SSL SNI
Idea shared by Sérgio Rocha - October 21, 2016 at 3:44 PM
Under Consideration
HI Everyone,
 
I Know that now its not a best time to ask this kind of changes, ST is preparing the lunch of version 16, but i would like to see in roadmap.
 
This week i was working with Exim from cpanel and saw that they can do SNI in email services (POP/IMAP/SMTP), witch is very good to host different SSL/hosts communications in the same IP.
 
I like to propose to everyone to push this idea so we can have more clients using SSL with the need to bind a dedicates IP. (Witch dont work very well because the autodiscovery configuration).
 
We need this kind of enterprise solution for bigger clients and to promote the SSL use. We have lots of stolen password because users dont use SSL, and the bigger clients want a vanity configuration.
 
Regards,
 
SR

19 Replies

Reply to Thread
0
I would agree as well along with https redirects for ALL web mail. We've asked for this for along time. I'd rather see this implemented than year over year 'new' versions being released.
1
Sergio,
 
I'll be glad to submit this as a feature request, I agree this would be a huge improvement to our existing SSL\TLS implementation. 
Von See
Technical Support Supervisor
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Thanks Von-Austin See Shouldn't be simple but will be very nice to have and I'm very happy that ST consider the request.
7
What about using Let's Encrypt (https://letsencrypt.org/)? Seems like everyone is starting to use that now.
0
Kevin, these certificates should be supported. We don't have anything built directly into SmarterMail to handle the certificates and the enrollment for you, but you can leverage one of their many Windows clients to handle this for you.

You would just need to pay attention to when the certificates expire, and export new PFX files containing the private key, and password protected and point SmarterMails ports to these to avoid any cert errors.

ACMESharp seems to be pretty straight forward and uses PowerShell modules so this can be performed remotely as well. Here's their quickstart guide that walks you through their process, and also details how to export as PFX in the end of the article.

https://github.com/ebekker/ACMESharp/wiki/Quick-Start

I hope this helps.
Von See
Technical Support Supervisor
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Von, thanks for the instructions! I guess my request would be that ST bake some of this functionality into SM like you do with SpamAssassin, etc. This would relieve the admin from the technical details and renewing the certificate every 90 days.
0
I agree Kevin, this would be very slick to have within SmarterMail to handle certificate enrollment as well as automatic renewals. I've submitted this as a feature request.
Von See
Technical Support Supervisor
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Nice! Thank you.
0
Please note (for a small amount of people using Android pre 4.2) that SNI is not understood on those devices.
0
Agreed here as well. We sell several products today that not only allow for a automatic SSL request from lets encrypt but also automatically renew the cert at the 4 month mark so no admin burden is added. Considering where security is today this I would state is an expected feature from Enterprise level software such as SM.
0
Hey Smartermail, where is your dev team on this ? We need to stop burning IPV4 addresses....
0
We've switch 90% of our certs over to Let's Encrypt. Smartermail and our spam filter aren't ready yet. The https cert in IIS is easy to do. The SMTP, IMAP, and POP SSL ports don't seem to pick up the renewal automatically.
0
Todd, you'll need to automate exporting of the renewed LetsEncrypt SSL certificate to a PFX file that's password protected and contains the private key. You'll need to do this since SmarterMail does not tap into the certificate store directly but instead references direct PFX and .CER files assigned to your ports.

As long as your exporting to the same certificate location that's tied to your SmarterMail port bindings, you should be good to go until SmarterTools implements support for the Let's Encrypt platform.

I recommend PowerShell to perform these actions since it does contain an Export-pfxCertificate cmdlet. More information on this command can be found here: https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/export-pfxcertificate
Von See
Technical Support Supervisor
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Hey Smartermail dev team - Is SNI supported now that https URL redirection is possible on SM16? (hint: we've had SNI support on the Microsoft platform for a several years now...)
1
Let's keep the ball rolling, with the bellow PS, I can export the .pfx file with password to some folder where SM can grab it:
 
$CertPassword = '123456789'
$CertDNSName = '<domain name>'
 
$SecurePassword = ConvertTo-SecureString -String $CertPassword `
                                         -AsPlainText `
                                         -Force
 
$CertFileFullPath = $(Join-Path (Split-Path -Parent 'D:\_Server\Cert\') "$CertDNSName.pfx")
 
$NewCert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
                                     -DnsName $CertDNSName
 
Export-PfxCertificate -FilePath $CertFileFullPath `
                      -Password $SecurePassword `
                      -Cert $NewCert
0
I have this working for me... I do not know if my scheduled task will handle an update after the first one expires, but time will tell. I can always run it manually every few months.

Note:
SmarterMail picks up new certificates very quickly when the old one is overwritten.

Note:
$ExistingCerts[0] is an expression that selects the first found match. If you have more than one match you may accidentally have the wrong certificate, or it may put the newer one at the top (that would be awesome).

Note: Get-ChildItem is what gets a list of certificaes that match the criteria, in this case : date of expiration is greater than 0 but less than 101 and has a dns name of your specified DNS Name and lastly is stored in your local machine personal certificate list

$CertPassword = 'the-best-password-ever'
$CertDNSName = 'mail.the-best-domain-name-ever.com'

$SecurePassword = ConvertTo-SecureString -String $CertPassword `
-AsPlainText `
-Force

$CertFileFullPath = "C:\SmarterMail\Certificates\$CertDNSName.pfx"

$ExistingCerts = Get-ChildItem -DnsName $CertDNSName -ExpiringInDays 100 -Path Cert:\localMachine\my\

Export-PfxCertificate -FilePath $CertFileFullPath `
-Password $SecurePassword `
-Cert $ExistingCerts[0]
2
bump
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
1
Not sure about a BUMP (but agree). Just read the following article from Smarter Toolls
 
 
What I want to know is can we get Let's Encrypt when a domain is created that we create a Let's Encrypt so that every clients login is secured? This should be 100% seamless option. Can this be done?
0
John, we have tossed around the idea of implementing Let'sEncrypt directly into SmarterMail for seamless certificate requests and renewals. It's definitely on our radar but hasn't been scheduled for development at this time.

Reply to Thread