How do I configure a mail server with SSL behind an Nginx Proxy Manager server?

Question

I have an Nginx Proxy Manager server in front of my various web-facing servers and my mail server (modoboa). The issue I'm facing is that my mail server wants the ssl_certificate for the nginx configuration locally. Where another service has some web-facing portal, I can just define a simple server context with port 80 on said server and use Nginx Proxy Manager to handle Let's Encrypt certs and 443 proxying. Currently, my work-around for the mail server is to generate the SSL certificates on the Nginx Proxy Manager server then manually copy them to the appropriate locations defined by the mail server's nginx configuration. This has several downsides, the most important of which is that these certs are rather short-lived and need renewing which then necessitates re-copying them (and remembering to do so!).

I'm sure this is an issue that is easily addressed. I would just like my Nginx Proxy Manager to be the sole SSL repository and for upstream servers like my mail server to look to it for SSL certs. I've searched extensively, however, and this seems to be particularly challenging for mail applications due to limitations on things like, e.g., streams for nginx. Hopefully someone here can point me to a simple guide for improving my network.

Network flow

The above is my current configuration. I've tried various proxy and mail context settings within nginx but have not yet found any solution to the downstream SSL issue.

Apologies if I've got my upstream/downstream terminology backwards.

Answer 1

I have the same setup. I have iRedmail setup on a separate server and NPM as a proxy for all servers. I redirect sIMAP (post 587) and sSMTP (port 143) traffic directly from my router to the iRedMail server. All other traffic goes through NPM.

All certificates are handled by the NPM lets_encrypt facilities. I move the specific certificate from NPM to iRedMail this way:

I have created ssh certificate based login on the NPM server by generating a ssh certificate on the IredMail server:

ssh-keygen

Copy the public part to NPM:

ssh-copy-id <username>@NPM-host

now the a root account on iRedMail can ssh to NPM and fecth files through a script

On NPM create a script that makes a copy of the correct lets-encrypt files from the /etc/letsencrypt/live/NPM-/ dir like

#!/bin/bash
cp /etc/letsencrypt/live/npm-xx/fullchain.pem /home/<privuser>/domainename/.
cp /etc/letsencrypt/live/npm-xx/privkey.pem /home/<privuser>/domainename/.
cp /etc/letsencrypt/live/npm-xx/chain.pem /home/<privuser>/domainename/.
cp /etc/letsencrypt/live/npm-xx/cert.pem /home/<privuser>/domainename/.

chmod 644 /home/<privuser>/domainename/*.pem

Put this in "root's" crontab file with crontab -e since only root can access and copy all of the lets-encrypt files

on the iRedMail host modify root's crontab so that you stop the letsencrypt cron job from running and replace the existing lets-encrypt files with the ones that we are going to copy from the NPM host like

#stop renewal of lets-encrypt on the mailserver
#1   7   *   *   *   certbot renew --post-hook '/usr/sbin/service postfix restart; /usr/sbin/service nginx restart; /usr/sbin/service d>
    
#Fetch the lets-encrypt files from NPM server
 10 11 * * * rsync -avz -e ssh <privuser@<hostIP>:/home/<privuser>/domainname/*.pem <domainname>/.

#copy the fetched files to the correct locations
11 11 * * * cp /root/<domainname>/fullchain.pem /etc/letsencrypt/archive/<domainname>/fullchain1.pem
11 11 * * * cp /root/<domainname>/privkey.pem /etc/letsencrypt/archive/<domainname>/privkey1.pem
11 11 * * * cp /root/<domainname>/cert.pem /etc/letsencrypt/archive/<domainname>/cert1.pem
11 11 * * * cp /root/<domainname>/chain.pem /etc/letsencrypt/archive/<domainname>/chain1.pem

now you have the NPM lets-encrypt certificates on the mail (or other) server.

Answer 2

Sorry, I cannot comment to answer the questions from @cyberneko2020, and I'm not the original answer author. But I can clarify if someone needs it.

First, it looks like this crontab entry was truncated by your terminal c&p, could you post the whole thing? I imagine it's a dovecot restart but not sure if you're restarting more: #1 7 * * * certbot renew --post-hook '/usr/sbin/service postfix restart; /usr/sbin/service nginx restart; /usr/sbin/service d> As well, I imagine it shouldn't commented out given your explanation so that's probably an errant hashmark.

This is not an error - @Jens-k is disabling an existing crontab entry, a built-in certificate renewal of iRedmail. So it's not really the point what was truncated by terminal. The line starting with certbot should be commented as we are replacing this mechanism with our custom certificate copy process.

Second, is your iRedMail server not connected to your nginxpm as root? I take it that's the reason for not accessing the certs directly.

Correct, @Jens-k is not logging in as root via SSH to nginxpm server. They have created a separate user account <privuser> on nginxpm server for this. It's a good approach from security perspective.

You'll also need to put the code that copies certificates from nginxpm to that <privuser> user directory into a script on nginxpm server, let's say /root/copycerts.sh

#!/bin/bash
cp /etc/letsencrypt/live/npm-xx/fullchain.pem /home/<privuser>/domainename/.
cp /etc/letsencrypt/live/npm-xx/privkey.pem /home/<privuser>/domainename/.
cp /etc/letsencrypt/live/npm-xx/chain.pem /home/<privuser>/domainename/.
cp /etc/letsencrypt/live/npm-xx/cert.pem /home/<privuser>/domainename/.

chmod 644 /home/<privuser>/domainename/*.pem

Then make the script file executable for root and inaccessible for others

chmod 700 /root/copycerts.sh

And, finally, add an entry to root's crontab on nginxpm server

# Run the script to copy letsencrypt certificates to user's directory for further distribution  
9 11 * * * /root/copycerts.sh