I have SmarterMail running with multiple domains using nginx. After SmarterTools helped me resolve the status indicator spinner issue, I decided it might be helpful to some of you to see what I've done that works, and hopefully some of you that have more experience with Linux and nginx can point out mistakes or better practices to me. My work is based on the sample SmarterTools provided and various samples on the web.
This is an Ubuntu 24.04 server install. I am not going to detail all the steps to install nginx; there's plenty on the internet for that. I created the directories for the certificates shown in my site file below, and I am using Certify the Web on a Windows machine with a post-deployment task to sftp the certificates to those directories. You can't use a .pfx with nginx, so you'll want the chain (primary certificate + intermediate) in PEM format. I intend to get certbot working, but since I already have a functioning CTW config, I went with that for now.
I created the site file smartermail in the /etc/nginx/sites-available directory, containing:
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri; #permanent redirect to https
}
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; #HSTS - Start with a shorter value and make sure everything works first
    server_name mail1.domain1.com;
    ssl_certificate /etc/nginx/ssl/certs/domain1.com.chain; #point to your actual certs
    ssl_certificate_key /etc/nginx/ssl/private/domain1.com.key;
    location / {
        proxy_pass http://localhost:17017;
        proxy_redirect http://localhost:17017 https://mail1.domain1.com; #I don't think this line is needed, doesn't seem to do anything
    }
}
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_name webmail.domain2.com www.webmail.domain2.com;
    ssl_certificate /etc/nginx/ssl/certs/domain2.com.chain;
    ssl_certificate_key /etc/nginx/ssl/private/domain2.com.key;
    location / {
        proxy_pass http://localhost:17017;
        proxy_redirect http://localhost:17017 https://$host; #I don't think this line is needed
    }
}
server {
    listen 443 ssl http2;
    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_name webmail.domain3.com www.webmail.domain3.com;
    ssl_certificate /etc/nginx/ssl/certs/domain3.com.chain;
    ssl_certificate_key /etc/nginx/ssl/private/domain3.com.key;
    location / {
        proxy_pass http://localhost:17017;
        proxy_redirect http://localhost:17017 https://$host; #I don't think this line is needed
    }
}
Be sure to substitute your own domain names and cert names.
Then create a symbolic link to that file in /etc/nginx/sites-enabled (and while you're there, delete the symlink in sites-enabled for default).
Next I created smartermail.conf in /etc/nginx/conf.d containing:
# Additional configuration for SmarterMail
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
# Proxy settings
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
# Buffer settings
proxy_buffer_size 4096k;
proxy_buffers 8 4096k;
proxy_busy_buffers_size 4096k;
# Timeouts
proxy_connect_timeout 1200s;
proxy_send_timeout 1200s;
proxy_read_timeout 1200s;
# SSL Offloading
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
Note that the default nginx.conf in /etc/nginx contains:
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
Then, test the configuration:
sudo nginx -t
And restart nginx:
sudo systemctl restart nginx
Please feel free to comment; I'd appreciate the help.
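Added example (not part of the original post): a small shell/awk check that lists each TLS server block in a site file like the one above with its first server_name, certificate and key paths, and whether an uncommented server-level Strict-Transport-Security header is present, so a block left with HSTS commented out shows up as hsts=no. The names audit_site and sample_config and the embedded sample config are constructed for illustration, and the parser assumes one directive per line.

```shell
# audit_site [FILE]: one line per TLS server block in an nginx site file:
#   <first server_name> hsts=<yes|no> cert=<path> key=<path>
# Assumes one directive per line and no "#" inside quoted values.
audit_site() {
  awk '
    { sub(/#.*/, "") }  # strip comments so a commented-out add_header is not counted
    /^[ \t]*server[ \t]*[{]/ { in_srv = 1; depth = 0; tls = 0; hsts = "no"; name = cert = key = "-" }
    in_srv {
      val = $2; sub(/;$/, "", val)
      if (depth == 1) {                      # server level only, not inside location
        if ($1 == "listen" && $0 ~ /[ \t]ssl[ \t;]/) tls = 1
        if ($1 == "server_name") name = val
        if ($1 == "ssl_certificate") cert = val
        if ($1 == "ssl_certificate_key") key = val
        if ($1 == "add_header" && $2 == "Strict-Transport-Security") hsts = "yes"
      }
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth == 0) { if (tls) printf "%s hsts=%s cert=%s key=%s\n", name, hsts, cert, key; in_srv = 0 }
    }
  ' "${1:--}"
}
# Constructed sample mirroring the layout of the site file in the post.
sample_config() {
  cat <<'EOF'
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_name mail1.domain1.com;
    ssl_certificate /etc/nginx/ssl/certs/domain1.com.chain;
    ssl_certificate_key /etc/nginx/ssl/private/domain1.com.key;
    location / {
        proxy_pass http://localhost:17017;
    }
}
server {
    listen 443 ssl http2;
    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_name webmail.domain3.com www.webmail.domain3.com;
    ssl_certificate /etc/nginx/ssl/certs/domain3.com.chain;
    ssl_certificate_key /etc/nginx/ssl/private/domain3.com.key;
}
EOF
}
sample_config | audit_site
```

To check the real file, run audit_site /etc/nginx/sites-available/smartermail.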