The details depend on how many other domains are on your email server.
When someone types "webmail.example.com", these events occur:
1) The name is converted to an IP address, so "webmail.example.com" has to exist in DNS as either an IPv4 "A" record, an IPv6 "AAAA" record, or a CNAME entry which can be resolved to an IPv4 or IPv6 address.
2) The browser then connects to the target IP address, and passes the name "webmail.example.com" as part of the connection request.
3) The web server (IIS) uses the host name to decide whether to allow the connection. In IIS, you specify the individual names that it accepts on a specific target address and port, or a default site that accepts all names for a particular target address and port.
4) Assuming that you are using HTTPS to get an encrypted session, the server responds with a certificate chain to prove its identity. The chain should include the server identity certificate and any intermediate certificates. The root certificate should not be part of the chain.
5) Your web browser verifies the legitimacy of the certificate chain. The chain needs to verify back to a root certificate which is already on your client device. Your device believes the names on the server certificate are true because chain verification proves that the certificate was issued by a root authority which you trust, as evidenced by the fact that you installed its root certificate on your device. The verification process involves digital signatures. Additionally, certificates expire regularly and certificates which are not valid for today's date are also untrusted.
6) Next, your web browser checks to see if the certificate includes the name that you used. The certificate has a name list. The certificate name list must include either "webmail.example.com" or "*.example.com". This proves to your device that you really connected to the intended server, and that your traffic was not hijacked in transit and redirected to a malicious site. Note that wildcard names only cover a single level: "*.example.com" matches "webmail.example.com" but it will not match "www.webmail.example.com". When using commercial certificates, you pay extra for a wildcard certificate, but it can be used on lots of servers. You also pay extra for each additional name included on a commercial certificate.
SmarterMail only supports one server certificate for the entire site, so that certificate must contain individual names or wildcard names for all of the domains on the SmarterMail server. Additionally, those names must be configured into IIS so that it accepts all of the names. Finally, all of those names must be configured into DNS so that the name resolves to an IP address.
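
The name check from step 6, applied to a server that hosts several domains behind one certificate, as an added example (not SmarterMail, IIS, or browser code). The function names and all host names below are constructed for illustration; it reports which host names a given certificate name list would leave uncovered.

```python
# Added example: constructed names, not taken from a real server.

def name_matches(pattern: str, host: str) -> bool:
    """Return True if one certificate name entry covers the host name.

    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label, as described in step 6.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        # "*.example.com" never covers "www.webmail.example.com"
        # and never covers the bare "example.com" either.
        return False
    if p_labels[0] == "*":
        # The wildcard replaces one non-empty label; the rest must be identical.
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_names(cert_names, required_hosts):
    """List the required host names that no certificate entry covers."""
    return [h for h in required_hosts
            if not any(name_matches(p, h) for p in cert_names)]


# Constructed sample: the name list on the single server certificate ...
CERT_NAMES = ["*.example.com", "webmail.example.net"]
# ... and the host names users of the hosted domains would type.
REQUIRED_HOSTS = [
    "webmail.example.com",
    "www.webmail.example.com",
    "webmail.example.net",
    "mail.example.net",
    "example.com",
]

if __name__ == "__main__":
    for host in uncovered_names(CERT_NAMES, REQUIRED_HOSTS):
        print("not covered by certificate:", host)
```

Each name it reports still needs its own entry or a matching wildcard on the certificate, in addition to the IIS binding and DNS record described above.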