TLS and SSL with multiple Subject Alternative Names?
Question asked by Dave Beckstrom - 3/20/2024 at 5:22 AM
Unanswered
I'm running an older version of smartermail - Enterprise 15.7 which suits my needs.  It doesn't have automatic SSL certificates.

I recently enabled TLS and installed a LetsEncrypt SSL with multiple domains on the same cert and I bound that to the appropriate ports in smartermail.

Now when I set up outlook and I tell it to use STARTTLS as the encryption instead of SSL/TLS I get an error message in outlook that "the target principal name is incorrect"

I have a few questions:

1) Should outlook be set to SSL/TLS or STARTTLS when configuring an email account?  I'm newly using IMAP instead of POP.

2) Smartermail binds the certificate to a port (e.g. 143)  I assume since I only have 3 or 4 domains that I could get an SSL for each domain and resolve that error.  However, since only 1 cert can be associated with the PORT I have no idea how each domain could have its own cert.
Douglas Foster Replied
Several things to look at:
1) Does your Outlook client have the correct root certificate for your new Lets Encrypt certificate?

2) Is the Outlook client connecting to your server using an IP address or a host name, and is it using the correct host name?   Outlook is connecting to the server, not to the domain, so I think you have to use the host name configured in System Admin, even if you have unique names for each webmail domain.

3) SmarterMail uses terminology in a confusing way.   When configuring ports for SmarterMail, "SSL" means mandatory encryption, while "TLS" means optional encryption using STARTTLS.    They should change the labelling to match outlook:   SSL/TLS for mandatory and STARTTLS for optional.   

You need STARTTLS for port 25, because it has to be upward compatible with original email technology that did not use encryption at all.  The remote server connects, the local server responds indicating support for STARTTLS, and then the remote server requests switchover to encryption mode.    Within SmarterMail, this means that port 25 must be configured with the "TLS" setting.

For client connections, the client and server should know that both ends can do encryption.   Best practice is to make encryption mandatory, not optional.   This means that you want to use a submission port set to "SSL" in SmarterMail.   Within Outlook, mandatory encryption is specified by using the "SSL/TLS" option rather than "STARTTLS".   Both ends need to match.   
  • If SmarterMail is configured for "TLS" (optional encryption), then Outlook must be set to "STARTTLS".
  • If SmarterMail is set to "SSL" (mandatory encryption), then Outlook must be set to "SSL/TLS".
Used properly, the names SSL and TLS refer to protocol versions.   SSL 3 is an old encryption algorithm which has been deprecated as insecure.  (STARTTLS became available as part of TLS1.0)   SSL 3 was superseded by TLS1.0, TLS1.1, TLS1.2, and then TLS1.3.   Currently, anything before TLS1.2 is considered insecure.  The actual protocol version used is determined by what protocols are allowed in your system configuration, not by the port settings.    SmarterMail uses operating system protocol options by default, but the system administrator can configure SmarterMail to use only a subset of the ones supported by the operating system.   It cannot support protocols that are not available in the operating system.   TLS1.3 requires a very recent version of Windows,  I think it is standard in Server 2021 and maybe available as an add-on in Server 2019, but not available at all in older systems.
Travis Smith Replied
  1. When setting up Outlook with SmarterMail, it’s best to use SSL/TLS instead of STARTTLS, as SSL/TLS establishes a secure connection immediately, reducing certificate mismatch issues. STARTTLS upgrades an existing connection, which can trigger the “target principal name is incorrect” error if the certificate’s Common Name (CN) or SANs don’t match the domain you’re connecting to.

  2. SmarterMail 15.7 allows only one certificate per port, so even if you have multiple domains, only one SSL/TLS certificate can be bound to a specific service port (e.g., 143 for IMAP). To fix this, ensure your Let’s Encrypt certificate includes all your domains under the SAN field, so one cert can serve all.

  3. If that’s not possible, you can assign different ports per domain with unique certificates, but this requires custom client configurations.

  4. Make sure Outlook connects to the exact domain name listed on the certificate (e.g., mail.yourdomain.com).

  5. Also, check your TLS version; enabling TLS 1.2 or TLS 1.3 in both SmarterMail and Outlook provides stronger encryption and better compatibility with modern clients.
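The name check behind the "target principal name is incorrect" error, as an added example that is not part of this thread or of SmarterMail: a small SAN matcher (modern clients ignore the CN once SANs are present) plus a probe that connects to an IMAP server either with implicit TLS (Outlook "SSL/TLS") or via STARTTLS (Outlook "STARTTLS") using only Python's standard library and reports whether the certificate verifies for the host name you typed. All host names below are constructed placeholders.

```python
import imaplib
import ssl


def san_matches(hostname: str, sans) -> bool:
    """Return True if hostname is covered by one of the certificate's dNSName SANs.
    Rules follow RFC 6125: case-insensitive exact match, or a single leading
    wildcard label ('*.example.com') that covers exactly one label."""
    host = hostname.rstrip(".").lower().split(".")
    for san in sans:
        pattern = san.rstrip(".").lower().split(".")
        if len(pattern) != len(host):
            continue
        if pattern[0] == "*":
            # a wildcard covers one label only and never the bare domain itself
            if len(host) >= 3 and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def probe_imap(host: str, port: int, starttls: bool) -> dict:
    """Connect to IMAP with implicit TLS (typically 993) or by upgrading a plain
    connection with STARTTLS (typically 143) and report whether the presented
    certificate verifies for `host`. A name mismatch fails here exactly the way
    Outlook reports it, regardless of which of the two modes is used."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # anything older is considered insecure
    try:
        if starttls:
            conn = imaplib.IMAP4(host, port)
            conn.starttls(ctx)  # raises ssl.SSLCertVerificationError on a bad name
        else:
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
        cert = conn.sock.getpeercert()
        sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        conn.logout()
        return {"ok": True, "sans": sans, "covers_host": san_matches(host, sans)}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Constructed placeholder values: one multi-domain cert, two client host names
    cert_sans = ["mail.example.com", "webmail.example.net"]
    for name in ("mail.example.com", "imap.example.com"):
        print(name, "covered by cert:", san_matches(name, cert_sans))
    # Against a live server: probe_imap("mail.example.com", 993, starttls=False)
```

If `probe_imap` returns `ok` for one mode but not the other, the certificate bound to that port is the one to look at; if both fail with a verification error, the host name in Outlook is not in the SAN list.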
