Supporting TLS on my SmarterMail 17 (7125)
Question asked by Michael Muller - 10/23/2019 at 7:41 AM
Unanswered
I am working with a client's consultant helping him help them get their emails set up on new machines in a new building.

He tells me that he "checked MX record for "mail.montaguewebworks.com" and no TLS."

At first I thought he meant I wasn't indicating support for TLS in my DNS, but then I realized he must be running a test connection to my mail server to see if it broadcasts support for TLS.

Found this on LuxSci.com: "Mail servers do this by starting an SMTP connection with a server found in the MX records of the recipient's domain and then issuing a command called "ehlo". Once the "ehlo" command is given to the recipient's server it will send back the list of the options that it supports. If you see "STARTTLS" in the list of options supported, then the server does support TLS."

So I went to MXtoolbox.com and did the SMTP test, albeit on port 25:

220 mail.MontagueWebWorks.com [609 ms]
EHLO keeper-us-east-1b.mxtoolbox.com
250-mail.MontagueWebWorks.com Hello [xxx.ip.num.xxx]
250-SIZE 31457280
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250-DSN
250 OK [642 ms]

I don't see STARTTLS in there. Could it be because I was testing on 25?

Found this on a MailGun.com blog page:

> telnet smtp.mailgun.org 587
220 ak47 ESMTP ready
> ehlo blog.mailgun.com
250-ak47
250-AUTH PLAIN LOGIN
250-SIZE 52428800
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SMTPUTF8
250 STARTTLS

So, I connected to my mail server via telnet and got this...

> telnet smtp.mailgun.org 587
220 mail.MontagueWebWorks.com
> ehlo mail.webworksserver.com
250-mail.MontagueWebWorks.com Hello [xxx.ip.num.xxx]
250-SIZE 31457280
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250-DSN
250 OK

No STARTTLS. 

What am I doing wrong?

Thanks,
Mik
---
Montague WebWorks
Powered by RocketFusion
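The capability check described in the question, scripted so it can be run from the mail server itself against both ports. This is an added example, not code from the original post or from SmarterTools: the function reads the greeting, sends EHLO, returns the advertised keywords and, when STARTTLS is among them, completes the TLS handshake and reports the certificate the server presents, which is what a sending MTA would see. The HELO name and the mail.example.com host in the usage lines are placeholders.

```powershell
# Added example, not code from the original post or from SmarterTools.
# Probes an SMTP listener: read the greeting, send EHLO, collect the
# capabilities. If STARTTLS is offered, upgrade the session and inspect
# the certificate the server presents.
# Assumption: $HeloName is a placeholder; use a name that resolves to your host.
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = 'probe.example.invalid',
        [int]$TimeoutMs = 10000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine   = "`r`n"      # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # Reads one SMTP reply. A "-" in column 4 ("250-SIZE") means more lines
    # follow; a space ("250 OK") marks the last line of the reply.
    function Read-SmtpReply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw 'connection closed by server' }
            $lines += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        ,$lines
    }

    try {
        $greeting = Read-SmtpReply
        if ($greeting[-1] -notmatch '^220') { throw "unexpected greeting: $($greeting -join ' ')" }

        $writer.WriteLine("EHLO $HeloName")
        $ehlo = Read-SmtpReply
        if ($ehlo[-1] -notmatch '^250') { throw "EHLO rejected: $($ehlo -join ' ')" }
        # The first line echoes the server name; the rest are capability keywords.
        $caps = @($ehlo | Select-Object -Skip 1 | ForEach-Object { $_.Substring(4).Trim() })

        $result = [ordered]@{
            Server       = $Server
            Port         = $Port
            Capabilities = $caps
            StartTls     = [bool]($caps | Where-Object { ($_ -split ' ')[0] -ieq 'STARTTLS' })
            Protocol     = $null
            CertSubject  = $null
            CertNames    = $null
            CertNotAfter = $null
            ChainStatus  = $null
        }

        if ($result.StartTls) {
            $writer.WriteLine('STARTTLS')
            $reply = Read-SmtpReply
            if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply -join ' ')" }

            # Accept any certificate during the handshake so it can be inspected;
            # chain trust is evaluated separately below. Name matching is not
            # checked here: compare CertNames with $Server yourself.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
            $ssl.AuthenticateAsClient($Server)

            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $trusted = $chain.Build($cert)
            $result.Protocol     = $ssl.SslProtocol
            $result.CertSubject  = $cert.Subject
            $result.CertNames    = (@($cert.DnsNameList | ForEach-Object Unicode)) -join ','
            $result.CertNotAfter = $cert.NotAfter
            $result.ChainStatus  = if ($trusted) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }

            # Say goodbye over the now-encrypted channel.
            $tlsWriter = New-Object System.IO.StreamWriter($ssl, [System.Text.Encoding]::ASCII)
            $tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true
            $tlsWriter.WriteLine('QUIT')
        } else {
            $writer.WriteLine('QUIT')
        }
        [pscustomobject]$result
    } finally {
        $client.Close()
    }
}

# Usage: check the MX-facing port and the submission port separately,
# since each binding is configured on its own.
# Test-SmtpStartTls -Server mail.example.com -Port 25
# Test-SmtpStartTls -Server mail.example.com -Port 587
```

A listener that does not advertise STARTTLS returns StartTls = False with the capability list, which is the situation in the EHLO transcripts above. Once the binding has a certificate, ChainStatus shows whether the presented chain is trusted by the probing machine, and CertNotAfter is the value to check after each renewal.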

19 Replies

Sébastien Riccio Replied
Hello, in your bindings you have to set STARTTLS (or TLS, I don't remember exactly) for your port 25 SMTP binding.

This should resolve this problem.
Sébastien Riccio System & Network Admin https://swisscenter.com
Kyle Kerst Replied
Employee Post
In addition to Sebastien's comments above (this is correct) you will also need to navigate to Settings>Protocols>SMTP OUT and enable the TLS option there as well. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
Michael Muller Replied
I went to Bindings from the top-level list of domains page, clicked the IP number of the public IP, and checked all of these:

SMTP (25)
POP (110)
IMAP (143)
LDAP (389)
SMTP SSL (465)
SMTP (587)
IMAP SSL (993)
POP SSL (995)
XMPP Client Port (5222)

TLS is not specifically listed.

On the Protocols page, I have "Enable TLS if supported by the remote server" set to yes under SMTP Out.

I did a follow-up telnet check and noticed that I get a response on 587, but not 465. It's open in the firewall, so, I don't know what's up with that.
--- Montague WebWorks Powered by RocketFusion
Michael Muller Replied
Ah! I didn't click on the "Ports" heading on the Bindings page. I see now that I can add TLS but I need a Certificate Path... which means I need to install the SSL/TLS Certificate on the server first. Ugh... another thing to keep track of.

Ok, I'm on the trail now.
--- Montague WebWorks Powered by RocketFusion
Kyle Kerst Replied
Employee Post
Correct Michael. If you need a simple way to get the SSL done check out this article here: 


Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
Michael Muller Replied
See... that's the weird thing. I have been using SSL in my connections to the server for a long time, with no problems, yet... I need to install one for TLS?
--- Montague WebWorks Powered by RocketFusion
Sébastien Riccio Replied
If you already have a certificate installed for SSL you can use the same one for TLS on port 25.

Sébastien Riccio System & Network Admin https://swisscenter.com
Kyle Kerst Replied
Employee Post
No, you should not need a new certificate at all. Just export the one you have and add this to the port binding. PFX format is best with a strong password.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
Richard Frank Replied
When you use HTTPS for your site with a working certificate, then you have obtained a certificate from your SSL provider. You probably have that cert somewhere on the server in a folder.
Just enter the path to that certificate.
example from my server

And yes it's an extra administrative reminder you have to set when you renew the certificate.

Richard Frank Replied
@Kyle
Didn't know that PFX is supported too.
The path can be to the PFX with password.
Is there an advantage to doing it like this? Because creating a PFX is an extra step.
Douglas Foster Replied
Loading the certificate is easy enough, but I agree that it is a nuisance. If the KB article omits instructions for creating the PFX file, this should solve your problem, assuming that you already have a CA-issued certificate in use with IIS:

  • Start MMC
  • Add/Remove Snap-in.
  • Click Certificates and push it to the right side to select it.
  • When prompted, specify that you want to work with Computer Account and Local Computer.
  • Once the tree structure appears, drill down to Certificates... Personal... Certificates
  • Right-click on the active certificate and choose All Tasks... Export
  • Yes to export the private key
  • File format PKCS #12 (.pfx) will be selected automatically. (Files with private keys always require a file-level password.)
  • Check the options to "include all certificates" in the path and "export all extended properties". Obviously, do not use the option to delete after export, as that would break IIS's ability to use TLS.
  • Then choose your file name and file password.
This creates the file. Then import the file into each of the SmarterMail services that will be doing TLS.

Certificates perform two functions: proving the identity of the server, and encryption. Encryption does not matter if you are talking securely to your attacker. Certificate verification is the proof of identity. Self-signed (and therefore unverifiable) certificates provide encryption but not identity verification. They have been widely used in the past because they were free and transmission-without-eavesdropping seemed better than the alternative, transmission-with-eavesdropping. This seems to be changing. More endpoints are requiring verifiable certificates and are refusing non-encrypted sessions. Let's Encrypt also has fixed the cost problem by providing verifiable certificates for free, although I still recommend the traditional CA sources for business users.

Karl Jones Replied
Quote
>Correct Michael. If you need a simple way to get the SSL done check out this article here:
>https://www.smartertools.com/blog/2017/08/14-secure-smartermail-with-lets-encrypt 

Now that Certify The Web has an up-to-date Windows app with auto-renew enabled, is this blog entry still correct? Is the PowerShell script required, or is the app going to renew and auto-update the bindings the same way it did on the first use?
Matt Petty Replied
Employee Post
You will still need that PowerShell script to update the certificate that you use for port binding. Certify The Web takes care of the IIS/web binding for you, but that PFX file is where your port bindings get read from. Definitely some room for improvement on our side. It would be cool to have the ability to select the cert (not the PFX) from SM directly; that way this step could be eliminated.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
Karl Jones Replied
I know you are busy with the beta, so this is on the back burner until that becomes a stable release version. In the section about schedule it mentions setup for running daily; can this, and should this, be extended to weekly, seeing as the renewal is 90 days and the auto-renew in Certify is set to 60 days?
Michael Muller Replied
Would love for this to be automated, much the way LetsEncrypt is.
--- Montague WebWorks Powered by RocketFusion
echoDreamz Replied
We've built out PS scripts that update everything. From SmarterMail, IIS, SQL Server, RDP, apache/nginx servers, FTP servers, our DNS over TLS/HTTPS etc all at once using a single Wildcard LE certificate.

Based on https://github.com/rmbolger/Posh-ACME, with a whole lot of custom PS scripts to update the required servers/services.
Christopher Hiatt Replied
This one works well and it will run the scripts for you. It's very easy to add and delete sites once the certs are generated. Just add or delete a site in a saved profile and manually run the generate/renew when needed.

Otherwise it renews automatically. 

Karl Jones Replied
Christopher H, that is the program I was referring to and set up to create the Let's Encrypt cert.

It also created the PFX and placed it into C:\ProgramData\Certify\certes\assets\pfx and automatically bound it to the already preset bindings. SSL tests all pass and browsers all immediately display the verified lock on the address bar.
I have added the "(Get-ChildItem -Path cert:\LocalMachine\My |" script to the scripting section of the Certify program, which creates a PFX file (name) of my choosing in the certificates folder that I created in the SmarterMail subfolders, but it would seem that it might not be needed: once 60 days hits and the Certify program automatically renews, it will create a new or reuse the existing SSL and extend the date another 90 days with a 60-day renewal countdown.

So Matt...anyone else? did i misunderstand how the new certify version works?
Matt Petty Replied
Employee Post
Yep, sounds like you got it going. You do need the PowerShell script because Certify updates the certs that IIS uses, but it does not automatically generate the PFXs that SmarterMail uses for POP/IMAP/SMTP/etc. You still need something to make a new PFX after the cert gets renewed in 60 days, in the same location and with the same name as the old one. That way SmarterMail just automatically starts using the "new" PFX.

I would put a reminder to check the cert in 61 days to verify that the automated process swapped out the PFX files with a new one and to check your website cert and verify that it has a new expiration.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
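The PFX export that Douglas Foster walks through in MMC, and the post-renewal regeneration Matt Petty says is still needed, as one script. This is an added example and is not SmarterTools' script, the KB article's script, or the one Karl Jones pasted: it finds the current certificate for a hostname in the machine store (the store MMC shows under Certificates > Personal), exports it with its chain to the PFX path a SmarterMail port binding points at, locks the file down and reloads it to confirm the thumbprint. The hostname, path and the assumption that the SmarterMail service runs as SYSTEM are placeholders.

```powershell
# Added example, not SmarterTools' script and not the KB article's script.
# Exports the current certificate for a host from Cert:\LocalMachine\My to
# the PFX that a SmarterMail port binding reads. Re-running it after every
# renewal (e.g. as a Certify The Web or Posh-ACME post-renewal hook) keeps
# the binding on a fresh certificate without touching SmarterMail settings.
# Assumptions: names and paths are placeholders; the SmarterMail service runs
# as SYSTEM (extend the ACL block if it runs under another account).
function Export-SmarterMailPfx {
    param(
        [Parameter(Mandatory)][string]$HostName,          # e.g. mail.example.com
        [Parameter(Mandatory)][string]$PfxPath,           # the "Certificate Path" in the binding
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    # Match the host against the subject CN and the SAN list. "-like" lets a
    # wildcard certificate (CN=*.example.com) match mail.example.com.
    $nameMatches = {
        param($cert)
        $names = @($cert.DnsNameList | ForEach-Object Unicode)
        if ($cert.Subject -match '^CN=([^,]+)') { $names += $Matches[1] }
        [bool]($names | Where-Object { $HostName -like $_ })
    }

    # Newest unexpired certificate with a private key that names the host.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (& $nameMatches $_) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "no unexpired certificate with a private key for $HostName in Cert:\LocalMachine\My" }

    # Export to a temp file and then swap it in, so SmarterMail never reads a
    # half-written PFX. -ChainOption BuildChain is the MMC wizard's
    # "include all certificates in the certification path" option.
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $PfxPath) | Out-Null
    $tmp = "$PfxPath.tmp"
    Export-PfxCertificate -Cert $cert -FilePath $tmp -Password $PfxPassword -ChainOption BuildChain -Force | Out-Null
    Move-Item -LiteralPath $tmp -Destination $PfxPath -Force

    # The file holds the private key: drop inherited ACEs and grant only
    # SYSTEM (the assumed service account) and Administrators.
    $acl = Get-Acl -LiteralPath $PfxPath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $PfxPath -AclObject $acl

    # Reload the file the way a consumer would and confirm it is the cert we meant.
    $loaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    if ($loaded.Thumbprint -ne $cert.Thumbprint) { throw 'exported PFX does not contain the expected certificate' }

    [pscustomobject]@{
        HostName   = $HostName
        PfxPath    = $PfxPath
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}

# Usage (interactive). In a scheduled task or renewal hook, read the password
# from a DPAPI-protected file with ConvertTo-SecureString rather than a prompt.
# Export-SmarterMailPfx -HostName mail.example.com `
#     -PfxPath 'C:\SmarterMail\Certificates\mail.pfx' `
#     -PfxPassword (Read-Host -AsSecureString 'PFX password')
```

The returned NotAfter is the value to compare against what the SMTP port actually presents on the day after a renewal; if the two differ, the binding is still reading the old file.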
