Configure SSL/TLS to Secure SmarterMail

This article applies to recent versions of SmarterMail. View articles for SmarterMail 15.x and earlier.

SSL/TLS are security protocols that allows the transmission of data to be encrypted. This allows users to access email through a third-party email client without the fear that someone has intercepted their data. SSL will encrypt the connection immediately upon connection. TLS will encrypt once the STARTTLS command is sent. TLS will need to be set up over port 25, 110, 143 and SSL over ports 465, 993, and 995.

NOTE: This article assumes you have obtained a copy of the certificate from your SSL provider and have installed it on your server within your certificate stores personal folder. If you have not done this, please do so prior to following the directions below.

Prior to configuring SmarterMail to be secured over SSL or TLS, the SSL certificate installed on the server must first be exported to a CER or PFX file that is password protected and contains the certificates private key information. (NOTE: PFX is recommended as it tends to be less problematic -- just make sure the password is extremely secure as PFX contains more information than a CER.)

Follow these steps to export your SSL certificate to a PFX certificate file (the process for CER is similar):

  1. Open up Microsoft Management Console (MMC)
  2. CTRL + M to add new Snap In -> Certificates -> Select Local Computer
  3. Expand Personal
  4. Expand Certificates
  5. Right click the Desired Certificate, select All Tasks -> Export
  6. In the new window that pops up Hit Next
  7. Select Yes, Export the Private Key and hit Next
  8. Enter in the desired password and hit next.
  9. Ensure Personal Information Exchange -PKCS #12 (PFX) is checked and also include all certificates in the certification path if possible and select next
  10. Enter in the path and name where you would like the certificate saved such as C:\SmarterMail\Certificates\mail.domain.com.pfx and click finish.

Follow these steps to add a port to listen over SSL or TLS:

  1. Log in to SmarterMail as the system administrator.
  2. Click the Settings icon.
  3. Click Bindings in the navigation pan and click the Ports tab.
  4. Click New in the content pane.
  5. Complete the following required fields: Protocol, Encryption (SSL or TLS), Name, Port, Certificate Path and password. All other fields are optional.
  6. Select the IP Address for the port to listen on.
  7. Click Save.

NOTE: Using similar steps as above, modify your existing standard ports (25, 110, 143, etc) to be encrypted with SSL or TLS.  

It is possible to secure the SmarterMail ports for different domains\certificates as well. The ports can be secured in two ways, one requiring a Unified Communications Certificate (UCC) and one method requires a unique IP address for each domain. 

  • For UCC configurations, the certificate can be configured to secure a variety of hostnames within it's SAN field, for example mail.domainA.com, mail.domainB.com, mail.domainC.com, etc. This certificate can then be exported following the instructions above and configured within SmarterMail to secure multiple domains.
  • If there are unique IP addresses assigned for each domain, each domain would need to have their own unique set of ports tied to the proper certificate and IP for the domain in question. For example, the administrator will need to create a set of port mappings for 25 (TLS), 110 (TLS), 143 (TLS), 465 (SSL), 993 (SSL), 995 (SSL), when creating these ports make sure to add a description to indicate which domain these port mappings belong to and point these ports to the proper certificate location. Next, these ports would need to be configured to listen on the IP Address assigned to the domain being configured. This process will need to be repeated for each Domain\IP that needs to be secured for the given domain.
Learn more about SmarterMail's enterprise email features and benefits.

Feedback

Hi - this has always confused me - The certificate - what domain does it need to be in? Or can you get a certificate for the IP Address??
Gary Hanley (11/24/2014 at 1:35 AM)
Gary,

The certificate is applied to the server itself within the Certificate Store for the local computer account. There is no specific domain that the certificate needs to reside under.

You can register this certificate for any valid FQDN. So for example, we have many customers who utilize a secure.domain.com DNS record and purchase a standard SSL certificate for secure.domain.com. They then tie this certificate within SmarterMail and for their clients that need SSL\TLS access they would then point them to secure.domain.com for SMTP\POP\IMAP over SSL\TLS.

Once the certificate has been installed onto your server after obtaining a copy from your SSL certificate provider you will want to follow the instructions for exporting the certificate into a base-64 formatted .cer file.

This CER file is then tied to your SmarterMail SSL ports that you configure under Settings -> Bindings -> Ports

You can then tie these SSL ports to specific IP addresses under Settings -> Bindings -> IP Addresses.

I hope this helps.

Von-Austin See (11/24/2014 at 8:12 AM)
Hey there, I exactly followed the steps above to get the certificate. As I would to install it in SM Enterprise 14.x, the System gives the message, that the path from the certificate file wasn't found. I attemped to use various filepaths, but the System continues to believe that there is no file.

What do I wrong?

Thanks for your help
Marcus

Win Server 2008 R2 Datacenter

Marcus Wollong (10/22/2017 at 9:14 AM)
Hi Marcus! Please ensure the account responsible for running the SmarterMail application pool within IIS has full control over the directory the certificate was placed in. Typically that would be 'Network Service', if you followed the steps above or used the install tool.
Andrea Free (10/24/2017 at 1:34 PM)
I am also having no luck with certificates in SM 16. I had no problem following the above instructions exactly, with no errors. However, once the certificate is applied as instructed, no mail can be retrieved using any secure method (POP3/IMAP - SSL/TLS).The same certificate works perfectly in securing a website. I also tried using a mail specific certificate, as suggested, and it made no difference.

mail.marvelous.com

Neil Colvin (12/6/2017 at 10:32 AM)
Neil,

You'll want to ensure the PFX file you exported does contain a valid private key. You can also install the OpenSSL binaries on a Windows machine and test the secure connections directly by leveraging the following commands:

If you wish to connect to a server using SSL, you can use openssl with the following command (note the default port is 465, not 25):

openssl s_client -crlf -connect remoteserver.com:465

To connect to your server using TLS, use the following:

SMTP: openssl s_client -starttls smtp -crlf -connect remoteserver.com:25
POP3: openssl s_client -starttls pop3 -crlf -connect remoteserver.com:110
IMAP: openssl s_client -starttls imap -crlf -connect remoteserver.com:143

If the handshake is failing, there's likely an issue with the certificates private key. If you were to open a ticket with our support department we should be able to get you up and running fairly quickly.

I hope this helps.

Von-Austin See (12/18/2017 at 10:54 AM)
Hi, I have setup SSL on my SM 16.x but having problem when the email cannot login to mail client using SSL. When I try login with non SSL it works fine. We checked the port like 993, 995, 143 and 465 is up.

Any idea in this issue what should I do?

Tech GB (4/22/2020 at 9:10 AM)
Did you fix your problem, or do you still need help?
Seph Parshall (5/28/2020 at 12:05 AM)
Hi, I have setup as the instructions on my SM 16.x but on checking through mxtoolbox.com, I get:
Warning - Does not support TLS.
What am I doing wrong, mails are sending and receiving ok, but I'm concerned they aren't secure?
Ports are open, SSL is installed and linked to in SM.
Thanks

YS Tech (4/22/2021 at 5:43 AM)
Hi,
How will the domain alias is secured with the ssl certificate for the main domain.
Thanks
RR

Ravi Reddy (11/12/2021 at 10:05 PM)
I had the same issue, installed everything and TLS wasn't working. The confusion is that if your site is already running, you shouldn't add NEW ports, just CHANGE the ports you already have and add the TLS certificate to them. I had two binding for each port, one unsecured and one with TLS. After deleting the unsecured ports, everything works fine...

Had to piece things together from multiple solutions for multiple versions of SM. :(

The port list https://portal.smartertools.com/kb/a2838/commonly-used-ports-for-smartermail.aspx

Jim Miles (12/11/2021 at 4:55 AM)