ISPmanager 6 Lite, Pro, Host Documentation

SSL certificates for mail domains


Managing SSL certificates for mail domains

You can use an SSL-certificate for every domain.

When you create or edit a domain, select the Secure connection (SSL) checkbox.

You will see a list of available SSL-certificate. If they are not found, you will be able to generate a self-signed certificate.


Certificates can be used for domains only with Exim and Dovecot configured.

Setup and configuration


Attention! Default activation of SSL-certificates on mail domains is enabled only for new installations. That's why when you update the already install control panel, you will need to set up it manually.

  • Navigate to the /usr/local/mgr5/etc/ispmgr.conf.d directory, and edit two files:

exim.conf. Add the following string at the end of the configuration file:

path exim-certdir /path_to_exim/ssl

dovecot.conf. Add the following string at the end of the configuration file:

path dovecot-certconf /path_to_dovecot/certs
  • Edit the Dovecot configuration file

/path_to_dovect/conf.d/10-ssl.conf. Add the following information:

ssl = yes
ssl_cert = </etc/exim/ssl/exim.crt
ssl_key = </etc/exim/ssl/exim.key
!include_try /path_to_dovecot/certs/*.conf
  • Edit the Exim configuration file:

/path_to_exim/exim.conf. Edit the SSL settings:

log_selector =  \
       +all_parents \
       +lost_incoming_connection \
       +received_sender \
       +received_recipients \
       +tls_cipher +tls_peerdn +tls_sni \
       +smtp_confirmation \
       +smtp_syntax_error \

 tls_advertise_hosts = *
 tls_certificate = ${if exists{/etc/exim/ssl/${tls_sni}.crt}{/etc/exim/ssl/${tls_sni}.crt}{/etc/exim/ssl/exim.crt}}
 tls_privatekey = ${if exists{/etc/exim/ssl/${tls_sni}.key}{/etc/exim/ssl/${tls_sni}.key}{/etc/exim/ssl/exim.key}}
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465

Location of certificates

By default all user certificates are located in /var/www/httpd-cert/user_name.

After domain registration or creation, certificates will be activated as follows:

Exim — copies of the certificate and key are created in the /path_to_exim/ssl directory

named domain_name.crt and domain_name.key

Dovecot — symlinks to the certificate and key are created in the /etc/email/certs directory

named domain_name.crt and domain_name.key correspondingly.

The domain_name.conf configuration files are created in the /path_to_dovecot/certs directory with the following strings:

local_name domain_name {
       ssl_cert = </etc/email/certs/domain_name.crt
       ssl_key = </etc/email/certs/domain_name.key

Editing top-level certificate

During preliminary setup of Exim and Dovecot, a single, "top-level" certificate is activated. A server administrator can edit it.

ISPmanager Lite (Pro, Host)

Navigate to Domains ->Mail domains and click the SSL certificate button.

On the form that will open, you will see the SSL certificate, its key and chain will be displayed. You can edit those data and save the result.

ISPmanager Business

Navigate to Cluster settings ->Cluster nodes. The SSL certificate button will get activated after you assign a mail role to that cluster node. Then you can perform the same operations as in ISPmanager Lite (Pro, Host).

Connecting Let's Encrypt certificates

To connect a Let's Encrypt SSL certificate to email domains:

  1. Get a Let's Encrypt certificate. Enter Web-server settingsSSL certificatesLet's Encrypt button. You can use a wildcard certificate for your mail domains.
  2. Enter DomainsMail domains → select the domain → Website management → Website settings → enable Secure connection (SSL) → select the issued Let's Encrypt certificate → Ok.

Read more about how Let's Encrypt certificates work in Integration with Let’s Encrypt.

Thank you for your feedback!
Was the article useful?
Tell us why not:

it does not match the title

it was hard to understand

I didn't find the answer

recommendations from the article did not help


Tell us what you didn't like in the article: