SSL PFX installed but the url is not secured // smartermail with ubuntu
Problem reported by AGUEMOUN Mohamed Amine - Yesterday at 5:37 AM
Submitted
Hello team,

I have installed SmarterMail with Ubuntu 24 LTS, but after exporting the SSL certificate in PFX format the URL could not be secured:


total 4
drwxr-xr-x  7 root root   84 Apr 14 14:46 ./
drwxr-xr-x  3 root root   25 Apr 14 14:03 ../
drwxr-xr-x  2 root root   69 Apr 17 17:49 Certificates/
drwxr-xr-x  3 root root   34 Apr 17 17:45 Domains/
drwxr-xr-x  2 root root 4096 Apr 18 01:39 Logs/
drwxr-xr-x  2 root root    6 Apr 14 14:03 Quarantine/
drwxr-xr-x 13 root root  188 Apr 17 17:45 Spool/
@smartermail:/var/data/smartermail# date
Fri Apr 18 12:35:12 PM UTC 2025

Until now it still does not work!!

tcp        0      0 127.0.1.1:5222          0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:143           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:110           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.1.1:143           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.1.1:25            0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.1.1:110           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.1.1:389           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.1.1:587           0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      117532/sshd: smarte
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.1:5222          0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      1084/systemd-resolv
tcp        0      0 10.250.8.182:587        0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 10.250.8.182:143        0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 10.250.8.182:25         0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 10.250.8.182:110        0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 10.250.8.182:389        0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 10.250.8.182:5222       0.0.0.0:*               LISTEN      116843/MailService
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1084/systemd-resolv
tcp6       0      0 fe80::250:56ff:fea4:389 :::*                    LISTEN      116843/MailService
tcp6       0      0 fe80::250:56ff:fea4:110 :::*                    LISTEN      116843/MailService
tcp6       0      0 fe80::250:56ff:fea4::25 :::*                    LISTEN      116843/MailService
tcp6       0      0 fe80::250:56ff:fea4:143 :::*                    LISTEN      116843/MailService
tcp6       0      0 fe80::250:56ff:fea4:587 :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:6010                :::*                    LISTEN      117532/sshd: smarte
tcp6       0      0 ::1:5222                :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:587                 :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:110                 :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:25                  :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:143                 :::*                    LISTEN      116843/MailService
tcp6       0      0 ::1:389                 :::*                    LISTEN      116843/MailService
tcp6       0      0 fe80::250:56ff:fea:5222 :::*                    LISTEN      116843/MailService
tcp6       0      0 :::22                   :::*                    LISTEN      1/init
udp        0      0 127.0.0.54:53           0.0.0.0:*                           1084/systemd-resolv
udp        0      0 127.0.0.53:53           0.0.0.0:*                           1084/systemd-resolv


Can anyone help us with this?
br


7 Replies

0
Tony Scholz Replied
Employee Post
Hello, 

Are you using the built-in web server (Kestrel)? If so, you will want to make sure that the certificates are stored in the mapped folder and secured with the password provided.

To find the Certificates folder and password, you will want to go to Settings -> SSL Certificates -> Options [tab] -> Options [card]


The cert files

tree /var/lib/smartermail/Certificates/
/var/lib/smartermail/Certificates/
├── autodiscover.tony.smartermail.io.pfx
├── certificates.jsonl
├── mail.tony.smartermail.io.pfx
├── tony.smartermail.io.key
└── tony.smartermail.io.pfx

1 directory, 5 files

Then using NMAP to test

nmap --script ssl-cert tony.smartermail.io -p443
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-18 09:13 MST
Nmap scan report for tony.smartermail.io (68.15.153.37)
Host is up (0.00035s latency).
rDNS record for 68.15.153.37: wsip-68-15-153-37.ph.ph.cox.net

PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=tony.smartermail.io
| Subject Alternative Name: DNS:tony.smartermail.io
| Issuer: commonName=E5/organizationName=Let's Encrypt/countryName=US
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA384
| Not valid before: 2025-02-21T21:24:42
| Not valid after:  2025-05-22T21:24:41
| MD5:   9dfa:d15b:6780:1b26:bc9e:125e:8e33:39ce
|_SHA-1: 7d6b:97c3:08f9:0bbc:a928:1083:d59b:6d30:c018:426a

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
0
AGUEMOUN Mohamed Amine Replied
Hello Tony,

Yes, I'm using the SmarterMail built-in web server:

 tree var/lib/smartermail/Certificates/
var/lib/smartermail/Certificates/
├── certificates.jsonl
└── icosnethost.pfx

1 directory, 2 files


But the URL is still not secured via HTTPS.


The nmap output below shows that there is no SSL cover:

 
nmap --script ssl-cert  -p443
Starting Nmap 7.94SVN at 2025-04-18 21:03 CET
Nmap scan report for smail_icosnethosting_com (197.140.16.182)
Host is up (0.0013s latency).

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds

Your help will be appreciated.

The certificate authority is Sectigo, the URL used to generate the PFX is interssl_com, then the certificate was imported from my Windows laptop directly to SmarterMail via the web interface.

We will launch the service this Sunday and we still have this issue.

br







0
AGUEMOUN Mohamed Amine Replied
l:/# openssl pkcs12 -info -in var/lib/smartermail/Certificates/icosnethost.pfx -nodes
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 89 1A 50 9A 31 AC 2A 68 6E A1 63 07 63 A1 C1 FA 34 0C 11 6E
subject=CN = *.icosnethosting.com
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
0
Nathan Replied
It does not work with wildcard certificates - we found this out earlier this year. I should probably have reported it to support.

As soon as we switched to non-wildcard certificates from the same CA they started working. (Sectigo like you).

We encountered this on Debian 12, though the issue appears to be SM rather than OS related.
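A way to read `openssl pkcs12 -info` output like that posted above for the things a TLS listener depends on, together with the wildcard name rule discussed in this reply. This is an added example, not part of the thread and not SmarterMail code; the sample output, the host names and the function names are constructed for illustration.

```python
import re

# Constructed sample shaped like `openssl pkcs12 -info -nodes` output (PEM bodies omitted).
SAMPLE = """\
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 01 02 03 04
subject=CN = *.example.test
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    localKeyID: 01 02 03 04
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
"""

def name_covers(pattern, host):
    """Wildcard rule: '*' is the whole left-most label and spans one label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def inspect_pfx_info(text, host):
    """Summarise the output for what a TLS listener needs from a PFX."""
    cert_ids, key_ids, bag = set(), set(), None
    for line in text.splitlines():
        if line.startswith("Certificate bag"):
            bag = cert_ids
        elif line.startswith(("Shrouded Keybag", "Key bag")):
            bag = key_ids
        elif "localKeyID:" in line and bag is not None:
            bag.add(line.split(":", 1)[1].strip())
    # pkcs12 -info prints only the subject; clients match on SAN, so treat as a hint.
    subjects = [s.strip() for s in re.findall(r"^subject=.*?CN\s*=\s*([^,\n]+)", text, re.M)]
    pbe = re.findall(r"^(?:PKCS7 Encrypted data|Shrouded Keybag): ([^,\n]+)", text, re.M)
    return {
        "has_private_key": "PRIVATE KEY-----" in text,
        "key_matches_cert": bool(cert_ids & key_ids),
        "weak_pbe": [a for a in pbe if "40BitRC2" in a],  # 40-bit RC2 protection
        "subjects": subjects,
        "covers_host": any(name_covers(s, host) for s in subjects),
    }
```

Feed it the combined stdout and stderr of the `openssl pkcs12 -info` command; a result with `has_private_key` false means the file holds only certificates and cannot back an HTTPS binding.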
0
AGUEMOUN Mohamed Amine Replied
Hello Nathan,

Thank you for your response.

What about the Windows Server environment? Did this work?

appending your reply 

best regards 
1
Nathan Replied
We migrated from an older version to the latest Linux compatible builds so I cannot say if the wildcard certificate issue was specific to running the latest build in general or if it is Linux specific. On the older version (the last non-Linux compatible) we used wildcard certificates for years without problems but this is IIS based rather than Kestrel.

It would be good if anyone else can confirm if they are using a wildcard cert (via a pfx) with the Linux builds.
0
AGUEMOUN Mohamed Amine Replied
Hello Nathan,

Thank you so much for your response. I don't know if @tony could help us on this.

Are you using SmarterMail for your customers (shared mail hosting) or just for the enterprise?

Since we will launch the service to our customers this week, it will be better to deploy it in a Windows environment, since a lot of them are exploring wildcard certificates.

If anyone else could help, we will appreciate it.

br 
