3
Not able to bind multiple SSL on Single IP Address
Problem reported by Pedro Javier - 7/25/2020 at 10:20 AM
Known
Hello Team,

I have two domains, as below:

webmail.abc.com
webmail.xyz.com

Both are using the same IP address. 

I have bound the SSL on webmail.abc.com and webmail.xyz.com, and when I browse the URLs, it shows me that the correct certificates are attached to these two domains. Now, the question is when I add the bindings for port 464 and 587 with the PFX file of webmail.abc.com & webmail.xyz.com: it is working fine for webmail.abc.com but not working for webmail.xyz.com (it shows the certificate mismatch error with the certificate of webmail.abc.com).

Is there any setting I need to apply to use the same IP address for different domains with SSL, or do I need to purchase a new IP address to fix this issue?

Please guide further.

Regards,
Pratik
Pratik Jajal
Younited Host - The best Web Hosting Provider
Email: pedro@younitedhost.com

12 Replies

0
Sébastien Riccio Replied
Hello, as far as I know SmarterMail doesn't support SNI (server name indication) that is needed to use multiple certificates on a single IP address/port.

It works for the webmail because IIS does support SNI.

Without SmarterTools adding SNI capability to their services implementation you have a couple of other options:

1) Give your customers a single hostname for their mail client configuration, not tied to their own domains. For example mail.yourcompany.com, and use a certificate for this hostname server side.

2) Dedicate an IP address for each customer and bind the ports on this IP address with the corresponding certificate (w.x.y.10 for mail.abc.com - w.x.y.11 for mail.xyz.com), but of course this will eat a lot of IP addresses if you want to do this for a lot of customers.

3) Use a POP/IMAP/SMTP proxy that is SNI capable in front of your SmarterMail.
    For example haproxy:
    Or dovecot in proxy mode, or any other proxy utility that supports SNI and POP/IMAP/SMTP protocols.

The easiest would be of course SNI support built into SmarterMail...

Kind regards

Sébastien Riccio System & Network Admin https://swisscenter.com
0
Douglas Foster Replied
The other option is to use one certificate with multiple SANs.  It is also cheaper than 2 certificates if you are using a commercial CA.

0
Sébastien Riccio Replied
You're right Douglas.
I'd forgotten about this, because we never considered it due to the limitation of 100 SANs per certificate with Let's Encrypt, and this is a problem when you handle 5k+ domains.

Also some customers wouldn't be happy to have their domain listed in the same certificate mixed with other customers' domains.
We already had some customers complaining about this on another project where we used SANs.

It can also greatly help spammers to get the list of domain names handled by the mail server. They can check the SANs list and then try to spam random mailboxes on these domains... A pain :)
Sébastien Riccio System & Network Admin https://swisscenter.com
2
Derek Curtis Replied
Employee Post
SNI is on our list of things to add in a future Build. While they can be problematic to some, the unified cert is generally what we recommend for customers until that is implemented. 
Derek Curtis COO SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Douglas Foster Replied
A wildcard certificate for *.yourcompany.com would allow you to use a unique hostname for each client.

But then you have a transition problem that I cannot solve.
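An added example (not from any poster or from SmarterTools) covering the SNI reply, the multi-SAN suggestion and the wildcard suggestion above: a Python check of which hostnames the certificate presented for each SNI name actually covers. The certificate dicts are constructed samples in `ssl.getpeercert()` format, and the helper names (`covers`, `audit`, `fetch_cert`) are hypothetical.

```python
import socket
import ssl

def san_names(cert):
    """DNS names from a certificate dict in ssl.getpeercert() format."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, hostname):
    """RFC 6125 style match: '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(cert, hostname):
    return any(name_matches(n, hostname) for n in san_names(cert))

def fetch_cert(ip, port, sni, timeout=5.0):
    """Handshake with a port that starts TLS immediately, sending `sni`.
    The chain is still validated; only the name check is left to covers()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def audit(hostnames, fetch):
    """Map each hostname to (covered?, names on the cert presented for that SNI)."""
    report = {}
    for host in hostnames:
        cert = fetch(host)
        report[host] = (covers(cert, host), san_names(cert))
    return report

# Constructed sample certificates (not taken from any real server).
ABC_ONLY = {"subjectAltName": (("DNS", "webmail.abc.com"),)}
UNIFIED = {"subjectAltName": (("DNS", "webmail.abc.com"),
                              ("DNS", "webmail.xyz.com"))}
WILDCARD = {"subjectAltName": (("DNS", "*.yourcompany.com"),)}

if __name__ == "__main__":
    hosts = ["webmail.abc.com", "webmail.xyz.com"]
    # Simulates a listener without SNI: the same certificate for every name.
    for host, (ok, names) in audit(hosts, lambda sni: ABC_ONLY).items():
        print(host, "OK" if ok else "MISMATCH", names)
```

Against a live server, pass `lambda sni: fetch_cert(ip, port, sni)` as `fetch`; a port that negotiates STARTTLS first needs that protocol upgrade before the handshake, which this sketch does not perform.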
1
LeapSwitch Networks Replied
I am not sure why SM still doesn't support SNI. Every other free and paid mail server software has supported it for months or years. Is there any ETA on this?
1
Antony Weaver Replied
I would like to allow customers to bring their own cert instead of using UCC certs with SANs (Alternative Names). It appears that the SNI solution in SM would be the best solution. This is another request for it.
1
Antony Weaver Replied
We've also used this method below but it causes Outlook to throw a 'domain mismatch' error when it runs autodiscover.enduserdomain.com. You can try to suppress the error using the regedit HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook\AutoDiscover\RedirectServers but that is a pain as well.

If the server is hosting multiple domains, then set up an SRV record for each additional domain that points to the domain with the SSL cert installed. I.e., mail.company1.com has the SSL cert and company2.com is using the same exchange server.
Set an SRV record under company2.com
_autodiscover._tcp 0 0 443 mail.company1.com 
 
Make sure the main domain has an A record
mail.company1.com x.x.x.x (where x.x.x.x is the IP address of the Exchange server)
6
Andrea Free Replied
Employee Post
Hello all,
 
I want to provide an update on the SNI feature request for SmarterMail. We have been in the process of implementing SNI in SmarterMail, along with dynamic certifications from SSL providers like Let's Encrypt or ZeroSSL. However, we ran into a limitation with the .NET Standard Framework that will not allow us to integrate at this time. To fully implement SNI support, it will require a transition to .NET Core.

.NET Core is on our roadmap and will also enable Linux integration for SmarterMail. Now that we've found that SNI requires it, it will urge us to move this transition up even more.
 
So, we are now reconsidering our plan for the remainder of the year and will share more information shortly. (The joys of constantly changing technologies!)

Thank you,
Andrea Free SmarterTools Inc. 877-357-6278 www.smartertools.com
1
Antony Weaver Replied
Thanks for the update.  We are still very interested in the SNI solution and will sit patiently (or not so patiently) by.
0
Antony Weaver Replied
What is the timetable of the .NET Core roadmap and support for the SNI solution?
0
Andrea Free Replied
Employee Post
Hi Antony, 

At this time, I don't have an update on where we're at with SNI implementation. But I know it requires .NET Core, which is currently in active development.
Andrea Free SmarterTools Inc. 877-357-6278 www.smartertools.com
