3
from 8664 to 8776
Question asked by Sabatino - 1/16/2024 at 10:06 AM
Unanswered
I'm planning the big update
from 8664 to 8776

However I am quite worried

Cloning the VM to see if everything goes well is not a viable option: too much space and then I wouldn't be able to test the certificates anyway as the IP would not be the corresponding one in the DNS

For this reason, here are some doubts that I still have.
I will definitely install ARR first too in order to avoid unnecessary obstacles

My doubt remains about SSL.
From what I understand SM will create 1 or more bindings for each domain in IIS.
SNI works on IIS, but will it also work on the SMTP, IMAP etc. protocols?
I'll explain.
So far I have had most of my clients connect by giving
smtp.mymailserver.tld , imap.mymailserver.tld, pop.mymailserver.tld etc. etc.

Only for some domains I have created a certificate especially for them and therefore they have mail.theirdomain.tld

Now the intention is to create a non-free certificate *.miomailserver.tld and use that as the main one
So from what I understand I create the PFX with a password, deposit it in the centralized certificates folder and configure SM to read the certificates with that password.
I exclude mymailserver.tld from autogeneration (it exists in the mail domains of my SM).

Now does SM do the binding with the right certificate in IIS, or do I have to do it manually? Will the configuration described work?
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy

11 Replies

0
Heimir Eidskrem Replied
I have the same concern.
Not sure how to integrate Certifytheweb with the new SNI.
Have not looked at it yet.


2
Kyle Kerst Replied
Employee Post
SNI works regardless of whether your certificates are generated by SmarterMail or by CertifyTheWeb. As long as there is a PFX in your certificates directory (defined in Settings>SSL Certificates) that matches the hostname being requested by the user/client it will serve that PFX file, otherwise we fall back to the PFX defined in Settings>Bindings>Ports. With that being said, you won't be able to use both Certify and our certificate generation because CertifyTheWeb hijacks incoming .well-known requests preventing us from validating hostnames for you.
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
1
I have the same problem/doubt as Sabatino...

My SmarterMail v.8664 server has the Let's Encrypt certificate (made with CertifyTheWeb) linked to its FQDN (myservername.mydomain.com) and all users connect to this FQDN (the AUTODISCOVER records of the various customer domains also point to myservername.mydomain.com).

None of my clients' domains have their own custom FQDN (none of them have an FQDN like "MAIL.CUSTOMERDOMAIN.COM").

So everything works great without any problems.

Now in the transition to the new version I seem to have understood that SNI management automates the management of certificates for each individual customer domain, BUT NOT for the FQDN of the server itself.

Did I get it right?
If so, how can I activate SNI management while also maintaining the server FQDN certificate at the same time as those of the individual customer domains without there being any problems?

I ask this because if, after the upgrade, the "myserver.mydomain.com" certificate were no longer valid/renewable and I were forced to use the various customized "mail.customerdomain.com" FQDNs for each customer, this would involve an enormous amount of reconfiguration, both on the DNS side (to modify the references of the various "autodiscover" records) and above all on the client side, because every single user would have to reconfigure his MS Outlook (or whatever other client software he is using...).
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
1
We use bindings in IIS and separate certificates for each customer.

In our Smartermail setup only one pfx is used (our own certificates).
So if we change something then only one place has to be changed and everything will follow.
1
Sabatino Replied
Hi @Gabriele
Today I will install a test VM and test the configuration described. Let's see if it works as I expect
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Sabatino Replied
Here I am.
I created a test VM, trying to set it up as similar as possible to my main server in production, with SM version 8464.

The test server is mailmessage.it
With the classic method I created, via CertifyTheWeb, a certificate for:
DNS Name=imap.mailmessage.it
DNS Name=mailx.mailmessage.it
DNS Name=pop.mailmessage.it
DNS Name=smtp.mailmessage.it
DNS Name=smtp1.mailmessage.it
DNS Name=webmail.mailmessage.it

I created a couple of additional domains and created some email boxes by doing a restore (attach user) with the data of large boxes and/or particular characteristics.

Created the various bindings.
Everything working.

I pre-installed ARR, .NET 8 and URL Rewrite Module 2.

Uninstalled 8664 and installed 8776

Everything seems to have gone well.
A few tests and it seems there are no problems.

Next step, SSL autogeneration
And here I started to have problems.

1) Uninstalled CertifyTheWeb
2) Purchased a *.mailmessage.it wildcard certificate from Certum
3) Set the centralized certificates folder in IIS to D:\SmarterMail\Certificates, and likewise in SM with the same certificate password, using the admin account for access in IIS (therefore certainly accessible)

Fixed the various port bindings to refer to this new certificate.
Changed the IIS bindings to reference the centralized certificate.
4) Set everything that refers to .mailmessage.it in Automatic Certificates to disabled status, since I have loaded a *.mailmessage.it certificate

Various problems:
1) Self-generation takes more than 8 hours and it's not clear why, when with CertifyTheWeb it is practically immediate
2) The wildcard certificate doesn't seem to work.
The server does not seem to identify the correct certificate.

Nor does IIS.
From clients (eM Client) using imap.mailmessage.it it says that the certificate is incorrect.

Self-generated certificates, on the other hand, seem to work correctly.

I opened a ticket and am waiting for a response.

I attach some photos





Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
2
Sabatino Replied
update

Thanks to Tony Scholz who solved the problem.
To use wildcard certificates with IIS the PFX file must be named
_.domainname.tld


The follies of IIS.

I also installed the 8790 and I'll let you know how it goes.

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Sabatino Replied
I updated the ticket because this test often gives me errors

Not always, but often. It doesn't seem to happen to me with autogenerated SSL. I don't know if it's a real problem.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Sabatino Replied
Unfortunately I have not yet received a certain response from the ticket.
I keep getting an error from

and I don't understand if it's a problem with ssl-tools.net or the fact that there are problems with wildcard certificates

I see that while testing ssl-tools in the log I have the following error:


[2024.02.02] 11:15:08.396 [168.119.147.146][15015143] rsp: 220 smtp.mailmessage.it
[2024.02.02] 11:15:08.397 [168.119.147.146][15015143] connected at 02/02/2024 11:15:08
[2024.02.02] 11:15:08.398 [168.119.147.146][15015143] Country code: DE
[2024.02.02] 11:15:08.413 [168.119.147.146][15015143] cmd: EHLO ssl-tools.net
[2024.02.02] 11:15:08.416 [168.119.147.146][15015143] rsp: 250-smtp.mailmessage.it Hello [168.119.147.146]250-SIZE 699050666250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2024.02.02] 11:15:08.431 [168.119.147.146][15015143] cmd: STARTTLS
[2024.02.02] 11:15:08.432 [168.119.147.146][15015143] rsp: 220 Start TLS negotiation
[2024.02.02] 11:15:08.447 [168.119.147.146][15015143] SNI using fallback binding certificate _.mailmessage.it.pfx for mailx.mailmessage.it.
[2024.02.02] 11:15:08.465 [168.119.147.146][15015143] rsp: 554 Security failure
[2024.02.02] 11:15:08.467 [168.119.147.146][15015143] Exception negotiating TLS session: System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
[2024.02.02]  ---> System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.
[2024.02.02]    at System.Net.Sockets.NetworkStream.Read(Span`1 buffer)
[2024.02.02]    --- End of inner exception stack trace ---
[2024.02.02]    at System.Net.Sockets.NetworkStream.Read(Span`1 buffer)
[2024.02.02]    at System.Net.Security.SyncReadWriteAdapter.ReadAsync(Stream stream, Memory`1 buffer, CancellationToken cancellationToken)
[2024.02.02]    at System.Net.Security.SslStream.EnsureFullTlsFrameAsync[TIOAdapter](CancellationToken cancellationToken, Int32 estimatedSize)
[2024.02.02]    at System.Runtime.CompilerServices.PoolingAsyncValueTaskMethodBuilder`1.StateMachineBox`1.System.Threading.Tasks.Sources.IValueTaskSource<TResult>.GetResult(Int16 token)
[2024.02.02]    at System.Net.Security.SslStream.ReceiveHandshakeFrameAsync[TIOAdapter](CancellationToken cancellationToken)
[2024.02.02]    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2024.02.02]    at System.Net.Security.SslStream.AuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions)
[2024.02.02]    at SmarterMail.Protocols.Common.PooledTcpItem.ConvertToSSL(db_system_binding_port setting, Log log, String sessionId)
[2024.02.02]    at SmarterMail.Protocols.Common.PooledTcpItem.ConvertToSSL(db_system_binding_port setting)
[2024.02.02]    at SmarterMail.Protocols.SMTP.SMTPSession.STARTTLS()
[2024.02.02] 11:15:08.469 [168.119.147.146][15015143] disconnected at 02/02/2024 11:15:08

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Sabatino Replied
Is there a problem with the fallback mechanism?


[2024.02.02] 11:15:08.447 [168.119.147.146][15015143] SNI using fallback binding certificate _.mailmessage.it.pfx for mailx.mailmessage.it.
[2024.02.02] 11:15:08.465 [168.119.147.146][15015143] rsp: 554 Security failure
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
2
Sabatino Replied
I don't know how many of you this might be of interest to, I also have an open ticket on this.
I set up a mailmessage.it test server and bought a paid certificate to do the tests.

I'll explain what I discovered about certificates:



After many tests I'll tell you what I discovered

The problem occurs when the fallback certificate is used

I don't know why https://ssl-tools.net/mailservers/mailmessage.it does not pass the SNI and therefore the fallback certificate is used

If you put a wildcard certificate as a fallback certificate it gives the error in the test.

I then generated a new multi-domain certificate (not the free ones).
Common Name (CN) mailx.mailmessage.it
Alternative Names
imap.mailmessage.it
mail.mailmessage.it
mailx.mailmessage.it
pop.mailmessage.it
smtp.mailmessage.it

If I use this certificate with fallback the test passes. However, if I use this certificate for IIS, only https://mailx.mailmessage.it works, i.e. only with the common name.

I was able to get a working setup this way.
In the centralized certificates folder I put the wildcard certificate _.mailmessage.it
In a folder (D:\SmarterMail\Certificates-fallback) I put the multidomain certificate and used it as a fallback certificate
This way everything seems to work.

You will wonder why all this.
I like the idea of SNI with letsencrypt but as the server's main certificate I would prefer to use a certificate issued by a more reliable certification body.
However, even if I wanted to use letsencrypt for all domains I find that the current configuration is lacking.
I'll explain.
If my server is mailmessage.it it is better for me to use a DNS name for each service, i.e. imap.mailmessage.it, smtp.mailmessage.it etc.
For the other domains I would like to be able to use only some DNS domains:
mail.domainname.tld webmail.domainname.tld
This could be solved by adding an Add button to the Automatic Certificates tab to insert custom domains.
Now the only possibility is in the options under hostname prefixes, but in this case it would apply to all domains.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
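Added example (editor's code, not SmarterMail's, IIS's or any poster's): a small Python script that models the certificate selection Kyle describes above (a PFX in the certificates folder named after the requested SNI hostname is served, otherwise the fallback binding PFX is used), the `_.domainname.tld` wildcard file naming Sabatino found for IIS, and a STARTTLS probe that reports which names the served certificate actually carries for a chosen SNI name, so the "fallback certificate used for mailx.mailmessage.it" situation in the log can be checked directly instead of via ssl-tools.net. The `match_wildcards` switch (whether `_.` files are honoured during lookup), the file names and the certificate dictionary are assumptions or constructed data; SmarterMail's real selection code is not on this page.

```python
"""Added example (not SmarterMail's or IIS's own code).

Part 1 emulates the per-hostname PFX lookup described in this thread; part 2
probes a live SMTP port with STARTTLS and reports which names the served
certificate carries for the SNI name you choose.
"""
import socket
import ssl
import sys
from typing import Iterable, List, Optional, Tuple

# Naming rule reported in the thread for the IIS Centralized Certificate
# Store: a wildcard PFX is stored as "_.domain.tld.pfx".
WILDCARD_PREFIX = "_."


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*.x.tld' covers exactly one extra label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".x.tld"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return bool(label) and "." not in label
    return pattern == hostname


def pfx_to_pattern(filename: str) -> Optional[str]:
    """'mail.a.tld.pfx' -> 'mail.a.tld'; '_.a.tld.pfx' -> '*.a.tld'; else None."""
    if not filename.lower().endswith(".pfx"):
        return None
    stem = filename[:-4].lower()
    if stem.startswith(WILDCARD_PREFIX):
        return "*." + stem[len(WILDCARD_PREFIX):]
    return stem


def select_certificate(store_files: Iterable[str], sni_hostname: Optional[str],
                       fallback: str, match_wildcards: bool) -> Tuple[str, bool]:
    """Return (pfx_filename, used_fallback). An exact-name PFX always wins;
    "_." wildcard files count only when match_wildcards is True (assumed IIS
    behaviour). The thread's log, where mailx.mailmessage.it went to the
    fallback, corresponds to match_wildcards=False."""
    if not sni_hostname:                           # client sent no SNI at all
        return fallback, True
    wildcard_hit = None
    for name in sorted(store_files):
        pattern = pfx_to_pattern(name)
        if pattern is None:
            continue
        if not pattern.startswith("*."):
            if hostname_matches(pattern, sni_hostname):
                return name, False
        elif match_wildcards and wildcard_hit is None and hostname_matches(pattern, sni_hostname):
            wildcard_hit = name
    return (wildcard_hit, False) if wildcard_hit else (fallback, True)


def cert_names(cert: dict) -> List[str]:
    """Subject CN followed by DNS SANs, from an ssl.getpeercert() dict."""
    names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names


def served_cert_covers(cert: dict, sni_hostname: str) -> bool:
    """True if any CN/SAN on the served certificate covers the SNI name."""
    return any(hostname_matches(n, sni_hostname) for n in cert_names(cert))


def _smtp_reply(sock: socket.socket) -> str:
    """Read one (possibly multi-line) SMTP reply; the last line is 'NNN ' not 'NNN-'."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = buf.split(b"\r\n")
        if buf.endswith(b"\r\n") and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            return buf.decode("latin-1")


def starttls_probe(host: str, sni_hostname: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Banner -> EHLO -> STARTTLS -> TLS handshake carrying sni_hostname.
    Chain verification stays on; the hostname judgement is ours (served_cert_covers)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        _smtp_reply(sock)                          # 220 banner
        sock.sendall(b"EHLO probe.invalid\r\n")
        _smtp_reply(sock)
        sock.sendall(b"STARTTLS\r\n")
        if not _smtp_reply(sock).startswith("220"):
            return {"sni": sni_hostname, "error": "STARTTLS refused"}
        tls = ctx.wrap_socket(sock, server_hostname=sni_hostname)
        cert = tls.getpeercert()
        tls.close()
        return {"sni": sni_hostname, "names": cert_names(cert),
                "covers_sni": served_cert_covers(cert, sni_hostname)}
    except (ssl.SSLError, OSError) as exc:        # covers the reset seen in the thread's log
        return {"sni": sni_hostname, "error": str(exc)}
    finally:
        sock.close()


if __name__ == "__main__":
    store = ["_.mailmessage.it.pfx", "mail.customer.tld.pfx"]   # constructed folder listing
    for mode in (False, True):
        print("mailx.mailmessage.it, wildcards=%s ->" % mode,
              select_certificate(store, "mailx.mailmessage.it", "fallback.pfx", mode))
    if len(sys.argv) == 3:                         # usage: python sni_probe.py <host> <sni-name>
        print(starttls_probe(sys.argv[1], sys.argv[2]))
```

Run it with a host and an SNI name to see the CN/SANs the server picks for that name; a result where `covers_sni` is false while the name is one you expect to be served is the same condition the log above shows before the "554 Security failure". The offline part reproduces why a wildcard PFX in the central folder does not help the mail protocols when only exact file names are matched, while a multi-domain PFX with the service names as SANs works as the fallback.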
