You can edit each port and select SSL or TLS, the port number will change automatically if applicable.

If the client uses SNI, the correct cert should be chosen automatically. If the client doesn't use SNI, the cert you manually configured is the backup.

Hi Harland, I'd be happy to help clarify here. First, SSL/TLS isn't set up by default because it requires administrator involvement currently, and isn't necessary in all deployments. We have quite a few customers who use SmarterMail in an offline environment which won't even support SSL, so this is available as an option above and beyond the defaults. 

As Patrick pointed out - the certificate selection you're doing in Settings>Bindings>Ports is a "fall-back" certificate in that this PFX will only be selected for STARTTLS/SSL IF a better certificate isn't found in the certificates directory as part of our SNI implementation. Usually I instruct customers to set this fallback cert as the system level hostname's SSL certificate so that if a client tries to connect on a domain that does not yet have SSL, they'll at least be able to continue the secure connectivity using your main hostname. 

I hope that helps!

I'm trying to understand this myself.

So, if I'm using the automatic certificates, then I don't need to setup port bindings for SSL  (IMAP/S, STMPS, etc.) because its all taken care of automagically in the background?

Yes you still do need to setup the cert in bindings. Non-SNI MX connections are common. And also, it doesn’t matter whether the cert are automatic or not, the feature still works. 

The cert setup in bindings is used as a last-resort, if we don't find a matching cert in the automatic certificates area (or its not configured) we will then use the one in bindings. 

Like Patrick mentioned, sometimes during SMTP the server talking to us won't use SNI, so we have no way of knowing which cert should be used and thus it will use the one in bindings.

I could see the potential for moving away from the cert in bindings and then picking or adding a cert in the automatic area and then designate it as the "default", we'd be able to migrate this automatically for current installs.

Just to clarify, automatic certificates don’t have to be configured. I have this working fine with CertifyTheWeb placing my certs in the configured SmarterMail certificates folder, they are used for SNI.