:SSL:5m;
    ssl_prefer_server_ciphers   on;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL;
    add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains";
    ssl_stapling                on;
    ssl_stapling_verify         on;
    ssl_trusted_certificate     /etc/ssl/inter-and-ca-combined.pem;
    resolver                    8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout            10s;
<?php endif ?>

The cipher string above is from Qualys' "Configuring Apache, Nginx, and OpenSSL for Forward Secrecy", with the correct separators.
Once again, glad I could help

Kind regards

Lloyd
 
Can you please kindly tell me where does the generated vhost file for webmail reside after we configure this.

I have done the same process in new VPS server but the problem is

webmail.myserver.com now shows the ssl of my server.myserver.com

What could be the problem ??

I have exactly followed the same steps which I carried out before and it worked excellent.
 
The generated files are located...

Apache Files
Code:
/etc/apache2/plesk.conf.d/horde.conf
/etc/apache2/plesk.conf.d/roundcube.conf

Nginx Files
Code:
/etc/nginx/plesk.conf.d/webmail.conf

Are the file certificate names correct?
 
Thank you for your kind reply.

The path was /etc/httpd/conf/plesk.conf.d/roundcube.conf

and the file has the SSL parameters I have configured.

Yes I checked they are correct
I have used the following
private.key
certificate.crt
ca.crt

Code:
SSLEngine on
        SSLVerifyClient none
        SSLCertificateKeyFile "/usr/local/psa/var/certificates/private.key"
        SSLCertificateFile "/usr/local/psa/var/certificates/certificate.crt"
        SSLCACertificateFile "/usr/local/psa/var/certificates/ca.crt"

It presents the valid certificate I installed for server.mydomain.com ...

So what could be the problem ?
 
I recently installed nginx and followed the above for nginx

It doesn't seem to work I am getting the following error please help
Code:
/usr/local/psa/admin/bin/httpdmng --reconfigure-all
Execution failed.
Command: httpdmng
Arguments: Array
(
    [0] => --reconfigure-server
    [1] => -no-restart
)

Details: [2014-08-04 16:54:43] ERR [util_exec] proc_close() failed
[2014-08-04 16:54:44] ERR [panel] Apache config (14071505830.14904200) generation failed: Template_Exception: nginx: [emerg] "ssl_certificate" directive is duplicate in /etc/nginx/plesk.conf.d/webmail.conf:16
nginx: configuration file /etc/nginx/nginx.conf test failed

file: /usr/local/psa/admin/plib/Template/Writer/Webserver/Abstract.php
line: 75
code: 0
nginx: [emerg] "ssl_certificate" directive is duplicate in /etc/nginx/plesk.conf.d/webmail.conf:16
nginx: configuration file /etc/nginx/nginx.conf test failed
 
Hi KamalG,
looks like you have 2 ssl_certificate directives in the template.
Hope that helps
Regards

Lloyd
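
Added example, not part of any post in this thread and not Plesk's own code: a small Python lint for a generated webmail.conf that reports the `"ssl_certificate" directive is duplicate` condition from the error above, counted per server block, along with legacy `ssl_protocols` values such as those in the default template. The sample config is constructed, and the one-per-block rule is assumed to match the nginx used in the thread (nginx 1.11.0 and later accept one certificate pair per key type).

```python
import re
from collections import defaultdict

ONCE = ("ssl_certificate", "ssl_certificate_key")  # once per block before nginx 1.11.0 (assumed)
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}    # RFC 6176, RFC 7568, RFC 8996
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};\n]|[^\s{};"\']+')
# Constructed sample, not a real Plesk-generated file.
SAMPLE = """\
server {
    ssl_certificate      /opt/psa/var/certificates/cert-name;
    ssl_certificate_key  /opt/psa/var/certificates/cert-name;
    ssl_certificate      /opt/psa/var/certificates/cert-name;
    ssl_protocols        SSLv3 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
server {
    ssl_certificate      /opt/psa/var/certificates/cert-name;
}
"""

def statements(text):
    """Yield (block_id, line_no, words) for every ';'-terminated directive."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments; assumes no '#' inside values
    stack, next_id, words, line = [0], 1, [], 1
    for tok in TOKEN.findall(text):      # a quoted string is one token, so its ';' is data
        if tok == "\n":
            line += 1
        elif tok == "{":
            stack, next_id, words = stack + [next_id], next_id + 1, []
        elif tok == "}":
            stack, words = stack[:-1] or [0], []
        elif tok == ";":
            if words:
                yield stack[-1], line, words
            words = []
        else:
            words.append(tok)

def lint(text):
    """Return sorted (line_no, message) findings for a webmail.conf string."""
    found, seen = [], defaultdict(list)
    for block, line, (name, *args) in statements(text):
        if name in ONCE:
            seen[block, name].append(line)
        elif name == "ssl_protocols":
            found += [(line, "legacy protocol: " + p) for p in args if p in LEGACY]
    for (_, name), lines in seen.items():
        found += [(n, f'"{name}" directive is duplicate') for n in lines[1:]]
    return sorted(found)
```

Calling `lint(open("/etc/nginx/plesk.conf.d/webmail.conf").read())` after editing the custom template shows whether a leftover default `ssl_certificate` line is still being emitted alongside the hard-coded one.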
 