2
But where are the certificates?
Question asked by Roger - 12/1/2023 at 1:15 AM
Answered
Hello everyone

As a domain administrator, I see the SSL Certificates tab under the settings where I have also prepared everything for Let's Encrypt. But where do I activate this for the individual domains?

I can't find anything in the domain settings and there is also nothing in the Settings - SSL certificates - Automatic certificates tab that can be selected, generated or otherwise handled in any way


And now on to the bindings. As I understand the SM team, the point is to be able to use the certificate for SMTP/S, IMAP4/S etc.

As an admin under Settings - Bindings - Ports for SMTP, for example, I would like to set up SMTP/S, but here too it requires the path to the certificate and a password... Sorry but I really don't understand it...


Greetings

12 Replies

Reply to Thread
0
Roger Replied
are there no informations?
0
I dont get it either....
0
Grady Werner Replied
Employee Post
SSL Certificates have undergone a few changes between the different versions of the BETA, and I can understand the confusion. Documentation is currently being worked on for this process, but I can give you some clarifications.

SNI is used to determine what certificate should be used for each connection. As a result, there is no longer any need for domains to set up their own certificates or Let's Encrypt integration. Instead, the system administrator uploads whatever certs they already have to the certificates folder (by default c:\smartermail\certificates). 

Let's Encrypt will generate certificates to that folder as well, using the same format that IIS Centralized Certificate Store uses. As a result, it should be significantly easier to make your IIS use the same set of certificates.

If you have your own cert generation app (certbot, certifytheweb, etc), you can configure it to export to that folder as well and SmarterMail should immediately pickup the new certs as long as you use a consistent (or no) password on them.

If you enable Let's Encrypt in the options tab, it will automatically attempt to create certificates for all domains and domain aliases, also trying to prefix them with the Prefix Hostnames entries from the options tab. Any of the names that represent this same SmarterMail instance when accessed through HTTP will be added to the Let's Encrypt queue.

If you're not seeing that populate, it's likely that certifytheweb or another client manager is installed. Some of them intercept all validation requests to the entire server and will not allow SmarterMail to do the domain validation. If you use one of those, you need to either move to SmarterMail Generated certs completely and uninstall certifytheweb, or tell certifytheweb to export copies of the PFX files to the c:\smartermail\certificates folder 

Now to port bindings. Because some clients do not support SNI, we need to have a fallback certificate for any secure connection. So you will still need to hook a certificate as a fallback certificate to each SSL/TLS binding the same way you have in the past. Until that's setup, the system cannot listen for TLS connections.

You can use a certificate under your c:\smartermail\certificates folder as your fallback certificate in port bindings if you wish, by the way.

We had toyed with just adding a "Make Default" option in the certificates list, but some customers have unusual setups where different IPs need different fallback certificates. 
Grady Werner
SmarterTools Inc.
www.smartertools.com
0
echoDreamz Replied
Grady, so SM does not apply the certificates to IIS?
1
Grady Werner Replied
Employee Post
It does not automatically, because we have to consider that IIS will not be the only target for the web side in the future. Instead, we recommend you configure Centralized Certificate Store in IIS to the C:\smartermail\certificates folder and change your SmarterMail mappings to integrate with it that way.
Grady Werner
SmarterTools Inc.
www.smartertools.com
0
Zach Sylvester Replied
Employee Post

Hello EchoDreamz,

Thank you for your query regarding the SSL certificate setup. I understand that navigating through these configurations can be a bit complex, so let me clarify things for you.

In our system, the SSL certificates aren't automatically linked to the IIS bindings in the traditional sense. Instead, we utilize the certificate store for a more streamlined approach. Here’s how it works:

  1. Creating IIS Bindings: When you set up an IIS binding for a specific domain, such as https://mail.example.com, you won’t be selecting a certificate directly from the list as you might be accustomed to. Instead, you'll choose the option to 'use certificate store'.

  2. How It Helps: This approach allows IIS to intelligently fetch the appropriate PFX file required for the SSL/TLS encryption of that particular domain. It simplifies the process by reducing manual selection errors and ensuring that the correct certificate is always applied.

  3. Future Resources: To assist you further, we are currently working on a comprehensive Knowledge Base (KB) article. This upcoming resource will include detailed steps, along with helpful visuals, to guide you through the entire process of setting up and managing SSL certificates. 

In the meantime, if you have any specific questions or encounter any challenges, please don't hesitate to reach out. 

Best Regards, 

Zach Sylvester

System/Network Administrator
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Tim Uzzanti Replied
Employee Post Marked As Answer
This is the recommended approach for IIS and how it will be handled on Linux as well.
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
echoDreamz Replied
Would it be possible to add some extra logging that indicates what PFX file or certificate was used for a connection?
0
Grady Werner Replied
Employee Post
Extra logging there is a good idea and fairly simple (at least for the port-based protocols like IMAP and SMTP, not so much the ones that IIS manages like EWS, etc). 

We'll get that into the normal level of logging for those non-IIS ones.
Grady Werner
SmarterTools Inc.
www.smartertools.com
1
Kyle Kerst Replied
Employee Post
Just wanted to confirm that logging is now present and functional now:

[2023.12.05] 12:43:09.052 [xx.xx.xx.xx][6929940] SNI using certificate mail.example.com.pfx for mail.example.com.
You'll see these in each protocol (non-IIS) as Grady pointed out above in the next build. Please let us know if you have any suggestions or feedback on this. Also, I wanted to note that I should have some detailed SSL setup documentation for new and existing environments ready for you guys in the next week or so with any luck!
Kyle Kerst
System/Network Administrator
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
2
echoDreamz Replied
So far, it is working brilliantly... Tested using the latest Tbird and Outlook, SNI worked like a charm, loaded the correct cert for SMTP and IMAP without issues.
1
Kyle Kerst Replied
Employee Post
That is awesome and exactly what we were hoping for! 
Kyle Kerst
System/Network Administrator
SmarterTools Inc.
(877) 357-6278
www.smartertools.com

Reply to Thread