SSL certificate
Idea shared by Sabatino - 2/7/2024 at 10:28 AM
I find the configuration at server level on the automatic generation of certificates incorrect.
It is a setting that ends up considering all domains the same, and all with the same personalized hostnames.

In my opinion it should be moved to domain level. Each domain should have the option to enable/disable automatic certificate generation and its custom hostnames.
Obviously inherited from domain default.

And then I don't really understand this fallback thing.
If I issued a personalized certificate to a customer, for example mail.customers.tld, and he connects to his client, if the SNI is not activated and he switches to the fallback certificate, this will be a certificate for my server name, i.e. mail.myserver.tld, so he would tell me that the certificate is incorrect.
Sabatino Traini
Chief Information Officer
Genial s.r.l.
Martinsicuro - Italy

I agree
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
Zach Sylvester Replied
Employee Post
Hey Sabatino, 

When this feature was in beta it was originally at the domain level. But then we realized that this should be done at the system level because domain admins are most often the end users and they would not always understand what a certificate is and how it should be set up etc. So we concluded that the SSL configuration should be the responsibility of the system admin and moved it to the system level. The fallback cert is there in case the domain doesn't have a certificate because while they would get a certificate error SSL/TLS would still work. In most cases and configurations SSL and hostnames will be universal on domains that are hosted on the same server. This is how most people's SmarterMail servers are configured that I've looked at. 

But please let me know what you think and what your argument is for this and I will put it in the feature request. 

Kind Regards, 

Zach Sylvester System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
But I certainly didn't mean to let domain administrators manage SSL.
Still at system administration, but at the individual domain level.
Already now, not everything that is set at the domain level can be managed by the domain administrator (for example: quotas, features, security).

So you could manage SSL at the domain level without giving the domain administrator access to it.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy