How do I add SSL to multiple domains in Smartermail?
Question asked by Bruce Earnest - 9/14/2014 at 8:37 PM
Answered
I have two clients that want to enable SSL on their domains, how do I add their certificates and attach them to their specific domain?

10 Replies

0
Bruce Barnes Replied
Marked As Answer
We run all of our domains under SSL, with a single IP address.
 
Host headers in SmarterMail handle segregation of domains on IP address.
 
IIS handles the interface to the web, and everything else is set up in DNS and via mapping of ports to IP address, single hostname to IP address mapping in SmarterMail.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Omar Cassara Replied
Thanks Bruce, can you explain how you did it?
0
Bruce Barnes Replied
I can post a brief explanation here, but this assumes a good, solid, working knowledge of the following items:
 
  • IIS
  • DNS
  • IIS FORWARDING
We run a single IP address
 
ALL HOSTED DOMAINS MUST BE CONFIGURED TO USE THE SAME IP ADDRESS IN SMARTERMAIL
DISABLE the ENABLE PRIMARY IP ON FAILURE setting in SMTP OUT.
 
The PORTS are configured per the diagram and settings referenced here:
 
 
 
The public FQDN (fully qualified domain name) of our SSL SmarterMail connection is "securemail.chicagonettech.com"
 
Our primary IIS interface is SSL, and located at https://securemail.chicagonettech.com
 
Using the URL of any of our hosted domains forwards the request to https://securemail.chicagonettech.com
 
This handles all of the web access.
 
For the client (Outlook, Thunderbird, SmartPhone, Tablet, laptop, etc) access, all calls, POP, IMAP, and SMTP are made to securemail.chicagonettech.com - no matter what the client's domain name is.
 
The client then uses his or her e-mail address and password as their login information, just like they do when accessing via a web interface.
0
Shane Hollis Replied
I can understand how Apache or IIS can be set up with virtual domains so companyone.com resolves to the same IP address as http://securemail.chicagonettech.com and a multi-name SSL cert is set up, but:
  • Does that cause issues with autodiscovery when companyOne.com autodiscovers their mail server and connects, only to be told it is now at securemail.chicagonettech.com?
  • The autodiscover for mail - it must change domain names in the process, giving a "you were looking for CompanyOne.com but have connected to securemail.chicagonettech.com" type error or warning.
0
Hemen Shah Replied
Hi Bruce, thank you once again for all the hard work, and keep the document updated and helping all. I wanted to know how I can forward all domains to get redirected to our SSL URL. Clients by default would be using mail.zzz.com; I want this to be redirected to https://mail.yyy.com. Thanks
0
David Jamell Replied
So is there an answer to the original question?  What if I have clients who want their own, private IP Address and want a private TLS/SSL Certificate bound to their domain/IP?
 
Can I have three clients (domains), with three certificates, and three IP Addresses coexist in the same installation?
0
Steve Reid Replied
Smartermail can handle that no problem.
0
Jason Sherrill Replied
In 13.2, I'm curious how this could be set up? Suppose you have two domains:
 
1) mail.domain2.com bound to 10.1.1.2
 
2) mail.domain3.com bound to 10.1.1.3
 
While each domain can be bound to an IP within SmarterMail, when in Security > Bindings > Ports, there is no setting to bind port 465 independently to each IP so therefore only one SSL certificate can be bound to the SMTP port listening on 465. The only way I can see this working is if you assign a different alternate port for each protocol to which an SSL cert will be bound for the second domain.
 
Am I overlooking something?
 
Thanks!
 
Jason
0
Scarab Replied
The only way to avoid using alternate ports (which would be problematic for customer-side firewalls) would be to use a Multi-Domain Certificate, which is how MS Exchange handles doing such. You would have one certificate that has each individual domain listed in the Subject/Issued To field. So the certificate would be registered with 3 names:

  • mail.domain1.com (your Mail Server's domain)
  • mail.domain2.com (customer's domain)
  • mail.domain3.com (customer's domain)

No matter which of these domains is used, the Certificate is considered valid. Multi-Domain Certificates are limited to a maximum of 100 domains per certificate and are generally much more expensive for a handful of domains than Single Domain Certificates.
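Added example, not part of the thread or of SmarterMail: a Python sketch of the hostname check a mail client applies to a multi-domain certificate like the one described in the reply above, used to list the hostnames that would trigger a name-mismatch warning. The function names are hypothetical, the sample names are the thread's placeholders plus a constructed `mail.domain4.com`, and `fetch_san` assumes an implicit-TLS listener (such as 465, 993 or 995).

```python
import socket
import ssl

def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; '*' is honoured only as the
    whole left-most label and never spans more than one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered(cert_names, client_hostnames):
    """Hostnames clients are configured with that no certificate name
    covers; each of these produces a certificate warning."""
    return [h for h in client_hostnames
            if not any(name_matches(n, h) for n in cert_names)]

def fetch_san(host: str, port: int, timeout: float = 5.0):
    """Read the DNS names from the certificate served on host:port.
    The chain is still verified; only the name check is left to us."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed sample: the three names from the reply above.
SAMPLE_CERT_NAMES = ["mail.domain1.com", "mail.domain2.com", "mail.domain3.com"]
# Hostnames customers have configured; mail.domain4.com is a constructed
# domain that was added to the server but never to the certificate.
CLIENT_HOSTS = ["mail.domain2.com", "MAIL.domain3.com", "mail.domain4.com"]

if __name__ == "__main__":
    for host in uncovered(SAMPLE_CERT_NAMES, CLIENT_HOSTS):
        print(f"{host}: not covered by the certificate")
```

To audit a live server, pass the result of `fetch_san(host, port)` in place of `SAMPLE_CERT_NAMES` for each listener clients connect to.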
0
Bruce Barnes Replied
The ports are bound, independently, to the IP addresses.
 
The IP addresses are then mapped to the host names.
 
So long as the OP has enough IP addresses, and his clients are willing to spend the money on the cost of the certificates, this is not a problem and can be handled by SmarterMail, using the standard IP addresses.  There's no reason to do custom port number mappings.
