Let's Encrypt - Every Domain
Question asked by John Marx - May 22 at 3:29 PM
Answered
We are on v16. We use Let's Encrypt for our first domain mail.xyzDomain.com. We have over 70 domains total. It is bad to send everyone to the mail.xyzDomain.com as they all want their own unique page to be secure. How can we get all domains to automatically get a Let's Encrypt certificate so that they all can go to their own mail.____.___ address?

2 Replies

Scarab Replied
Marked As Answer
John,
 
 
Basically, you would need to set a binding in IIS for every domain. The easiest method, if they are all using the same IP Address, is to set each domain as *ALL UNASSIGNED*. Do *NOT* assign them to a specific IP Address, otherwise your Let's Encrypt renewals won't complete, as they will error when attempting to bind to specific IP Addresses.
 
If you use Windows ACME Simple (WACS), formerly LetsEncrypt-Win-Simple (LEWS), then the very first time you run it, since Let's Encrypt does not currently support Wildcard certificates, you would want to request a SAN Certificate (called a UCC in the SmarterMail documentation). You would repeat this task every time you add a new domain to SmarterMail. WACS will automatically schedule renewals using Task Scheduler.
 
IMPORTANT NOTE: Let's Encrypt limits SAN Certificates to 100 domains. If you need more than 100 domains then you would have to request multiple SAN Certificates (and possibly set multiple Port Bindings in SmarterMail for each SAN Certificate if you need this to work with POP3, IMAP, SMTP, etc., and not just webmail, as explained below).
 
Now this works for webmail. However, if you want TLS to also work for POP3, IMAP, SMTP, etc. for each individual domain, then the certificate needs to be converted (and re-converted every time you add a new domain). You could do it manually as per the SmarterTools instructions linked above, or you can script it with PowerShell as follows:
 
# Find the newest certificate with a private key whose Subject matches the first SAN name,
# and export it (with the key) as a password-protected PFX that SmarterMail's port bindings can load.
Get-ChildItem -Path 'Cert:\LocalMachine\My' |
Where-Object { $_.HasPrivateKey -and $_.Subject -imatch 'smartermail\.domain\.tld' } |
Sort-Object NotAfter -Descending | Select-Object -First 1 |
ForEach-Object { & certutil.exe @('-exportpfx', '-f', '-p', 'Password', 'My', $_.Thumbprint, 'c:\certs\smartermail.domain.tld.pfx') }
 
Just change the domain (usually the first one listed in your SAN Certificate as the SUBJECT rather than as a Subject Alternate Name), the password, and the certificate path accordingly to match what you have configured in SmarterMail under SETTINGS > BINDINGS > PORTS for all of your ports. The easiest thing to do is create a .bat file that calls this PowerShell script and add the .bat file to Task Scheduler to run daily (right after the Let's Encrypt renewal task runs) so you can set it and forget it (or you can just run it manually when adding a new domain to your SAN Certificate).
 
That's it really. It would be nice if Smartermail had this functionality baked in but as it primarily relies on bindings in IIS that may be something that simply cannot be done by an application running under IIS.
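As an added example (not Scarab's or SmarterTools' code): because the SAN certificate has to be re-requested every time a domain is added, a scheduled check that compares the expected mail hostnames against the names actually in the newest matching certificate catches a forgotten domain or an approaching expiry before users see certificate errors. It assumes the expected hostnames are listed one per line in C:\certs\expected-hosts.txt and reuses the placeholder subject pattern smartermail.domain.tld from the reply; both are assumptions, not values from the thread.

```powershell
# Added example: report mail hostnames missing from the installed SAN certificate.
# C:\certs\expected-hosts.txt is an assumed file: one hostname per line, e.g. mail.xyzDomain.com
$expected = Get-Content 'C:\certs\expected-hosts.txt' |
    Where-Object { $_.Trim() } |
    ForEach-Object { $_.Trim().ToLowerInvariant() }

# Same selection logic as the export script: newest cert with a private key whose Subject matches.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.HasPrivateKey -and $_.Subject -imatch 'smartermail\.domain\.tld' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No matching certificate with a private key found in Cert:\LocalMachine\My' }

# DnsNameList is added by the Cert: provider and contains the Subject CN plus every DNS SAN entry.
$covered = $cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() }

$missing  = @($expected | Where-Object { $covered -notcontains $_ })
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

"Certificate {0} expires in {1} day(s); covers {2} name(s), {3} expected, {4} missing." -f `
    $cert.Thumbprint, $daysLeft, @($covered).Count, @($expected).Count, $missing.Count
$missing | ForEach-Object { "MISSING FROM CERTIFICATE: $_" }

# Non-zero exit code so a Task Scheduler run (or the .bat wrapper) records the failure.
if ($missing.Count -gt 0 -or $daysLeft -lt 14) { exit 1 }
```

Run it from the same .bat file right after the export step, so the scheduled job fails loudly when a domain was added to SmarterMail but the SAN certificate was not re-requested.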
Andrea Rogers Replied
Employee Post
Thanks for your reply, Scarab!
John, feel free to also check out our blog post, Securing SmarterMail with Let's Encrypt:
https://www.smartertools.com/blog/2017/08/14-secure-smartermail-with-lets-encrypt

Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278

www.smartertools.com
