SSL and TLS are security protocols that allow data to be encrypted in transit. This lets users access email through a third-party email client without fear that someone has intercepted their data. SSL encrypts the connection immediately upon connection. TLS encrypts once the STARTTLS command is sent. TLS needs to be set up over ports 25, 110, and 143, and SSL over ports 465, 993, and 995.
NOTE: This article assumes you have obtained a copy of the certificate from your SSL provider and have installed it on your server within the certificate store's Personal folder. If you have not done this, please do so prior to following the directions below.
Prior to configuring SmarterMail to be secured over SSL or TLS, the SSL certificate installed on the server must first be exported to a CER or PFX file that is password protected and contains the certificate's private key information. (NOTE: PFX is recommended as it tends to be less problematic -- just make sure the password is extremely secure, as PFX contains more information than a CER.)
Follow these steps to export your SSL certificate to a PFX certificate file (the process for CER is similar):
- Open Microsoft Management Console (MMC).
- Press CTRL + M to add a new snap-in -> Certificates -> select Local Computer.
- Expand Personal.
- Expand Certificates.
- Right-click the desired certificate and select All Tasks -> Export.
- In the new window that pops up, hit Next.
- Select Yes, Export the Private Key and hit Next.
- Enter the desired password and hit Next.
- Ensure Personal Information Exchange - PKCS #12 (PFX) is checked, include all certificates in the certification path if possible, and select Next.
- Enter the path and name where you would like the certificate saved, such as C:\SmarterMail\Certificates\mail.domain.com.pfx, and click Finish.
Follow these steps to add a port to listen over SSL or TLS:
- Log in to SmarterMail as the system administrator.
- Click the Settings icon.
- Click Bindings in the navigation pane and click the Ports tab.
- Click New in the content pane.
- Complete the following required fields: Protocol, Encryption (SSL or TLS), Name, Port, Certificate Path and Password. All other fields are optional.
- Select the IP Address for the port to listen on.
- Click Save.
NOTE: Using steps similar to those above, modify your existing standard ports (25, 110, 143, etc.) to be encrypted with SSL or TLS.
It is possible to secure the SmarterMail ports for different domains\certificates as well. The ports can be secured in two ways: one requires a Unified Communications Certificate (UCC), and the other requires a unique IP address for each domain.
- For UCC configurations, the certificate can be configured to secure a variety of hostnames within its SAN field, for example mail.domainA.com, mail.domainB.com, mail.domainC.com, etc. This certificate can then be exported following the instructions above and configured within SmarterMail to secure multiple domains.
- If there are unique IP addresses assigned for each domain, each domain needs its own unique set of ports tied to the proper certificate and IP for the domain in question. For example, the administrator will need to create a set of port mappings for 25 (TLS), 110 (TLS), 143 (TLS), 465 (SSL), 993 (SSL), and 995 (SSL). When creating these ports, make sure to add a description to indicate which domain the port mappings belong to, and point the ports to the proper certificate location. Next, these ports need to be configured to listen on the IP address assigned to the domain being configured. This process will need to be repeated for each Domain\IP that needs to be secured.
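An added example, not part of the original article or SmarterMail's own tooling: a Python check, run from a client machine, that negotiates TLS on each of the six ports in the mode the article assigns to it and reports which hostnames the presented certificate's SAN entries do not cover. The function names and the simplified wildcard rule are assumptions of this example.

```python
import imaplib, poplib, smtplib, socket, ssl, sys
# Port plan from the article: STARTTLS ("TLS") on 25/110/143, implicit SSL on 465/993/995.
PORT_PLAN = {25: ("smtp", "starttls"), 110: ("pop3", "starttls"), 143: ("imap", "starttls"),
             465: ("smtp", "implicit"), 993: ("imap", "implicit"), 995: ("pop3", "implicit")}

def peer_cert(host, port, timeout=10):
    """Negotiate TLS as the port's mode requires and return the validated certificate."""
    proto, mode = PORT_PLAN[port]
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    if mode == "implicit":
        with socket.create_connection((host, port), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    if proto == "smtp":
        with smtplib.SMTP(host, port, timeout=timeout) as client:
            client.starttls(context=ctx)
            return client.sock.getpeercert()
    if proto == "pop3":
        client = poplib.POP3(host, port, timeout=timeout)
        try:
            client.stls(context=ctx)
            return client.sock.getpeercert()
        finally:
            client.close()
    client = imaplib.IMAP4(host, port)
    try:
        client.starttls(ssl_context=ctx)
        return client.sock.getpeercert()
    finally:
        client.shutdown()

def san_covers(hostname, sans):
    """Exact match, or a '*.' entry matching exactly one left-most label (simplified rule)."""
    host = hostname.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    return any(s.lower() == host or (s.startswith("*.") and s[2:].lower() == parent)
               for s in sans)

def uncovered(hostnames, cert):
    """Hostnames that the certificate's DNS SAN entries do not cover."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in hostnames if not san_covers(h, sans)]

if __name__ == "__main__" and len(sys.argv) > 1:
    for port in sorted(PORT_PLAN):
        try:
            print(port, "ok; not covered:", uncovered(sys.argv[1:], peer_cert(sys.argv[1], port)))
        except (OSError, smtplib.SMTPException, poplib.error_proto, imaplib.IMAP4.error) as exc:
            print(port, PORT_PLAN[port][1], "FAILED:", exc)
```

Pass the hostname to connect to first, followed by any other hostnames the UCC certificate is expected to cover.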