Configure SSL/TLS to Secure SmarterMail

This article applies to recent versions of SmarterMail. View articles for SmarterMail 15.x and earlier.

SSL and TLS are security protocols that allow data to be encrypted in transit. This lets users access email through a third-party email client without the fear that someone has intercepted their data. SSL encrypts the connection immediately upon connection. TLS encrypts once the STARTTLS command is sent. TLS needs to be set up over ports 25, 110 and 143, and SSL over ports 465, 993 and 995.

NOTE: This article assumes you have obtained a copy of your certificates from your SSL provider and have installed them on your server within your certificate store's Personal folder. If you have not done this, please do so prior to following the directions below.

Prior to configuring SmarterMail to be secured over SSL or TLS, the SSL certificate installed on the server must first be exported to a Base-64 Encoded certificate that is readable by SmarterMail.

Follow these steps to export your SSL certificate to a Base-64 encoded certificate file:

  1. Sign in to the Windows server on which SmarterMail is installed.
  2. Click Start, select Run.
  3. Type MMC, press Enter.
  4. Navigate to File -> Add/Remove Snap-in.
  5. In the available snap-ins column, select Certificates and hit Add.
  6. A new window will appear; choose Computer account and hit Next.
  7. Ensure Local computer is selected and hit Finish.
  8. A certificate tree view will now appear; expand Personal and choose Certificates.
  9. Right-click the certificate you wish to export -> All Tasks -> Export.
  10. A new window will appear; hit Next.
  11. Do not export the private key -> Next
  12. Save as a Base-64 X.509 .cer file -> Next
  13. Choose a save location such as C:\SmarterMail\Certificates\<SiteName>, name the certificate and click Save.
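
The same export can be scripted. The PowerShell below is an added example, not part of the original article or SmarterTools' own tooling; the thumbprint parameter and the output path are placeholders. It writes only the public certificate as a Base-64 X.509 .cer file and reloads the file to confirm it matches the store entry.

```powershell
# Added example: scripted equivalent of the MMC export steps above.
# $Thumbprint and $OutFile are placeholders; substitute your own values.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $OutFile = 'C:\SmarterMail\Certificates\SiteName\mail.cer'
)

# "Certificates (Local Computer) -> Personal" is the Cert:\LocalMachine\My store.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert  = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $clean }
if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My" }

# Show what is about to be exported so the right certificate is picked.
$cert | Format-List Subject, NotAfter, Thumbprint, HasPrivateKey

# Feedback on this article reports that the private key must sit in the
# Personal store alongside the certificate, so flag it when it is absent.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key is associated with this certificate in the store.'
}

# RawData is the DER-encoded public certificate only. The private key is never
# part of it, which matches the "do not export the private key" step.
$b64 = [Convert]::ToBase64String($cert.RawData, [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
[IO.File]::WriteAllText($OutFile, $pem, [Text.Encoding]::ASCII)

# Round-trip check: the file must load as a certificate with the same thumbprint.
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($OutFile)
if ($check.Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported file does not match the certificate in the store.'
}
Write-Host "Exported $($cert.Subject) to $OutFile"
```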

Follow these steps to add a port to listen over SSL or TLS:

  1. Log in to SmarterMail as the system administrator.
  2. Click the Settings icon.
  3. Click Bindings in the navigation pane and click the Ports tab.
  4. Click New in the content pane.
  5. Complete the following required fields: Protocol, Encryption (SSL or TLS), Name, Port and Certificate Path. All other fields are optional.
  6. Select the IP Address for the port to listen on.
  7. Click Save.

NOTE: Using similar steps as above, modify your existing port 25 to be encrypted with SSL or TLS.  
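
Once the ports are bound, each one can be checked from a client machine. The PowerShell below is an added example, not SmarterTools code; `$MailHost`, `$CerFile` and the `probe.example.com` EHLO name are placeholders. It sends STARTTLS on ports 25, 110 and 143, connects with immediate SSL on 465, 993 and 995, validates the served certificate against the hostname, and compares it with the exported .cer file.

```powershell
# Added example (not SmarterTools code). $MailHost and $CerFile are placeholders.
param(
    [string] $MailHost = 'mail.example.com',
    [string] $CerFile  = 'C:\SmarterMail\Certificates\SiteName\mail.cer'
)
$X509     = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$expected = $X509::new($CerFile).Thumbprint

# Plaintext dialogue required before the TLS handshake; empty for SSL ports.
$smtp = @(@{ Expect = '^220 ' }, @{ Send = 'EHLO probe.example.com'; Expect = '^250 ' },
          @{ Send = 'STARTTLS'; Expect = '^220 ' })
$pop  = @(@{ Expect = '^\+OK' }, @{ Send = 'STLS'; Expect = '^\+OK' })
$imap = @(@{ Expect = '^\* OK' }, @{ Send = 'a1 STARTTLS'; Expect = '^a1 OK' })
# Port plan from the article: TLS (STARTTLS) on 25/110/143, SSL on 465/993/995.
$plan = @(
    @{ Port = 25;  Steps = $smtp }, @{ Port = 110; Steps = $pop }, @{ Port = 143; Steps = $imap },
    @{ Port = 465; Steps = @() },   @{ Port = 993; Steps = @() },  @{ Port = 995; Steps = @() }
)
$final = '^(\d{3} |-ERR|a1 (NO|BAD))'   # a final reply that is not a success

foreach ($p in $plan) {
    $mode = if ($p.Steps) { 'STARTTLS' } else { 'SSL on connect' }
    $row  = [ordered]@{ Port = $p.Port; Mode = $mode; Protocol = $null; MatchesCer = $null; Result = $null }
    $tcp  = $null
    try {
        $tcp = [System.Net.Sockets.TcpClient]::new($MailHost, $p.Port)
        $tcp.ReceiveTimeout = 10000
        $net    = $tcp.GetStream()
        $reader = [System.IO.StreamReader]::new($net)
        foreach ($s in $p.Steps) {
            if ($s.Send) { $b = [Text.Encoding]::ASCII.GetBytes($s.Send + "`r`n"); $net.Write($b, 0, $b.Length) }
            # Skip continuation lines until a final reply (success or error) arrives.
            do { $line = $reader.ReadLine() } until ($null -eq $line -or
                $line -match $s.Expect -or $line -match $final)
            if ($line -notmatch $s.Expect) { throw "unexpected reply: $line" }
        }
        # Default validation: throws if the chain is untrusted or the name does not match.
        $ssl = [System.Net.Security.SslStream]::new($net, $false)
        $ssl.AuthenticateAsClient($MailHost)
        $served         = $X509::new($ssl.RemoteCertificate)
        $row.Protocol   = $ssl.SslProtocol
        $row.MatchesCer = ($served.Thumbprint -eq $expected)
        $row.Result     = "valid for ${MailHost}: $($served.Subject)"
    } catch {
        $row.Result = "FAILED: $($_.Exception.GetBaseException().Message)"
    } finally { if ($tcp) { $tcp.Close() } }
    [pscustomobject]$row
}
```

A FAILED row caused by a name mismatch is the same condition that mail clients surface as a certificate warning.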


Feedback

This is either missing critical information or SmarterMail 11 is broken. All I get is "Certificate is invalid" even though I use the same multi-domain ev-certificate for my other domains without a problem.
Michael Hartmann (September 4, 2013 at 6:38 PM)
Michael - make sure the certificate is exported per the method described by your CA. The multi-domain cert isn't a problem as we have many customers running SmarterMail with standard UCC certs. If you're still having issues, it may be worthwhile to start a support ticket.
Derek Curtis (September 5, 2013 at 1:35 PM)
The TLS description contains a typo. TSL instead of TLS.
Thomas Stensitzki (January 5, 2014 at 7:08 AM)
Thanks. Got it fixed.
Derek Curtis (January 7, 2014 at 1:56 PM)
Any ideas when SM will support TLS 1.2? Currently it seems to do 1.0
Rubal Jain (June 20, 2014 at 5:13 PM)
Hi Rubal,

As a software developer, we have to support as many platforms as possible. A number of customers are still on legacy platforms that don't allow an upgrade to .NET 4.5 so we have to allow for those customers and only offer TLS 1.0. However, we will eventually move to .NET 4.5 only to take advantage of the many improvements available to us as well as to our customers. Once that transition is planned we will be sure to let everyone know.

Andrea Rogers (June 23, 2014 at 9:55 AM)
I think one note missing is that the cert's private key has to be in the Personal folder or when testing the cert it will not work.
J Lee (August 13, 2014 at 12:24 PM)
Thanks J, I've modified the note within the KB article to reflect this.
Von-Austin See (November 24, 2014 at 8:15 AM)
Hi - this has always confused me - The certificate - what domain does it need to be in? Or can you get a certificate for the IP Address??
Gary Hanley (November 24, 2014 at 1:35 AM)
Gary,

The certificate is applied to the server itself within the Certificate Store for the local computer account. There is no specific domain that the certificate needs to reside under.

You can register this certificate for any valid FQDN. So for example, we have many customers who utilize a secure.domain.com DNS record and purchase a standard SSL certificate for secure.domain.com. They then tie this certificate within SmarterMail and for their clients that need SSL\TLS access they would then point them to secure.domain.com for SMTP\POP\IMAP over SSL\TLS.

Once the certificate has been installed onto your server after obtaining a copy from your SSL certificate provider you will want to follow the instructions for exporting the certificate into a base-64 formatted .cer file.

This CER file is then tied to your SmarterMail SSL ports that you configure under Settings -> Bindings -> Ports

You can then tie these SSL ports to specific IP addresses under Settings -> Bindings -> IP Addresses.

I hope this helps.

Von-Austin See (November 24, 2014 at 8:12 AM)
Do you need to buy or pay for the certificate? There is some mixed info on this. Please read this: https://luxsci.com/blog/do-i-need-to-buy-an-ssl-certificate-to-use-secure-email.html
Michael Barber (February 11, 2015 at 10:55 AM)
I followed these instructions, but still got stuck when trying to connect via TLS IMAP
It's not made clear you have to have both a TLS port 143 and a standard port 143 bound to the IP address and then select the TLS one
I followed these instructions to solve my problem
https://portal.smartertools.com/community/a2092/thunderbird-fails-using-ssl-tls.aspx

Knud Nexo (May 20, 2015 at 5:52 PM)
Using the instructions in this post, I got TLS and SSL working on a Windows 2003 box under IIS over a year ago. My current ports are viewable at https://charlesworks.com/SmarterMail-Port-Bindings.jpg as they are set up now. If this setup needs alteration please advise.

I moved SmarterMail 13.5 from a Windows 2003 box to a Windows 2011 Essentials box.

Two issues:

1. When the Windows 2011 Essentials box is rebooted, the https://mega.charlesworks.com (running under IIS) serves up a 404 error. I must manually go in to the SmarterMail site management Bindings and select the HTTPS, pretend to edit it, and close so it will work again.

2. SmarterMail is not available over the SSL or TLS ports and is throwing errors to everyone whose clients were set up to use those.

I presume I did not set up something correctly and any ideas would be greatly appreciated.

Thanks!

CharlesWorks (August 9, 2015 at 7:15 AM)
Hi Charles! Please consider submitting a ticket to our support team to further troubleshoot these issues. Thank you!
Andrea Rogers (August 11, 2015 at 4:10 PM)
So if we have a mail server hostname of mail.myserver.com do we need to buy an SSL certificate for mail.myserver.com?

We already have a SSL certificate like secure.myserver.com which doesn't match our mail server address that we use for a web site.

So far no luck using these directions. We're testing using IMAP and have verified the 993 port is open on the firewall, and followed the directions above.

We'd like to use our existing certificate we have that starts with secure.

ActorMike (August 25, 2015 at 1:56 PM)
Mike,

You should still be able to utilize the secure.myserver.com SSL certificate to secure your ports. However, many clients will report validation errors. Some mail servers will outright refuse to deliver mail securely to your server if your mail server's hostname does not equal that of the SSL certificate, although this is pretty rare.

I personally would recommend purchasing a new standard SSL certificate to use specifically for the hostname of your mail server for example, mail.mydomain.com. This will ensure when your customers\clients hit the server, they will be allowed in without a security warning prompting you to accept a mismatching certificate.

If you'd like to secure multiple hostnames such as pop.mydomain.com smtp.mydomain.com etc, you can do so with a Wildcard Certificate.

If you'd like to secure multiple hosts across many domains such as mail.domainA.com, mail.domainB.com etc a UCC (Unified Communications Certificate) is recommended.

In regards to having no luck with these directions, these will work in 99% of environments but edge cases do happen and we will be glad to look into this further for you, you would just need to open a support ticket with us and we can assist you in identifying where this process is failing.

SmarterMail 14 does support PFX certificates. So instead of exporting the cert as a base 64 without the private key per these instructions, you may want to try to export this as a PFX containing the private key, and password protecting it. Then point your SmarterMail ports to the PFX file and enter in the password information and test by verifying the certificate.

You can then test SSL\TLS communications with these ports by utilizing an e-mail client, or OpenSSL. A decent writeup on connecting via SSL\TLS for various mail ports can be found here: https://www.thatsgeeky.com/2011/01/using-telnet-with-an-smtp-server/

I hope this helps.

Von-Austin See (August 25, 2015 at 4:29 PM)
Hello Von-Austin See,
thank you very much! I am facing the same issue - it won't work with a SHA256-issued certificate when I go through the steps described by SmarterTools here!
When I export my certificate with the primary key included (and password protected) I can use it for the bindings and let them work ^^

Where did you get the information that SM14 now supports PFX files also? I cannot find any hint in the release notes :(

WebControl GmbH (August 27, 2015 at 3:42 AM)
Is it possible to use two different certificates at the same time?
mail.server.com is used for shared ssl for all domains, but what if one domain (mail.example.com) wants to use their own certificate instead of mail.server.com ?

Erick Monroy (February 13 at 11:50 PM)
Hi Erick! You can definitely achieve that type of setup within SmarterMail. This thread from our user Community provides some good instruction on that configuration. Please check it out and let me know if you have any other questions!

"How do I add SSL to multiple domains in Smartermail?" - http://portal.smartertools.com/community/a393/how-do-i-add-ssl-to-multiple-domains-in-smartermail.aspx

Andrea Rogers (February 14 at 11:58 AM)
