TLS and SSL with multiple Subject Alternative Names?
Question asked by Dave Beckstrom - 3/20/2024 at 5:22 AM
I'm running an older version of smartermail - Enterprise 15.7 which suits my needs.  It doesn't have automatic SSL certificates.

I recently enabled TLS and installed a LetsEncrypt SSL with multiple domains on the same cert and I bound that to the appropriate ports in smartermail.

Now when I set up outlook and I tell it to use STARTTLS as the encryption instead of SSL/TLS I get an error message in outlook that "the target principal name is incorrect"

I have a few questions:

1) Should outlook be set to SSL/TLS or STARTTLS when configuring an email account?  I'm newly using IMAP instead of POP.

2) Smartermail binds the certificate to a port (e.g. 143)  I assume since I only have 3 or 4 domains that I could get an SSL for each domain and resolve that error.  However, since only 1 cert can be associated with the PORT I have no idea how each domain could have its own cert.

1 Reply

Reply to Thread
Douglas Foster Replied
Several things to look at:
1) Does your Outlook client have the correct root certificate for your new Lets Encrypt certificate?

2) Is the Outlook client connecting to your server using an IP address or a host name, and is it using the correct host name?   Outlook is connecting to the server, not to the domain, so I think you have to use the host name configured in System Admin, even if you have unique names for each webmail domain.

3) SmarterMail uses terminology in a confusing way.   When configuring ports for SmarterMail, "SSL" means mandatory encryption, while "TLS" means optional encryption using STARTTLS.    They should change the labelling to match outlook:   SSL/TLS for mandatory and STARTTLS for optional.   

You need STARTTLS for port 25, because it has to be upward compatible with original email technology that did not use encryption at all.  The remote server connects, the local server responds indicating support for STARTTLS, and then the remote server requests switchover to encryption mode.    Within SmarterMail, this means that port 25 must be configured with the "TLS" setting.

For client connections, the client and server should know that both ends can do encryption.   Best practice is to make encryption mandatory, not optional.   This means that you want to use a submission port set to "SSL" in SmarterMail.   Within Outlook, mandatory encryption is specified by using the "SSL/TLS" option rather than "STARTTLS".   Both ends need to match.   
  • If SmarterMail is configured for "TLS" (optional encryption, then Outlook must be set to "STARTTLS".
  • If SmarterMail is set to "SSL" (mandatory encryption), then Outlook must be set to "SSL/TLS".T
Used properly, the names SSL and TLS refer to protocol versions.   SSL 3 is an old encryption algorithm which has been deprecated as insecure.  (STARTTLS became available as part of TLS1.0)   SSL 3 was superseded by TLS1.0, TLS1.1, TLS1.2, and then TLS1.3.   Currently, anything before TLS1.2 is considered insecure.  The actual protocol version used is determined by what protocols are allowed in your system configuration, not by the port settings.    SmarterMail uses operating system protocol options by default, but the system administrator can configure SmarterMail to use only a subset of the ones supported by the operating system.   It cannot support protocols that are not available in the operating system.   TLS1.3 requires a very recent version of Windows,  I think it is standard in Server 2021 and maybe available as an add-on in Server 2019, but not available at all in older systems.

Reply to Thread