Enable TLS 1.2 on Smartermail Build 6964 (jan 25, 2019)
Question asked by Knud Westdorf - April 16 at 11:16 PM
Answered
Hello

We have alot of customers asking for TLS 1.2 security. The customers cant recieve mails from example the banks, post office and so on, because TLS 1.2 is needed. 

Just a service that needs to be enabled, or any certs or what is required? 

Best regards

12 Replies

Reply to Thread
0
Kyle Kerst Replied
Employee Post Marked As Answer
I recommend downloading IIS Crypto from Nartac Software onto your SmarterMail server, and use the checkboxes in their GUI interface to enable the protocol versions you need. Then make sure SmarterMail is configured to use the protocol versions set up in Windows. After that you should be good to go! 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Knud Westdorf Replied
Thanks alot. Is any certificates needed, or?
0
Knud Westdorf Replied
Do you know what is needed here? Today we are using POP3/IMAP and SMTP as normal.
1
Dennis A. Replied
Your config looks good already. You just need to make sure that under "Server Protocols", TLS 1.2 is enabled. 

Then in SmarterMail, go to Admin > Settings > Protocols and make sure the options marked in yellow are enabled:


Then it should work, assuming that you already had certificates installed for your SMTP ports (25/587/465).
0
Knud Westdorf Replied
I havent created/installed any certificates for SMTP. Currently, we are running 25,465,587 as normal without encryption.
0
Ionel Aurelian Rau Replied
Hi Knud,

SSL/TLS does not work without a SSL certificate (and you need a publicly trusted certificate, not a self-signed one). So before you can do anything in this respect, you will need to purchase the SSL certificate for your server. Or you can try with Let`s Encrypt - but I do not know if they are trusted by all major players on the Internet.
0
Knud Westdorf Replied
Thanks..

But, what if our customers is using SMTP server in Outlook example: mail.domain.com and mail.domain1.com ? How to solve that? Need to buy certificates for all domains, or?
0
John Marx Replied
If you look at the logs for Lets Encrypt there is a powerShell way of doing it for all. We haven't gone that route. Instead we have one TLS/SSL certificate on our primary domain. That is what we give out to everyone to use. They are welcome to use their mail.whatever.com but we don't do SSL on that one. We only do it on the one. 
0
Knud Westdorf Replied
Arh okay. Thanks.

The only thing i want TLS 1.2 on, is when example the bank is sending an email to one of our customers, it cant be deleveried because we dont support TLS 1.2 incoming..
0
Jade D Replied
"But, what if our customers is using SMTP server in Outlook example: mail.domain.com and mail.domain1.com ? How to solve that? Need to buy certificates for all domains, or? "

If purchasing a certificate you would purchase a UCC cert, multi domain cert or a certificate that provides sans.
This could get quite costly.
Lets encrypt does allow limited SANS, so this could work provided that your domain count doesnt exceed the limit.

Alternatively, setup SSL / TLS on your primary host name and tell your clients to move over to that fqdn for their incoming and outgoing mail application settings.

My last suggestion is the best suggestion for environments that host more than 100 mail domains.
0
Knud Westdorf Replied
Thanks. Then i have another question, for the banking, which is sending mails to our customers. 

They say, the mails cant be dileveried, because our server doesnt support TLS 1.2 (incomming from outside).
1
Dennis A. Replied
Incoming emails will be delivered on port 25, so you'll just need to make sure that you have an SSL-certificate installed on that port in order for TLS 1.2 to work.

You mentioned that your customers use different SMTP servers in their clients (e.g. mail.domain.com, mail.domain1.com, etc.). For MX-records on your customers' domains, if you're not doing so yet, I highly recommend using a single MX-domain for all your customers, like someone else suggested in your topic from 2017. That makes security and maintanance a lot easier, as you just have to manage 1 certificate for all customers. It would also enable all your customers at once to receive emails with TLS 1.2, making your email traffic a lot more secure.

Would look like this:


Reply to Thread