Help & Documentation

Install Mail Server Certificate Inside Web Container

Beginning in v7.1.0, MI verifies the mail server's SSL/TLS certificate before sending emails. This requires additional configuration if:

You use a self-signed certificate (where the internal Certificate Authority (CA) is not trusted by the MI server).
You use a mail relay where the relay name does not match the mail server's name in the SSL certificate.

This article describes certificate configuration to ensure the web container can trust the mail server certificate and successfully send emails.

Table of contents:

Access the command line, then concatenate the previously exported certificates into one file.

NOTE: Place the intermediate certificate first, followed by the root certificate.

cat Intermediate_CA.pem Root_CA.pem > Root_CA_Inter_TLS.pem

This creates a combined certificate file named Root_CA_Inter_TLS.pem.

cd /opt/mi/ssl/ca-certificates/web

Remove any unused or miscellaneous certificates, keeping only the combined certificate file you just created.

Change the combined certificate file's extension to .crt:

mv Root_CA_Inter_TLS.pem Root_CA_Inter_TLS.crt

After making these changes, restart the web container to apply the updated certificates:

restart web

Once restarted, test email sending again.

See Troubleshooting Mail Server Certificates for details on determining the missing certificates.
For other tips on email troubleshooting, see Troubleshooting Email Connectivity - Sending Emails.

Run the following command inside the web container to inspect the certificate chain:

openssl s_client -starttls smtp -crlf -connect <mail_host>:25

This command will display the certificate chain and reveal any missing intermediate certificates.