Back to Community Threads
SSL PFX installed but the url is not secured // smartermail with ubuntu
Problem reported by AGUEMOUN Mohamed Amine - 4/18/2025 at 5:37 AM
Submitted
hello team 

i have installed smartermail with ubuntu 24 LTS , but after exporting the ssl pfx format the URL could not be secured : 


total 4
drwxr-xr-x  7 root root   84 Apr 14 14:46 ./
drwxr-xr-x  3 root root   25 Apr 14 14:03 ../
drwxr-xr-x  2 root root   69 Apr 17 17:49 Certificates/
drwxr-xr-x  3 root root   34 Apr 17 17:45 Domains/
drwxr-xr-x  2 root root 4096 Apr 18 01:39 Logs/
drwxr-xr-x  2 root root    6 Apr 14 14:03 Quarantine/
drwxr-xr-x 13 root root  188 Apr 17 17:45 Spool/
@smartermail:/var/data/smartermail# date
Fri Apr 18 12:35:12 PM UTC 2025

till now it cannot be work !! 

tcp        0      0 127.0.1.1:5222          0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:143           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:110           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.1.1:143           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.1.1:25            0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.1.1:110           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.1.1:389           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.1.1:587           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      117532/sshd: smarte
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:5222          0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      1084/systemd-resolv
tcp        0      0 10.250.8.182:587        0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 10.250.8.182:143        0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 10.250.8.182:25         0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 10.250.8.182:110        0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 10.250.8.182:389        0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 10.250.8.182:5222       0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1084/systemd-resolv
tcp6       0      0 fe80::250:56ff:fea4:389 :::*                    LISTEN      116843/MailService
tcp6       0      0 fe80::250:56ff:fea4:110 :::*                    LISTEN      116843/MailService
tcp6       0      0 fe80::250:56ff:fea4::25 :::*                    LISTEN      116843/MailService
tcp6       0      0 fe80::250:56ff:fea4:143 :::*                    LISTEN      116843/MailService
tcp6       0      0 fe80::250:56ff:fea4:587 :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:6010                :::*                    LISTEN      117532/sshd: smarte
tcp6       0      0 ::1:5222                :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:587                 :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:110                 :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:25                  :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:143                 :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:389                 :::*                    LISTEN      116843/MailService
tcp6       0      0 fe80::250:56ff:fea:5222 :::*                    LISTEN      116843/MailService
tcp6       0      0 :::22                   :::*                    LISTEN      1/init
udp        0      0 127.0.0.54:53           0.0.0.0:*                           1084/systemd-resolv
udp        0      0 127.0.0.53:53           0.0.0.0:*                           1084/systemd-resolv


can anyone help us on this ?
br
Tony Scholz Replied
4/18/2025 at 9:13 AM
Employee Post
Hello, 

Are you using the built-in web server(kestral)? If so, you will want to make sure that the certificates are stored in the mapped folder and secured with the password provided.

To find the Certificates folder and password, you will want to go to Settings -> SSL Certificates -> Options [tab] -> Options [card]


The cert files

tree /var/lib/smartermail/Certificates/
/var/lib/smartermail/Certificates/
├── autodiscover.tony.smartermail.io.pfx
├── certificates.jsonl
├── mail.tony.smartermail.io.pfx
├── tony.smartermail.io.key
└── tony.smartermail.io.pfx

1 directory, 5 files

Then using NMAP to test

nmap --script ssl-cert tony.smartermail.io -p443
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-18 09:13 MST
Nmap scan report for tony.smartermail.io (68.15.153.37)
Host is up (0.00035s latency).
rDNS record for 68.15.153.37: wsip-68-15-153-37.ph.ph.cox.net

PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=tony.smartermail.io
| Subject Alternative Name: DNS:tony.smartermail.io
| Issuer: commonName=E5/organizationName=Let's Encrypt/countryName=US
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA384
| Not valid before: 2025-02-21T21:24:42
| Not valid after:  2025-05-22T21:24:41
| MD5:   9dfa:d15b:6780:1b26:bc9e:125e:8e33:39ce
|_SHA-1: 7d6b:97c3:08f9:0bbc:a928:1083:d59b:6d30:c018:426a

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
AGUEMOUN Mohamed Amine Replied
4/18/2025 at 1:09 PM
hello tony 

yes i'm using the built in web server smartermail : 

 tree var/lib/smartermail/Certificates/
var/lib/smartermail/Certificates/
├── certificates.jsonl
└── icosnethost.pfx

1 directory, 2 files


but still the url is not secured via https


below nmap shows that there is no SSL cover : 

 
nmap --script ssl-cert  -p443
Starting Nmap 7.94SVN at 2025-04-18 21:03 CET
Nmap scan report for smail_icosnethosting_com (197.140.16.182)
Host is up (0.0013s latency).

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds

you help will be appreciated , 

the certificate authority is sectigo , the url used to generate the pfx is  interssl_com then the certificate was imported from my windows laptop directly to smartermail via web interface 

we will launch the service this sunday and we still have this issue ,

br
AGUEMOUN Mohamed Amine Replied
4/18/2025 at 1:36 PM
 
l:/# openssl pkcs12 -info -in var/lib/smartermail/Certificates/icosnethost.pfx -nodes
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 89 1A 50 9A 31 AC 2A 68 6E A1 63 07 63 A1 C1 FA 34 0C 11 6E
subject=CN = *.icosnethosting.com
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
N
Nathan Replied
4/18/2025 at 1:44 PM
It does not work with wildcard certificates - we found this out earlier this year. I should probably have reported it to support.

As soon as we switched to non-wildcard certificates from the same CA they started working. (Sectigo like you).

We encountered this on Debian 12, though the issue appears to the SM rather than OS related.
AGUEMOUN Mohamed Amine Replied
4/18/2025 at 1:50 PM
hello nathan 

thank you for your response 

what about windows server environement ? did this work ?

appending your reply 

best regards 
N
Nathan Replied
4/18/2025 at 4:20 PM
We migrated from an older version to the latest Linux compatible builds so I cannot say if the wildcard certificate issue was specific to running the latest build in general or if it Linux specific. On the older version (the last non-Linux compatible) we used wildcard certificates for years without problems but this is IIS based rather than Kestrel.

It would be good if anyone else can confirm if they are using a wildcard cert (via a pfx) with the Linux builds.
AGUEMOUN Mohamed Amine Replied
4/18/2025 at 4:58 PM
hello nathan 

thank you so much for your response , i don't know if @tony could help us on this ,

are you using smartermail for your customers (shared mail hosting) or just for the entreprise ?

since we will launch the service to our customers this week , it will be better to deploy it in windows environnement since lot of are exploring wildcards certificate ,

if any one else could help we will appreciate it , 

br 
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Manually Securing SmarterMail Using Let's Encrypt and Certify the WebSmarterMail > Installation and Configuration
Automatic SSL Certificates on a New SmarterMail ServerSmarterMail > Server Configuration and Management
SmarterMail for Linux – SSL/TLS & Certificate ReferenceSmarterMail > Server Configuration and Management
Configure an Alternative Linux Web Server for SmarterMailSmarterMail > Server Configuration and Management