How do I add SSL to multiple domains in Smartermail?

Question asked by Bruce Earnest - 9/14/2014 at 8:37 PM

Answered

I have two clients that want to enable SSL on their domains, how do I add their certificates and attach them to their specific domain?

10 Replies

Reply to Thread

Bruce Barnes Replied

9/18/2014 at 3:14 PM

Marked As Answer

we run all of our domains under SSL, with a single IP address.

Host headers in SmarterMail handle segregation of domains on IP address.

IIS handles the interface to the web and everything else is setup in DNS and via mapping of ports to IP address, single hostname to IP address mapping in SmarterMail.

Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

Omar Cassara Replied

10/23/2014 at 1:43 PM

Thanks Bruce, can you explain how did you do?

Bruce Barnes Replied

10/24/2014 at 5:09 AM

I can post a brief explanation here, but this assumes a good, solid, working knowledge of the following items:

IIS
DNS
IIS FORWARDING

We run a single IP address

ALL HOSTED DOMAINS MUST BE CONFIGURED TO USE THE SAME IP ADDRESS IN SMARTERMAIL

DISABLE the ENABLE PRIMARY IP ON FAILURE setting in SMTP OUT.

The PORTS are configured per the diagram and settings referenced here:

https://portal.chicagonettech.com/kb/a55/configuring-ports-to-use-ssl-tls-to-secure-smartermail.aspx

The public FQDN (fully qualified domain name) of our SSL SmarterMail connection is "securemail.chicagonettech.com"

Our primary IIS interface is SSL, and located at https://securemail.chicagonettech.com

Using the URL of any of our hosted domains forwards the request to https://securemail.chicagonettech.com

This handles all of the web access.

For the client (Outlook, Thunderbird, SmartPhone, Tablet, laptop, etc) access, all calls, POP, IMAP, and SMTP are made to securemail.chicagonettech.com - no matter what the client's domain name is.

The client the uses his or her e-mail address and password as their login information, just like they do when accessing via a web interface.

Shane Hollis Replied

2/1/2015 at 2:34 PM

I can understand how apache or iis can be set up with Virtual domains so companyone.com resolves to the same IP address as http://securemail.chicagonettech.com and a multi name SSL cert is set up but

Does that cause issues with Auto discovery when companyOne.com autodiscovers their mail server and connects only to be told it is now at securemail.chicagonettech.com
The autodiscover for mail - it must change domain names in the process giving an you were looking for CompanyOne.com but have connected to securemail.chicagonettech.com type error or warning.

Hemen Shah Replied

2/5/2015 at 10:45 PM

Hi Bruce, Thank you once again for all the hard work and keep the document updated and helping all. I wanted to know how can i forward all domains to get redirected to our ssl URL clients by default would be using mail.zzz.com i want this to be redirected to https://mail.yyy.com Thanks

David Jamell Replied

2/16/2015 at 7:46 AM

So is there an answer to the original question? What if I have clients who want their own, private IP Address and want a private TLS/SSL Certificate bound to their domain/IP?

Can I have three clients (domains), with three certificates, and three IP Addresses coexist in the same installation?

Steve Reid Replied

2/17/2015 at 8:29 AM

Smartermail can handle that no problem.

Jason Sherrill Replied

3/18/2015 at 11:37 AM

In 13.2, I'm curious how this could be setup? Suppose you have two domains:

1) mail.domain2.com bound to 10.1.1.2

2) mail.domain3.com bound to 10.1.1.3

While each domain can be bound to an IP within SmarterMail, when in Security > Bindings > Ports, there is no setting to bind port 465 independently to each IP so therefore only one SSL certificate can be bound to the SMTP port listening on 465. The only way I can see this working is if you assign a different alternate port for each protocol to which an SSL cert will be bound for the second domain.

Am I overlooking something?

Thanks!

Jason

Scarab Replied

3/18/2015 at 4:58 PM

The only way to avoid using alternate ports (which would be problematic for customer-side firewalls) would be to use a Multi-Domain Certificate, which is how MS Exchange handles doing such. You would have one certificate that has each individual domain listed in Subject/Issued To field. So the certificate would be registered with 3 names: mail.domain1.com (your Mail Server's domain) mail.domain2.com (customer's domain) mail.domain3.com (customer's domain) No matter which of these domain is used the Certificate is considered valid. Multi-Domain Certificates are limited to a maximum of 100 domains per certificate and are generally much more expensive for a handful of domains than Single Domain Certificates.

Bruce Barnes Replied

3/19/2015 at 12:42 AM

The ports are bound, independently, to the IP addresses.

The IP addresses are then mapped to the host names.

So long as the OP has enough IP addresses, and his clients are willing to spend the money on the cost of the certificates, this is not a problem and can be handled by SmarterMail, using the standard IP addresses. There's no reason to do custom port number mappings.

Back to Community Threads

Please leave this box unchecked

10 Replies

Reply to Thread

Tags

Related Knowledge Base Articles