Not able to bind multiple SSL on Single IP Address
Problem reported by Pedro Javier - 7/25/2020 at 10:20 AM
Submitted
Hello Team,

I do have two domains like as below:

webmail.abc.com
webmail.xyz.com

Both are using the same IP address. 

I have bound the SSL certificates on webmail.abc.com and webmail.xyz.com, and when I browse the URLs, it shows me that the correct certificates are attached to these two domains. Now, the question is: when I add the bindings for ports 464 and 587 with the PFX files of webmail.abc.com and webmail.xyz.com, it works fine for webmail.abc.com but not for webmail.xyz.com (it shows a certificate mismatch error with the certificate of webmail.abc.com).

Is there any setting that needs to be configured to use the same IP address for different domains with SSL, or do I need to purchase a new IP address to fix this issue?

Please guide further.

Regards,
Pratik
Pratik Jajal
Younited Host - The best Web Hosting Provider
Email: pedro@younitedhost.com

6 Replies

0
Sébastien Riccio Replied
Hello, as far as I know SmarterMail doesn't support SNI (Server Name Indication), which is needed to use multiple certificates on a single IP address/port.

It works for the webmail because IIS does support SNI.

Without SmarterTools adding SNI capability to their services implementation, you have a couple of other options:

1) Give your customers a single hostname for their mail client configuration, not tied to their own domains, for example mail.yourcompany.com, and use a certificate for this hostname server side.

2) Dedicate an IP address to each customer and bind the ports on this IP address with the corresponding certificate (w.x.y.10 for mail.abc.com, w.x.y.11 for mail.xyz.com), but of course this will eat a lot of IP addresses if you want to do this for a lot of customers.

3) Use a POP/IMAP/SMTP proxy that is SNI capable in front of your SmarterMail.
    For example haproxy:
    Or dovecot in proxy mode, or any other proxy utility that supports SNI and POP/IMAP/SMTP protocols.

The easiest would of course be SNI support built into SmarterMail...

Kind regards

Sébastien Riccio
System & Network Admin
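
The SNI-capable proxy from option 3, written out as an added HAProxy configuration that is not part of the thread and not SmarterTools' or HAProxy's own documentation. It assumes HAProxy runs on a separate host in front of SmarterMail, that SmarterMail listens on the constructed internal address 10.0.0.5 and still serves its single webmail.abc.com certificate, and that each customer's certificate, chain and key are concatenated into one .pem file under /etc/haproxy/certs/ (all of these values are assumptions). HAProxy terminates TLS for the implicit-TLS ports (993 and 465), chooses the certificate whose CN/SAN matches the client's SNI, and re-encrypts to SmarterMail with certificate verification so the internal hop is not silently downgraded. Submission on 587 uses STARTTLS, which a TLS-terminating proxy cannot switch certificates for, so it is passed through untouched.

```haproxy
global
    log /dev/log local0
    # Reject obsolete protocol versions on every TLS-terminating bind
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  10m
    timeout server  10m

# IMAP over implicit TLS (993). Every .pem in the directory (cert +
# chain + key) is loaded; HAProxy serves the one matching the SNI the
# client sends. The first file loaded is the default for clients that
# send no SNI at all.
frontend imaps_in
    bind *:993 ssl crt /etc/haproxy/certs/
    default_backend smartermail_imaps

# SMTP over implicit TLS (465), same mechanism.
frontend smtps_in
    bind *:465 ssl crt /etc/haproxy/certs/
    default_backend smartermail_smtps

# Submission (587) negotiates TLS via STARTTLS inside the SMTP session,
# so HAProxy cannot pick a certificate per hostname here. Pass it
# through unchanged; SmarterMail answers with its own certificate.
frontend submission_in
    bind *:587
    default_backend smartermail_submission

# Re-encrypt towards SmarterMail (assumed at 10.0.0.5) and verify the
# certificate it presents against the system CA bundle and the hostname
# it is known to serve, so a misrouted or spoofed backend is refused.
backend smartermail_imaps
    server sm1 10.0.0.5:993 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost webmail.abc.com

backend smartermail_smtps
    server sm1 10.0.0.5:465 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost webmail.abc.com

backend smartermail_submission
    server sm1 10.0.0.5:587
```

Two things to check before relying on this: SmarterMail will now see the proxy's address as the client IP on 993 and 465, which affects its logs and any IP-based abuse or brute-force protection, unless the backend can accept the PROXY protocol (do not assume it does); and the certificate directory has to be reloaded (HAProxy reload) whenever a customer's certificate is renewed, or clients will be served the expired one.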

0
Douglas Foster Replied
The other option is to use one certificate with multiple SANs.  It is also cheaper than 2 certificates if you are using a commercial CA.

0
Sébastien Riccio Replied
You're right Douglas.
I'd forgotten about this, because we never considered it due to the limitation of 100 SANs per certificate with Let's Encrypt, and this is a problem when you handle 5k+ domains.

Also, some customers wouldn't be happy to have their domain listed in the same certificate, mixed with other customers' domains.
We already had some customers complaining about this on another project where we used SANs.

It can also greatly help spammers get the list of domain names handled by the mail server. They can check the SAN list and then try to spam random mailboxes on these domains... A pain :)
Sébastien Riccio
System & Network Admin

1
Derek Curtis Replied
Employee Post
SNI is on our list of things to add in a future build. While they can be problematic for some, the unified cert is generally what we recommend for customers until that is implemented.
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
0
Douglas Foster Replied
A wildcard certificate for *.yourcompany.com would allow you to use a unique hostname for each client.

But then you have a transition problem that I cannot solve.
1
LeapSwitch Networks Replied
I am not sure why SM still doesn't support SNI. Every other free and paid mail server software has supported it for months or years. Is there any ETA on this?
