Expose public HTTPS

Make EmailEngine available over public internet

In this example we use Nginx as a proxy in front of EmailEngine to make it publicly accessible.

In general it is a bad idea to expose EmailEngine over the public internet. You should at least set up firewall rules that allow access from trusted servers only and block everything else. Let me remind you – access to EmailEngine gives full access to the emails of all registered email accounts. Not something you'd want when integrating your customers' mailboxes.

If you have a solid use case though and take steps to ensure the security of your customers' mailboxes, you can expose EmailEngine through an HTTPS proxy such as Nginx, HAProxy, Caddy or even Apache – any web server with proxying capabilities should work.

1. Enable Basic Auth

We most definitely do not want EmailEngine to be publicly accessible without any restrictions. EmailEngine has limited support for authentication, which you can enable either with the command line argument --api.auth="user:pass" or the environment variable EENGINE_AUTH="user:pass".

$ emailengine --api.auth="admin:supersecret"

The default authentication only allows a single set of user credentials; in this case the username is "admin" and the password is "supersecret".

2. Prepare dummy HTTPS certificates

First we create some dummy HTTPS certificates. This step is optional; we only do it so that we can set up the Nginx HTTPS virtual host before provisioning real HTTPS certificates.

$ sudo openssl req -subj "/CN=example.com/O=My Company Name LTD./C=US" -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout privkey.pem -out fullchain.pem
$ sudo chmod 0600 privkey.pem
$ sudo mv privkey.pem /etc/ssl/private/emailengine-privkey.pem
$ sudo mv fullchain.pem /etc/ssl/certs/emailengine-fullchain.pem

3. Nginx virtual host config

Create a new virtual host configuration file

$ sudo vim /etc/nginx/sites-available/emailengine.conf

And paste the following configuration. Make sure to change the domain name and verify that EmailEngine's HTTP port is the correct one (defaults to 3000):

server {
    listen 80;
    listen 443 ssl http2;

    server_name example.com; # <- change this domain name

    ssl_certificate_key /etc/ssl/private/emailengine-privkey.pem; # <- the private key, not the certificate
    ssl_certificate /etc/ssl/certs/emailengine-fullchain.pem;

    location / {
        client_max_body_size 50M;
        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:3000; # <- use EmailEngine's HTTP port
    }

    # Enforce HTTPS
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
}

Next we would have to enable the configuration.

$ sudo ln -s /etc/nginx/sites-available/emailengine.conf /etc/nginx/sites-enabled/emailengine.conf

Also verify that the Nginx configuration does not contain any errors; otherwise reloading or restarting would actually stop the Nginx service.

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

And finally apply the new config.

$ sudo systemctl reload nginx

At this point, if you open the domain name in your browser, it should show EmailEngine's page. However, you are still using the dummy HTTPS certificates, so in most cases you will see an invalid certificate warning instead.

4. Provision HTTPS certificates

In this example we'll be using acme.sh for provisioning HTTPS certificates from Let's Encrypt.

If you do not have it installed you can do so easily as follows (in this example we perform all acme.sh related operations as root).

$ sudo su
$ cd
$ curl https://get.acme.sh | sh -s email=my@example.com

Make sure to use your actual email address.

Once we have acme.sh installed and set up we can provision the certificates (must run as root):

$ /root/.acme.sh/acme.sh --issue --nginx --server letsencrypt \
    -d example.com \
    --key-file       /etc/ssl/private/emailengine-privkey.pem  \
    --ca-file        /etc/ssl/certs/emailengine-chain.pem \
    --fullchain-file /etc/ssl/certs/emailengine-fullchain.pem \
    --reloadcmd     "/bin/systemctl reload nginx"

Replace example.com with the domain name of your virtual host.

acme.sh renews these certificates automatically, so in the best case you will never have to deal with them again.
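Before reloading Nginx, it is worth confirming that the key and certificate files it will serve actually belong together and that the private key is not readable by other users. The script below is an added example, not part of the EmailEngine documentation; the function names and the temporary directory are assumptions, and it needs the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the EmailEngine docs): sanity checks for the
# key/certificate pair referenced by ssl_certificate_key / ssl_certificate.
# Catches pointing the key directive at the wrong file and a key that was
# left group- or world-readable.

# Returns 0 when the private key in $1 belongs to the certificate in $2.
# Both sides are compared as PEM public keys, so RSA and EC keys both work.
cert_key_match() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Returns 0 when the key file mode grants nothing to group or others
# (for example 0600 or 0400). Tries GNU stat first, then BSD stat.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 2
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Creates a throwaway self-signed pair in directory $1, mirroring step 2
# of the guide, so the checks can be exercised offline.
make_dummy_pair() {
    openssl req -subj "/CN=example.com/O=Example/C=US" -new -newkey rsa:2048 \
        -days 1 -nodes -x509 -keyout "$1/privkey.pem" \
        -out "$1/fullchain.pem" >/dev/null 2>&1 || return 1
    chmod 0600 "$1/privkey.pem"
}

# Runs both checks on key $1 and certificate $2; non-zero means do not reload.
check_pair() {
    cert_key_match "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    key_perms_ok "$1" || { echo "private key is readable by others" >&2; return 1; }
    echo "ok: $1 matches $2"
}
```

Run it as `check_pair /etc/ssl/private/emailengine-privkey.pem /etc/ssl/certs/emailengine-fullchain.pem` after step 2 and again after acme.sh has installed the real files.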

Unless something went completely wrong, EmailEngine should now be publicly accessible. You can also find a more thorough Nginx virtual host configuration example for EmailEngine here.