
Resolved SSL Certificate for Mailman

Hi Liwindo,

first, I really hope that you didn't use the provided files from the article to change your webmail templates on your server. Both files are old (August 2014) and don't contain the necessary configuration to secure your server (POODLE vulnerability and other vulnerabilities)! Please don't use provided templates from unofficial sites and ONLY use templates from Odin. Instead, please try to change things in the templates on your own, so that you don't risk issues/failures/problems or, even worse, risk implementing malicious code inside your templates!!!


Back to your question for mailman:

You could try to modify the file "/usr/local/psa/admin/conf/templates/default/server/mailman.php" and use the suggestions from the article you mentioned to fit your needs.
For example:
  1. Copy the desired template from "/usr/local/psa/admin/conf/templates/default/server/" to "/usr/local/psa/admin/conf/templates/custom/server/" (please be aware that the folder "custom" and the subfolder "server" don't exist in a standard configuration; please create both before copying the file!).
  2. You should also be aware that the path "/opt/psa/..." is used in a Debian/Ubuntu environment, while CentOS/RHEL-based systems use the path "/usr/local/psa/..." - but Debian/Ubuntu-based systems have a symlink from "/usr/local/psa" to "/opt/psa", so that all commands with the path "/usr/local/psa/..." will work as well, like the "/opt/psa/..." commands for Debian/Ubuntu-based systems. To avoid issues/problems, you should always convert suggestions written for "/opt/psa/" to "/usr/local/psa/", or the other way round, depending on which operating system you use.
  3. Back to the article you mentioned: the author changed in roundcube.php
    PHP:
    ...
        SSLEngine on
        SSLVerifyClient none
        SSLCertificateFile "<?php echo $ipAddress->sslCertificate->ceFilePath ?>"
    ...
    to
    PHP:
    ...
        SSLEngine on
        SSLVerifyClient none
        SSLCertificateKeyFile "/opt/psa/var/certificates/cert-RwZHgO"
        SSLCertificateFile "/opt/psa/var/certificates/cert-RwZHgO"
        SSLCACertificateFile "/opt/psa/var/certificates/cert-qq8usK"
    ...
    Now please compare this modification with mailman.php and you will see that there is a similar part
    PHP:
    ...
            SSLEngine on
            SSLVerifyClient none
            SSLCertificateFile "<?php echo $VAR->server->defaultSslCertificate->ceFilePath ?>"
    ...
    which you have to change in order to use a specific certificate. Please modify your custom mailman.php at "/usr/local/psa/admin/conf/templates/custom/server/mailman.php" with the suggested example additions above, save the file and reconfigure your webserver with the command "/usr/local/psa/admin/sbin/httpdmng --reconfigure-all" to rebuild your configuration files.
  4. NOTE: Please be aware that the above example will NOT fit your own certificate files. Please read the mentioned German article to find out your very own certificate files and use these!!!

You are not done yet, sorry. Please visit the official Mailman wiki and carefully read the suggestions and workarounds for HTTPS usage at:




Please report any issues/failures/problems, and include log files as well and state your Plesk version (incl. MU) and the operating system, so that investigations can be done faster.
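The four steps above, scripted as an added example (this is not code from the post, from Plesk or from the German article): it copies the stock template into the custom directory, rewrites the default-certificate line, and checks the certificate file before anything is reconfigured. Assumptions, also labelled in the comments: the Plesk template directories named in the post, the /opt/psa vs. /usr/local/psa convention from step 2, and that a Plesk certificate file under /usr/local/psa/var/certificates/ bundles key and certificate in one PEM (which is why the thread's examples point SSLCertificateKeyFile and SSLCertificateFile at the same file). The function names and the lists.example.com hostname are the example's own.

```shell
#!/bin/sh
# Added example, not code from the forum post or from Plesk: scripts the
# four steps above and adds the checks an admin wants before running
# httpdmng --reconfigure-all. Assumptions: Plesk's stock templates live under
# $PSA_ROOT/admin/conf/templates/default, overrides under .../custom, and a
# Plesk certificate file (/usr/local/psa/var/certificates/cert-...) bundles
# the private key and the certificate in one PEM, which is why the thread's
# examples point SSLCertificateKeyFile and SSLCertificateFile at the same file.

PSA_ROOT="${PSA_ROOT:-/usr/local/psa}"

# Step 2 of the post: rewrite a Debian/Ubuntu-style /opt/psa path to the
# /usr/local/psa form, which works on every Plesk OS (symlinked on Debian).
normalize_psa_path() {
    printf '%s\n' "$1" | sed 's#^/opt/psa/#/usr/local/psa/#'
}

# Sanity-check a PEM file before referencing it from a vhost: it must be
# readable and contain a certificate; with "with-key" it must also carry the
# private key (Apache refuses to start without it). Warns if others can read it.
check_cert_bundle() {
    f="$1"
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE-----' "$f" || { echo "no certificate in $f" >&2; return 1; }
    if [ "${2:-}" = "with-key" ]; then
        grep -q 'PRIVATE KEY-----' "$f" || { echo "no private key in $f" >&2; return 1; }
        if [ -n "$(find "$f" -perm -004)" ]; then
            echo "warning: private key in $f is world-readable" >&2
        fi
    fi
    return 0
}

# Steps 1, 3 and 4: copy default/server/mailman.php to custom/server/
# (creating the directories) with the SSL directives pointed at the chosen
# bundle. Usage: customize_mailman_template CERT_BUNDLE [CA_BUNDLE]
customize_mailman_template() {
    cert=$(normalize_psa_path "$1")
    ca=""; [ -z "${2:-}" ] || ca=$(normalize_psa_path "$2")
    src="$PSA_ROOT/admin/conf/templates/default/server/mailman.php"
    dst="$PSA_ROOT/admin/conf/templates/custom/server/mailman.php"

    check_cert_bundle "$cert" with-key || return 1
    [ -z "$ca" ] || check_cert_bundle "$ca" || return 1
    [ -r "$src" ] || { echo "default template not found: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"

    # Replace the line that uses Plesk's default certificate with explicit
    # Key/Cert(/CA) directives, keeping the original indentation. Refuse to
    # write a template in which nothing was replaced.
    awk -v cert="$cert" -v ca="$ca" '
        /SSLCertificateFile .*defaultSslCertificate->ceFilePath/ {
            match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH)
            print ind "SSLCertificateKeyFile \"" cert "\""
            print ind "SSLCertificateFile \"" cert "\""
            if (ca != "") print ind "SSLCACertificateFile \"" ca "\""
            n++; next
        }
        { print }
        END { if (n == 0) exit 3 }
    ' "$src" > "$dst" || { rm -f "$dst"; echo "no default-certificate line found in $src" >&2; return 1; }
    echo "wrote $dst; now run $PSA_ROOT/admin/sbin/httpdmng --reconfigure-all"
}

# After the reconfigure: confirm the vhost really serves the chosen
# certificate for the lists hostname (needs network access; not exercised here).
show_served_cert() {
    host="$1"; ip="${2:-$1}"
    openssl s_client -servername "$host" -connect "$ip:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}
```

Run `customize_mailman_template /usr/local/psa/var/certificates/<your cert file> [<your CA file>]` as root, then the httpdmng command from step 3; afterwards `show_served_cert lists.example.com <server ip>` shows, via SNI, which certificate the rebuilt vhost actually presents for the lists hostname, which is the quickest way to tell a stale configuration from a wrong certificate file.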
 
Thanks, that helps so much!
I've found the part about the last step in the Mailman documentation myself, but not the rest. Is it part of the regular documentation and I've just overlooked it?
 
Hi Liwindo,

no, there is no "official" documentation on how to secure Roundcube and/or Mailman over HTTPS. But the Odin forum (hint: Odin forum SEARCH) contains quite a lot of suggestions, and the Odin KnowledgeBase has solutions for this and that as well. And last but not least, you always have the choice to open a new thread if you have questions, and helpful people will try to investigate your issues/failures/problems with you and answer your questions. ;)
 
An additional problem is the correct configuration for nginx. I guess that nginxVhosts.php has to be customized. Could anyone help me?
 
OK, the solution was easier than I thought. Just add the following code to nginxVhosts.php.

PHP:
<?php /** @var Template_VariableAccessor $VAR */ ?>
<?php foreach ($VAR->server->ipAddresses->all as $ipAddress): ?>
server {
    listen <?php echo $ipAddress->escapedAddress . ':' . $OPT['frontendPort'] . ($OPT['ssl'] ? ' ssl' : '') ?>;
    server_name lists.*;

<?php if ($OPT['ssl']): ?>
<?php $sslCertificate = $ipAddress->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    # "cert-name" stands for the Plesk certificate file to use for lists.*
    # (key and certificate are in the same file, hence the same path twice);
    # ssl_client_certificate only matters for client-certificate auth
    ssl_certificate             /opt/psa/var/certificates/cert-name;
    ssl_certificate_key         /opt/psa/var/certificates/cert-name;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      /opt/psa/var/certificates/cert-name;
<?php       endif ?>
    ssl_session_timeout         5m;

    # neither branch offers SSLv3 (POODLE); only TLS is negotiated
<?php if (get_param('disablesslv3')): ?>
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
<?php else: ?>
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
<?php endif ?>
    ssl_ciphers                 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers   on;
    # this file must exist (generate it with "openssl dhparam"), otherwise
    # nginx fails to load the configuration
    ssl_dhparam                 /etc/ssl/certs/dhparam.pem;
    ssl_session_cache           shared:SSL:10m;
<?php   endif ?>
<?php endif ?>

    client_max_body_size 128m;

    location / {
<?php if ($OPT['ssl']): ?>
        proxy_pass https://<?php echo $ipAddress->proxyEscapedAddress . ':' . $OPT['backendPort'] ?>;
<?php else: ?>
        proxy_pass http://<?php echo $ipAddress->proxyEscapedAddress . ':' . $OPT['backendPort'] ?>;
<?php endif ?>
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

<?php endforeach; ?>
 
Does this work in Onyx too?
I tried it, but the lists.otherdomain.com address doesn't use my manually configured certificate.
Or is there a new option in Onyx for how to use certs with mailing lists under different domains?
Also, how is Let's Encrypt supported for lists?

I also tried to use a cert on my domain itself that covers lists.otherdomain as well, but it worked once and now the lists are going back to using my main domain cert. Strange thing...
 
Sure it works. Here's the code for the template mailman.php:
PHP:
<?php
    $ipAddresses = $VAR->server->ipAddresses->all;
    $ipLimit = $VAR->server->webserver->apache->vhostIpCapacity;
?>

<?php for($ipAddress = reset($ipAddresses); $ipAddress; $ipAddress = next($ipAddresses)): ?>
<VirtualHost <?php
    echo "{$ipAddress->escapedAddress}:{$VAR->server->webserver->httpPort}";
    for ($n = 1; $n < $ipLimit && $ipAddress = next($ipAddresses); ++$n) {
        echo " {$ipAddress->escapedAddress}:{$VAR->server->webserver->httpPort}";
    }
    echo $VAR->server->webserver->proxyActive ? " 127.0.0.1:{$VAR->server->webserver->httpPort}" : '';
    ?>>
    DocumentRoot "<?php echo $VAR->server->webserver->httpDir ?>"
    ServerName lists
    ServerAlias lists.*
    UseCanonicalName Off

<?php foreach ($VAR->server->mailman->scriptAliases as $urlPath => $filePath): ?>
    ScriptAlias "<?php echo $urlPath ?>" "<?php echo $filePath ?>"
<?php endforeach; ?>

<?php foreach ($VAR->server->mailman->aliases as $urlPath => $filePath): ?>
    Alias "<?php echo $urlPath ?>" "<?php echo $filePath ?>"
<?php endforeach; ?>

    <IfModule mod_ssl.c>
        SSLEngine off
    </IfModule>

    # send plain-HTTP requests for the list interface to HTTPS
    RewriteEngine on
    RewriteCond %{HTTPS}        off [NC]
    RewriteRule ^/mailman(/.*)  https://%{HTTP_HOST}/mailman$1   [L,R=permanent]
    RewriteRule ^/cgi-bin/mailman(/.*)  https://%{HTTP_HOST}/cgi-bin/mailman$1   [L,R=permanent]

<?php echo $VAR->includeTemplate('domain/PCI_compliance.php') ?>

    <Directory <?php echo $VAR->server->mailman->varDir ?>/archives/>
        Options FollowSymLinks
    <?php if ($VAR->server->webserver->apache->useRequireOption): ?>
        Require all granted
    <?php else: ?>
        Order allow,deny
        Allow from all
    <?php endif; ?>
    </Directory>

</VirtualHost>
<?php endfor; ?>

<IfModule mod_ssl.c>
<?php for($ipAddress = reset($ipAddresses); $ipAddress; $ipAddress = next($ipAddresses)): ?>
<?php if ($ipAddress->sslCertificate->ce): ?>
<VirtualHost <?php
    echo "{$ipAddress->escapedAddress}:{$VAR->server->webserver->httpsPort}";
    for ($n = 1; $n < $ipLimit && $ipAddress = next($ipAddresses); ++$n) {
        echo " {$ipAddress->escapedAddress}:{$VAR->server->webserver->httpsPort}";
    }
    echo $VAR->server->webserver->proxyActive ? " 127.0.0.1:{$VAR->server->webserver->httpsPort}" : '';
    ?>>
    DocumentRoot "<?php echo $VAR->server->webserver->httpsDir ?>"
    ServerName lists
    ServerAlias lists.*
    UseCanonicalName Off

<?php foreach ($VAR->server->mailman->scriptAliases as $urlPath => $filePath): ?>
    ScriptAlias "<?php echo $urlPath ?>" "<?php echo $filePath ?>"
<?php endforeach; ?>

<?php foreach ($VAR->server->mailman->aliases as $urlPath => $filePath): ?>
    Alias "<?php echo $urlPath ?>" "<?php echo $filePath ?>"
<?php endforeach; ?>

    SSLEngine on
    SSLVerifyClient none
    # YOUR_SSL_FILE: the Plesk certificate file under /usr/local/psa/var/certificates/
    # (key and certificate are in the same file, so both directives point at it).
    # Note: Apache sends intermediate certificates from SSLCertificateChainFile
    # (or from SSLCertificateFile itself in 2.4.8+); SSLCACertificateFile only
    # lists CAs trusted for client certificates, which are not verified here.
    SSLCertificateKeyFile "YOUR_SSL_FILE"
    SSLCertificateFile "YOUR_SSL_FILE"
    SSLCACertificateFile "YOUR_SSL_FILE"

    # HSTS for ten years; requires mod_headers
    Header always set Strict-Transport-Security "max-age=315360000"

<?php echo $VAR->includeTemplate('domain/PCI_compliance.php') ?>

    <Directory <?php echo $VAR->server->mailman->varDir ?>/archives/>
        Options FollowSymLinks
    <?php if ($VAR->server->webserver->apache->useRequireOption): ?>
        Require all granted
    <?php else: ?>
        Order allow,deny
        Allow from all
    <?php endif; ?>
    </Directory>

</VirtualHost>
<?php endif; ?>
<?php endfor; ?>
</IfModule>
 
And for nginxVhosts.php it's:
PHP:
<?php /** @var Template_VariableAccessor $VAR */ ?>
<?php /** @var array $OPT */ ?>
<?php /** @var Template_Variable_IpAddress $ipAddress */ ?>


<?php foreach ($VAR->server->ipAddresses->all as $ipAddress): ?>
server {
    listen <?php echo "{$ipAddress->escapedAddress}:{$OPT['frontendPort']}" .
        ($ipAddress->isIpV6 ? ' ipv6only=on' : '') .
        ($OPT['ssl'] ? ' ssl' : '') ?>;

<?php if ($OPT['ssl']): ?>
<?php $sslCertificate = $ipAddress->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    ssl_certificate             <?php echo $sslCertificate->ceFilePath ?>;
    ssl_certificate_key         <?php echo $sslCertificate->ceFilePath ?>;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      <?php echo $sslCertificate->caFilePath ?>;
<?php       endif ?>
<?php   endif ?>
<?php endif ?>

<?php echo $VAR->includeTemplate('service/nginxSitePreview.php') ?>

    location / {
<?php if ($OPT['ssl']): ?>
        proxy_pass https://<?php echo $ipAddress->proxyEscapedAddress . ':' . $OPT['backendPort']; ?>;
<?php else: ?>
        proxy_pass http://<?php echo $ipAddress->proxyEscapedAddress . ':' . $OPT['backendPort']; ?>;
<?php endif ?>
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

<?php endforeach; ?>

<?php foreach ($VAR->server->ipAddresses->all as $ipAddress): ?>
server {
    listen <?php echo $ipAddress->escapedAddress . ':' . $OPT['frontendPort'] . ($OPT['ssl'] ? ' ssl' : '') ?>;
    server_name lists.*;

<?php if ($OPT['ssl']): ?>
<?php $sslCertificate = $ipAddress->sslCertificate; ?>
<?php   if ($sslCertificate->ce): ?>
    # YOUR_SSL_FILE: the Plesk certificate file holding key and certificate;
    # nginx reads intermediates from the ssl_certificate file itself, while
    # ssl_client_certificate only matters for client-certificate auth
    ssl_certificate             YOUR_SSL_FILE;
    ssl_certificate_key         YOUR_SSL_FILE;
<?php       if ($sslCertificate->ca): ?>
    ssl_client_certificate      YOUR_SSL_FILE;
<?php       endif ?>
    ssl_session_timeout         5m;
<?php   endif ?>
<?php endif ?>

<?php echo $VAR->includeTemplate('service/nginxSitePreview.php') ?>

    location / {
<?php if ($OPT['ssl']): ?>
        proxy_pass https://<?php echo $ipAddress->proxyEscapedAddress . ':' . $OPT['backendPort']; ?>;
<?php else: ?>
        proxy_pass http://<?php echo $ipAddress->proxyEscapedAddress . ':' . $OPT['backendPort']; ?>;
<?php endif ?>
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

<?php endforeach; ?>
 