Supporting TLS on my SmarterMail 17 (7125)
Question asked by Michael Muller - 10/23/2019 at 7:41 AM
Unanswered
I am working with a client's consultant helping him help them get their emails set up on new machines in a new building.

He tells me that he "checked MX record for "mail.montaguewebworks.com" and no TLS."

At first I thought he meant I wasn't indicating support for TLS in my DNS, but then I realized he must be running a test connection to my mail server to see if it broadcasts support for TLS.

Found this on LuxSci.com: "Mail servers do this by starting an SMTP connection with a server found in the MX records of the recipient’s domain and then issuing a command called “elho”. Once the “elho” command is given to the recipient’s server it will send back the list of the options that it supports. If you see “STARTTLS” in the list of options supported, then the server does support TLS."

So I went to MXtoolbox.com and did the SMTP test, albeit on port 25:

220 mail.MontagueWebWorks.com [609 ms]
EHLO keeper-us-east-1b.mxtoolbox.com
250-mail.MontagueWebWorks.com Hello [xxx.ip.num.xxx]
250-SIZE 31457280
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250-DSN
250 OK [642 ms]

I don't see STARTTLS in there. Could it be because I was testing on 25?

Found this on a MailGun.com blog page:

> telnet smtp.mailgun.org 587
220 ak47 ESMTP ready
> ehlo blog.mailgun.com
250-ak47
250-AUTH PLAIN LOGIN
250-SIZE 52428800
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SMTPUTF8
250 STARTTLS

So, I connected to my mail server via telnet and got this...

> telnet smtp.mailgun.org 587
220 mail.MontagueWebWorks.com
> ehlo mail.webworksserver.com
250-mail.MontagueWebWorks.com Hello [xxx.ip.num.xxx]
250-SIZE 31457280
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250-DSN
250 OK

No STARTTLS. 

What am I doing wrong?

Thanks,
Mik
---
Montague WebWorks
Powered by RocketFusion

19 Replies

Reply to Thread
0
Sébastien Riccio Replied
Hello, in your bindings you have to set STARTTLS (or TLS, i don't remember exactly) for your port 25 smtp binding.

This should resolve this problem.
Sébastien Riccio
System & Network Admin

0
Kyle Kerst Replied
Employee Post
In addition to Sebastien's comments above (this is correct) you will also need to navigate to Settings>Protocols>SMTP OUT and enable the TLS option there as well. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Michael Muller Replied
I wen to Bindings from the top-level list of domains page, clicked the IP number of the public IP, and checked all of these:

SMTP (25)
POP (110)
IMAP (143)
LDAP (389)
SMTP SSL (465)
SMTP (587)
IMAP SSL (993)
POP SSL (995)
XMPP Client Port (5222)

TLS is not specifically listed.

On the Protocols page, I have "Enable TLS if supported by the remote server" set to yes under SMTP Out.

I did a follow-up telnet check and noticed that I get a response on 587, but not 465. It's open in the firewall, so, I don't know what's up with that.
---
Montague WebWorks
Powered by RocketFusion
0
Michael Muller Replied
Ah! I didn't click on the "Ports" heading on the Bindings page. I see now that I can add TLS but I need a Certificate Path... which means I need to install the SSL/TLS Certificate on the server first. Ugh... another thing to keep track of.

Ok, I'm on the trail now.
---
Montague WebWorks
Powered by RocketFusion
0
Kyle Kerst Replied
Employee Post
Correct Michael. If you need a simple way to get the SSL done check out this article here: 


Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Michael Muller Replied
See... that's the weird thing. I have been using SSL in my connections to the server for a long time, with no problems, yet... I need to install one for TLS?
---
Montague WebWorks
Powered by RocketFusion
0
Sébastien Riccio Replied
If you already have a certificate installed for SSL you can use the same for tls on port 25.

Sébastien Riccio
System & Network Admin

0
Kyle Kerst Replied
Employee Post
No you should not need a new certificate at all. Just export the one you have and add this to the port binding. PFX format is best with a strong password. 
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Richard Frank Replied
when you use https for your site with a working certificate, then you have obtained a certificate from your ssl provider. You probably have that cert somewhere on the server in a folder.
Just enter the path to that certificate.
example from my server

And yes it's an extra administrative reminder you have to set when you renew the certificate.

0
Richard Frank Replied
@Kyle
Didn't know that pfx is supported too.
the path can be to the pfx with password. 
Is there an advantage to do it like this? Because creating a pfx is an extra step.
0
Douglas Foster Replied
Loading the certificate is easy enough, but I agree that it is a nuisance.  If the KB article omits instructions for creating the PFX file, this should solve your problem, assuming that you already have a CA-issued certificate in use with IIS:

  • Start MMC
  • Add--Remove Snap-in.
  • Click Certificates and push it to the right side to select it.
  • When prompted specify that you want to work with Computer Account and Local Computer.
  • Once the tree structure appears, drill-down to Certificates... Personal... Certificates
  • Right click on the active certificate and choose All Tasks... Export
  • Yes to export the private key
  • File format pkcs#12 (.pfx) will be selected automatically.   (Files with private keys always require a file-level password.)
  • Check the options to "include all certificates" in the path and "export all extended properties".  Obviously, do not use the option to delete after export, as that would break IIS; ability to use TLS.
  • Then choose your file name, file name, and file password.
This creates the file.   Then import the file into each of the SmarterMail services that will be doing TLS.

Certificates perform two functions:   Proving identity of the server and encryption.   Encryption does not matter if you are talking securely to your attacker.    Certificate verification is the proof of identity.  Self-signed (and therefore unverifiable) certificates provide encryption but not identity verification.   They have been widely used in the past because they were free and transmission-without-eavesdropping seemed better than the alternative, transmission-with-eavesdropping.   This seems to be changing.    More endpoints are requiring verifiable certificates and are refusing non-encrypted sessions.   Lets Encrypt also has fixed the cost problem by providing verifiable certificates for free, although I still recommend the traditional CA sources for business users.

 
0
Karl Jones Replied
Quote
>Correct Michael. If you need a simple way to get the SSL done check out this article here:
>https://www.smartertools.com/blog/2017/08/14-secure-smartermail-with-lets-encrypt 

Now that Certify the web has an up to date windows app with auto renew enabled is this blog entry correct, is the powershell script required or is the app going to renew and auto update the bindings the same way it did on the first use..?
0
Matt Petty Replied
Employee Post
You will still need that powershell script to update your certificate that you use for Port Binding. Certify the web takes care of the IIS/WEB binding for you but that PFX file is where your port bindings get read. Definitely some room for improvement on our side. It would be cool to have the ability to select the cert (not pfx) from SM directly that way this stay could be eliminated.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Karl Jones Replied
I know you are busy with the beta so this is on the back burner until that becomes a stable release version.. In the section about schedule.. it mentions setup for running daily, can this and should this be extended to weekly seeing as the renewal is 90 days and the auto renew in Certify is set to 60 days.?
0
Michael Muller Replied
Would love for this to be automated, much the way LetsEncrypt is.
---
Montague WebWorks
Powered by RocketFusion
0
echoDreamz Replied
We've built out PS scripts that update everything. From SmarterMail, IIS, SQL Server, RDP, apache/nginx servers, FTP servers, our DNS over TLS/HTTPS etc all at once using a single Wildcard LE certificate.

https://github.com/rmbolger/Posh-ACME based on this with a whole lot of custom PS scripts to update the required servers/services.
1
Christopher Hiatt Replied
This one works well and it will runs the scripts for you. It's very easy to add and delete sites once the certs are generated. Just add or delete a site in a saved profile and manually run the generate/renew when needed.

Otherwise it renews automatically. 

0
Karl Jones Replied
Christopher H, that is the program i was referring to and setup to create the LetsEncrypt cert'.

it also created the pfx and placed it into C:\ProgramData\Certify\certes\assets\pfx and automatically bound it to the already preset bindings SSL tests all pass and browsers all immediately display the verified lock on the address bar.
I have added the "(Get-ChildItem -Path cert:\LocalMachine\My |" script to the scripting section of the certify program which create a pfx file (name) of my choosing into the certificates folder that i created in the smartermail subfolders but it would seem that it might not be needed, once 60 days hits and the certify program automatically renews it will create a new or reuse the existing SSL and extend the date another 90 days with a 60 days renewal countdown.

So Matt...anyone else? did i misunderstand how the new certify version works?
1
Matt Petty Replied
Employee Post
Yep sounds like you got it going. You do need the powershell script because Certify updates the certs that IIS uses but it does not automatically generate PFX's that SmarterMail uses for POP/IMAP/SMTP/etc. You still need something to make a new PFX after the cert gets renewed in 60 days, in the same location and name as the old one. That way SmarterMail just automatically starts using the "new" pfx.

I would put a reminder to check the cert in 61 days to verify that the automated process swapped out the PFX files with a new one and to check your website cert and verify that it has a new expiration.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com

Reply to Thread