SHA256 Hash Support
Idea shared by James Grangeia - December 22, 2014 at 1:38 PM
So my SSL provider sent out an email suggesting I reissue my certs utilizing the SHA256 signature hashing algorithm as they are trying to migrate people off of certs issued with SHA1. I have created the cert (still using the standard RSA key) and it works fine for use on the IIS webserver, but it isn't yet compatible with SmarterMail due to the fact that certs utilizing SHA256 utilize a different CSP (my guess anyway). I imagine eventually SmarterTools will support these certs as they become more mainstream, but I was wondering when that might occur?

5 Replies

I can't give you the specific answer to your individual problem, but I assure you SmarterMail supports SHA256 certificates. I currently use SHA256withRSA.
Check your Bindings in SmarterMail to ensure you have added the proper SSL/TLS ports and make sure you have put a copy of the certificate in a folder in your SmarterMail installation folder.
It sounds like you forgot to export your SSL Certificate to BASE 64 encoded X.509 (.cer) format in your Windows Server Certificate Manager. Webmail running under IIS can use the SSL Certificate straight from your Certificate Authority, but all other Mail Services require the SSL Certificate to be exported to a different format and saved to the location defined in SmarterMail (SETTINGS > BINDINGS > PORTS).
As long as you are running Windows Server 2008 or higher you should be able to use SHA256 Certificates just fine (WinServer 2003 only supports SHA1).
Thank you for the suggestions. Unfortunately those suggestions, while valid, don't solve my particular issue. While I haven't found the exact cause, I did find that TLS version 1.0 is the only TLS version that will be negotiated. I have SmarterMail deployed on a Win 2008 R2 server and while the IIS portion of the server supports TLS protocol version 1.2 negotiation, the SmarterMail SMTP listener does not... I am not sure if there is a config option to enable TLS 1.1 and 1.2 within SmarterMail but I am thinking the root cause is related... I guess I should make a new suggestion to support the newer TLS versions as well...
Guys, you must have missed the fact that I already have Schannel TLS 1.2 enabled and I have verified the fact by testing the IIS 7.5 webmail interface. This does not change the fact that TLS 1.2 is not enabled on the SmarterMail SMTP listener... The system supports it but SmarterMail does not and that is what I am trying to enable.
Very cool site to verify ciphers and TLS version.
Feel free to utilize a throw away SMTP email addy on it. It takes a while to get results but you can check back later and see the results and the evidence of the checking in your SMTP logs.
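
The per-version check discussed in this thread, as an added example that is not part of any post and is not SmarterMail code: it requests STARTTLS from an SMTP listener once per TLS version, with the client pinned to exactly that version, and reports what was negotiated. The function names are hypothetical, and the host and port are placeholders supplied on the command line.

```python
import smtplib
import ssl
import sys

# TLS versions to test one at a time, oldest first.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def pinned_context(version):
    """Client context that can negotiate only `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol survey only, not a trust decision: skip certificate checks.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Local OpenSSL policy often blocks TLS 1.0/1.1; relax it so a
        # failure reflects the server rather than this client.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library without security levels; keep its defaults
    return ctx


def probe(host, port, version, timeout=10):
    """Return the negotiated protocol string (e.g. 'TLSv1.2'), or None."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=pinned_context(version))
            return smtp.sock.version()
    except (OSError, ValueError, smtplib.SMTPException):
        # Refused connection, no STARTTLS offered, or handshake failure.
        return None


def survey(host, port=25):
    """Map each TLS version name to what the listener negotiated (or None)."""
    return {v.name: probe(host, port, v) for v in VERSIONS}


if __name__ == "__main__":
    # Usage: python tls_survey.py <host> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    for name, got in survey(host, port).items():
        print(f"{name}: {'negotiated ' + got if got else 'not negotiated'}")
```

Running it against both the SMTP port and the IIS HTTPS-fronted webmail would not compare like with like, since this script speaks SMTP only; it answers the narrower question of which versions the mail listener itself accepts.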