Secure Protocols and Bindings
Problem reported by Harland Adelaars - 5/2/2024 at 2:40 AM
When I inspect the bindings in the configuration, I notice that nothing is automatically enabled for secure connections. POP, IMAP, and SMTP are only available on the default ports without TLS or SSL.

Why isn't secure email configured by default upon installation? It's a necessity in today's digital landscape.

Additionally, when adding ports, we're required to manually select a certificate. Why isn't this process automated based on the connections made? SmarterMail already has access to information about created certificates, so it should utilize that data.

For example, if I connect to mail.domain1.com, it should automatically use the corresponding certificate, and the same principle should apply to other domain names.

6 Replies

Patrick Jeski Replied
You can edit each port and select SSL or TLS; the port number will change automatically if applicable.

If the client uses SNI, the correct cert should be chosen automatically. If the client doesn't use SNI, the cert you manually configured is the backup.
Kyle Kerst Replied
Employee Post
Hi Harland, I'd be happy to help clarify here. First, SSL/TLS isn't set up by default because it requires administrator involvement currently, and isn't necessary in all deployments. We have quite a few customers who use SmarterMail in an offline environment which won't even support SSL, so this is available as an option above and beyond the defaults. 

As Patrick pointed out - the certificate selection you're doing in Settings>Bindings>Ports is a "fall-back" certificate in that this PFX will only be selected for STARTTLS/SSL IF a better certificate isn't found in the certificates directory as part of our SNI implementation. Usually I instruct customers to set this fallback cert as the system level hostname's SSL certificate so that if a client tries to connect on a domain that does not yet have SSL, they'll at least be able to continue the secure connectivity using your main hostname. 

I hope that helps!
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
Dan Ritchey Replied
I'm trying to understand this myself.
So, if I'm using the automatic certificates, then I don't need to set up port bindings for SSL (IMAPS, SMTPS, etc.) because it's all taken care of automagically in the background?
Patrick Jeski Replied
Yes, you still do need to set up the cert in bindings. Non-SNI MX connections are common. And also, it doesn't matter whether the certs are automatic or not; the feature still works.
Matt Petty Replied
Employee Post
The cert set up in bindings is used as a last resort: if we don't find a matching cert in the automatic certificates area (or it's not configured), we will then use the one in bindings.

Like Patrick mentioned, sometimes during SMTP the server talking to us won't use SNI, so we have no way of knowing which cert should be used and thus it will use the one in bindings.

I could see the potential for moving away from the cert in bindings and then picking or adding a cert in the automatic area and then designate it as the "default", we'd be able to migrate this automatically for current installs.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
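The replies above describe two paths: a client that sends SNI gets the matching certificate from the certificates folder, and a client that sends no SNI (common for inbound SMTP from other MX hosts) gets the fallback certificate chosen under Settings>Bindings>Ports. The script below is an added example for checking that behaviour from the outside, written for this thread and not SmarterTools code. It uses openssl s_client once with the -servername extension and once with -noservername (OpenSSL 1.1.1 or newer, where s_client otherwise sends SNI by default) and prints the CN of the leaf certificate presented in each case. The hostnames and ports in the usage lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not SmarterMail/SmarterTools code): compare the certificate a
# mail server presents with SNI against the one it presents without SNI, which
# should be the fallback certificate configured in the port bindings.

# Pull the CN out of a "subject=..." line as printed by `openssl x509 -noout -subject`.
# Handles both the "subject=CN = host, O = Org" form (OpenSSL 1.1+) and the older
# "subject= /C=US/CN=host" form. Reads stdin, prints the CN (first match only).
cert_cn() {
  sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print the CN of the leaf certificate a server presents.
#   $1 = host to connect to   $2 = port
#   $3 = SNI name to send (empty string = send no SNI at all)
#   $4 = STARTTLS protocol for openssl s_client (smtp, imap, pop3) or empty for implicit TLS
# Requires OpenSSL 1.1.1+ for -noservername.
presented_cert() {
  host=$1; port=$2; sni=$3; starttls=$4
  set -- -connect "$host:$port"
  if [ -n "$sni" ]; then
    set -- "$@" -servername "$sni"
  else
    set -- "$@" -noservername
  fi
  if [ -n "$starttls" ]; then
    set -- "$@" -starttls "$starttls"
  fi
  openssl s_client "$@" </dev/null 2>/dev/null | openssl x509 -noout -subject | cert_cn
}

# Report both results for one host/port. The "without SNI" line is what a
# non-SNI MX peer will see, i.e. the bindings fallback certificate.
check_server() {
  with=$(presented_cert "$1" "$2" "$1" "$3")
  without=$(presented_cert "$1" "$2" "" "$3")
  echo "$1:$2 with SNI:    ${with:-<no certificate / connection failed>}"
  echo "$1:$2 without SNI: ${without:-<no certificate / connection failed>}"
}

# Usage (hostnames and ports are illustrative assumptions, not from the thread):
#   check_server mail.domain1.com 993          # IMAPS, implicit TLS
#   check_server mail.domain1.com 995          # POP3S, implicit TLS
#   check_server mail.domain1.com 587 smtp     # SMTP submission via STARTTLS
#   check_server mail.domain2.com 465          # SMTPS; with SNI should show domain2's cert
```

If "with SNI" shows the per-domain certificate and "without SNI" shows the system hostname's certificate, the folder-based SNI lookup and the bindings fallback are both doing what the replies above describe. If both lines show the same fallback certificate, the per-domain certificate was not found in the certificates folder for that name.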
Patrick Jeski Replied
Just to clarify, automatic certificates don’t have to be configured. I have this working fine with CertifyTheWeb placing my certs in the configured SmarterMail certificates folder, they are used for SNI. 