from 8664 to 8776
Question asked by Sabatino - 1/16/2024 at 10:06 AM
I'm planning the big update
from 8664 to 8776

However I am quite worried

Cloning the VM to see if everything goes well is not a viable option: too much space and then I wouldn't be able to test the certificates anyway as the IP would not be the corresponding one in the DNS

For this reason, here are some doubts that I still have.
I will definitely install ARR first too in order to avoid unnecessary obstacles

My doubt remains on ssl
From what I understand SM will create 1 or more bindings for each domain in IIS
Sni works on IIS but will it also work on SMTP, Imap etc. protocols?
I'll explain.
So far I have had most of my clients connect by giving
smtp.mymailserver.tld , imap.mymailserver.tld, pop.mymailserver.tld etc. etc.

Only for some domains I have created a certificate especially for them and therefore they have mail.theirdomain.tld

Now the intention is to create a non-free certificate *.miomailserver.tld and use that as the main one
So from what I understand I create the pfx with password and deposit it in the centralized certificates folder and configure sm to read the certificates with that password.
I exclude mymailserver.tld from autogeneration (which exists in the mail domains of my SM)

Now does SM bindind with the right certificate in IIS or do I have to do it manually? Will this configuration described work?
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy

11 Replies

Reply to Thread
Heimir Eidskrem Replied
I have the same concern.
Not sure how to integrate Certifytheweb with the new SNI.
Have not looked at it yet.

Kyle Kerst Replied
Employee Post
SNI works regardless of whether your certificates are generated by SmarterMail or by CertifyTheWeb. As long as there is a PFX in your certificates directory (defined in Settings>SSL Certificates) that matches the hostname being requested by the user/client it will serve that PFX file, otherwise we fall back to the PFX defined in Settings>Bindings>Ports. With that being said, you won't be able to use both Certify and our certificate generation because CertifyTheWeb hijacks incoming .well-known requests preventing us from validating hostnames for you.
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
I have the same problem/doubt as Sabatino...

My SmarterMail v.8664 server has the Let'sEncrypt certificate (made with CerifyTheWeb) linked to its FQDN (myservername.mydomain.com) and all users connect to this FQDN (also the AUTODISCOVER records of the various customer domains point to myservername.mydomain.com).

None of my clients' domains have their own custom FQDN (none of them have an FQDN like "MAIL.CUSTOMERDOMAIN.COM").

So everything works great without any problems.

Now in the transition to the new version I seem to have understood that SNI management automates the management of certificates for each individual customer domain, BUT NOT for the FQDN of the server itself.

Did I get it right?
If so, how can I activate SNI management while also maintaining the server FQDN certificate at the same time as those of the individual customer domains without there being any problems?

I ask this because if after the upgrade the "myserver.mydomain.com" certificate was no longer valid/renewable and I was forced to use the various "mail.customerdomain.com" FQDNs customized for each customer, this would involve an enormous amount of reconfigurations, both on the DNS side (to modify the references of the various "autodiscover"), but above all on the client side, because every single user should reconfigure his MS Outlook (or any other client software he is using...)
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
We use bindings in IIS and seperate certificates for each customer.

In our Smartermail setup only one pfx is used (our own certificates).
So if we change something then only one place has to be changed and everything will follow.
Sabatino Replied
Hi @Gabriele
Today I will install a test VM and test the configuration described. Let's see if it works as I expect
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Sabatino Replied
Here I am.
I created a test vm trying to set it as similar as possible to my main server in production with SM version 8464

The test server is mailmessage.it
with the classic method I created, via certifytheweb, certificate for
DNS Name=imap.mailmessage.it
DNS Name=mailx.mailmessage.it
DNS Name=pop.mailmessage.it
DNS Name=smtp.mailmessage.it
DNS Name=smtp1.mailmessage.it
DNS Name=webmail.mailmessage.it

I created a couple of additional domains and created some email boxes by doing a restore (attach user) with the data of large boxes and/or particular characteristics.

Created the various bindings.
Everything working.

I have pre-installed ARR, net 8 and URL Rewrite Module 2

Uninstalled 8664 and installed 8776

Everything seems to have gone well.
A few tests and it seems there are no problems.

Next step, SSL autogeneration
And here I started to have problems.

1) uninstalled certifytheweb
2) Purchased a *.mailmessage.it wildcard certificate from certum
3) Set the centralized certificates folder in iis to D:\SmarterMail\Certificates and also an SM with the same certificate pass and using the admin account for access in iis (therefore certainly accessible)

Fixed various port bindings to refer to this new certificate.
Changed iis bindings to reference centralized certificate
4) Set in automatic Certificates everything that refers to .mailmessage.it to disabled status, since I have loaded a *.mailmessage.it certificate

Various problems:
1) self-generation takes more than 8 hours and it's not clear why, when with certifytheweb it is practically immediate
2) the wildcard certificate doesn't seem to work.
the server does not seem to use identify the correct certificate

But not even iis
From clients (em client) using imap.mailmessage.it it says that the certificate is incorrect

Self-generated certificates on the other hand seem to work correctly

I opened a ticket and am waiting for a response.

I attach some photos

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Sabatino Replied

Thanks to Tony Scholz who solved the problem.
To use wildcard certificates with iis the pfx file must have a name

The follies of IIS.

I also installed the 8790 and I'll let you know how it goes.

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Sabatino Replied
I updated the ticket because this test often gives me errors

Not always, but often. It doesn't seem to happen to me with autogenerated ssl. I don't know if it's a real problem.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Sabatino Replied
Unfortunately I have not yet received a certain response from the ticket.
I keep getting error from

and I don't understand if it's a problem with ssl-tools.net or the fact that there are problems with wildcard certificates

I see that while testing ssl-tools in the log I have the following error:

[2024.02.02] 11:15:08.396 [][15015143] rsp: 220 smtp.mailmessage.it
[2024.02.02] 11:15:08.397 [][15015143] connected at 02/02/2024 11:15:08
[2024.02.02] 11:15:08.398 [][15015143] Country code: DE
[2024.02.02] 11:15:08.413 [][15015143] cmd: EHLO ssl-tools.net
[2024.02.02] 11:15:08.416 [][15015143] rsp: 250-smtp.mailmessage.it Hello []250-SIZE 699050666250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2024.02.02] 11:15:08.431 [][15015143] cmd: STARTTLS
[2024.02.02] 11:15:08.432 [][15015143] rsp: 220 Start TLS negotiation
[2024.02.02] 11:15:08.447 [][15015143] SNI using fallback binding certificate _.mailmessage.it.pfx for mailx.mailmessage.it.
[2024.02.02] 11:15:08.465 [][15015143] rsp: 554 Security failure
[2024.02.02] 11:15:08.467 [][15015143] Exception negotiating TLS session: System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
[2024.02.02]  ---> System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.
[2024.02.02]    at System.Net.Sockets.NetworkStream.Read(Span`1 buffer)
[2024.02.02]    --- End of inner exception stack trace ---
[2024.02.02]    at System.Net.Sockets.NetworkStream.Read(Span`1 buffer)
[2024.02.02]    at System.Net.Security.SyncReadWriteAdapter.ReadAsync(Stream stream, Memory`1 buffer, CancellationToken cancellationToken)
[2024.02.02]    at System.Net.Security.SslStream.EnsureFullTlsFrameAsync[TIOAdapter](CancellationToken cancellationToken, Int32 estimatedSize)
[2024.02.02]    at System.Runtime.CompilerServices.PoolingAsyncValueTaskMethodBuilder`1.StateMachineBox`1.System.Threading.Tasks.Sources.IValueTaskSource<TResult>.GetResult(Int16 token)
[2024.02.02]    at System.Net.Security.SslStream.ReceiveHandshakeFrameAsync[TIOAdapter](CancellationToken cancellationToken)
[2024.02.02]    at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
[2024.02.02]    at System.Net.Security.SslStream.AuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions)
[2024.02.02]    at SmarterMail.Protocols.Common.PooledTcpItem.ConvertToSSL(db_system_binding_port setting, Log log, String sessionId)
[2024.02.02]    at SmarterMail.Protocols.Common.PooledTcpItem.ConvertToSSL(db_system_binding_port setting)
[2024.02.02]    at SmarterMail.Protocols.SMTP.SMTPSession.STARTTLS()
[2024.02.02] 11:15:08.469 [][15015143] disconnected at 02/02/2024 11:15:08

Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Sabatino Replied
Is there a problem with the fallback mechanism?

[2024.02.02] 11:15:08.447 [][15015143] SNI using fallback binding certificate _.mailmessage.it.pfx for mailx.mailmessage.it.
[2024.02.02] 11:15:08.465 [][15015143] rsp: 554 Security failure
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Sabatino Replied
I don't know how many of you this might be of interest to, I also have an open ticket on this.
I set up a mailmessage.it test server and bought a paid certificate to do the tests.

I'll explain what I discovered about certificates:


After many tests I'll tell you what I discovered

The problem occurs when the fallback certificate is used

I don't know why https://ssl-tools.net/mailservers/mailmessage.it does not pass the SNI and therefore the fallback certificate is used

If you put a wildcard certificate as a fallback certificate it gives the error in the test.

I then generated a new multi-domain certificate (not the free ones).
Common Name (CN) mailx.mailmessage.it
Alternative Names

If I use this certificate with fallback the test passes. However, if I use this certificate for IIS, only https://mailx.mailmessage.it works, i.e. only with the common name.

I was able to get a working setup this way.
In the centralized certificates folder I put the wildcard certificate _.mailmessage.it
In a folder (D:\SmarterMail\Certificates-fallback) I put the multidomain certificate and used it as a fallback certificate
This way everything seems to work.

You will wonder why all this.
I like the idea of SNI with letsencrypt but as the server's main certificate I would prefer to use a certificate issued by a more reliable certification body.
However, even if I wanted to use letsencrypt for all domains I find that the current configuration is lacking.
I'll explain.
If my server is mailmessage.it it is better for me to use a DNS name for each service. then imap.mailmessage.it smtp.mailmessage.it etc.
For the other domains I would like to be able to use only some DNS domains
mail.domainname.tld webmail.domainname.tld
This could be solved by adding an add to the automatic Certificates tab to insert custom domains.
Now the only possibility is in options in hostname prefixs, but in this case it would apply to all domains.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy

Reply to Thread