Configure SSL/TLS to Secure SmarterMail

This article applies to recent versions of SmarterMail. View articles for SmarterMail 15.x and earlier.

SSL/TLS are security protocols that encrypt data in transit, so users can access email through a third-party email client without fear that someone has intercepted their data. SmarterMail uses the two terms for the two ways a connection becomes encrypted: with SSL (implicit TLS) the connection is encrypted immediately upon connection; with TLS (STARTTLS) the connection begins in plain text and is encrypted once the client sends the STARTTLS command (STLS for POP3). TLS is therefore set up on the standard ports 25, 110 and 143, and SSL on the dedicated ports 465, 993 and 995.

NOTE: This article assumes you have obtained a copy of the certificate from your certificate authority and installed it, together with its private key, in the Local Computer certificate store's Personal folder on the server. If you have not done this, please do so prior to following the directions below.

Prior to configuring SmarterMail to be secured over SSL or TLS, the SSL certificate installed on the server must first be exported to a password-protected PFX file that contains the certificate's private key.
Follow these steps to export your SSL certificate to a PFX certificate file:
  1. Open Microsoft Management Console (mmc.exe).
  2. Press CTRL + M to add a snap-in, choose Certificates, then select Computer account and Local computer.
  3. Expand Personal.
  4. Expand Certificates.
  5. Right-click the desired certificate and select All Tasks -> Export.
  6. In the Certificate Export Wizard that opens, click Next.
  7. Select Yes, export the private key, and click Next. (If this option is greyed out, the certificate in the store has no private key or the key was imported as non-exportable; the resulting file cannot be used by SmarterMail until that is corrected.)
  8. Ensure Personal Information Exchange - PKCS #12 (.PFX) is selected, check Include all certificates in the certification path if possible, and click Next.
  9. Enter the desired password and click Next.
  10. Enter the path and file name where you would like the certificate saved, such as C:\SmarterMail\Certificates\mail.domain.com.pfx, and click Finish.
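The same export done from PowerShell, as an added example that is not part of the SmarterTools article: it locates the certificate in the Local Computer Personal store, checks that the private key is present, exports a password-protected PKCS #12 file with the issuing chain, re-opens the file to confirm the key survived the export, and grants the service account read access to the folder. The host name mail.domain.com, the output path and the account NT AUTHORITY\NETWORK SERVICE are assumptions; Export-PfxCertificate is available on Windows Server 2012 / Windows 8 and later.

```powershell
# Added example, not SmarterTools code: the export steps above done from PowerShell.
# Assumptions: the certificate covers mail.domain.com, the output folder, and the
# account the SmarterMail service / IIS application pool runs as.
$hostName   = 'mail.domain.com'
$pfxPath    = 'C:\SmarterMail\Certificates\mail.domain.com.pfx'
$svcAccount = 'NT AUTHORITY\NETWORK SERVICE'

# 1. Find the certificate in Local Computer > Personal (Cert:\LocalMachine\My). It must
#    carry its private key here; a certificate imported from a .cer/.crt alone cannot be
#    exported to PFX (the "Yes, export the private key" option is greyed out in MMC).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   (($_.DnsNameList.Unicode -contains $hostName) -or ($_.Subject -like "*CN=$hostName*")) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $hostName in Cert:\LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date).AddDays(14)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires $($cert.NotAfter)"
}

# 2. Export as password-protected PKCS #12 with the private key and the issuing chain.
#    Prompting keeps the password out of the command history.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# 3. Verify the file opens with that password and still contains the private key; a PFX
#    without the key is a common cause of the "invalid certificate" error in a port binding.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)
if (-not $check.HasPrivateKey) { throw "$pfxPath does not contain the private key" }

# 4. The service account must be able to read the file; grant Read on the folder rather
#    than widening permissions on the certificate store or the whole drive.
$folder = Split-Path $pfxPath
$acl    = Get-Acl $folder
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
              $svcAccount, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

"Exported $($check.Thumbprint) ($($check.Subject)) to $pfxPath; enter this path and the password under Settings -> Bindings -> Ports."
```

Read access on the folder is all the service needs to load the file; if SmarterMail runs under a dedicated account instead of Network Service, substitute that account in $svcAccount.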

Follow these steps to add a port that listens over SSL or TLS:

  1. Log in to SmarterMail as the system administrator.
  2. Click the Settings icon.
  3. Click Bindings in the navigation pane and click the Ports tab.
  4. Click New in the content pane.
  5. Complete the following required fields: Protocol, Encryption (SSL or TLS), Name, Port, Certificate Path and Password. All other fields are optional.
  6. Select the IP address for the port to listen on.
  7. Click Save.

NOTE: Using similar steps, modify your existing standard ports (25, 110, 143, etc.) to be encrypted with TLS. Because the TLS option uses STARTTLS, those ports keep accepting plain-text connections from clients and other mail servers that have not been configured for encryption, and upgrade only when the STARTTLS command is sent; use SSL only on the dedicated ports 465, 993 and 995.

It is also possible to secure SmarterMail ports with different certificates for different domains. This can be done in two ways: one requires a Unified Communications Certificate (UCC), the other requires a unique IP address for each domain.

  • For UCC configurations, the certificate can be issued to secure a number of hostnames listed in its Subject Alternative Name (SAN) field, for example mail.domainA.com, mail.domainB.com, mail.domainC.com, etc. This certificate can then be exported following the instructions above and configured within SmarterMail on a single set of ports to secure all of those domains.
  • If each domain has its own IP address, each domain needs its own set of ports tied to the certificate and IP address for that domain. For example, the administrator creates a set of port mappings for 25 (TLS), 110 (TLS), 143 (TLS), 465 (SSL), 993 (SSL) and 995 (SSL); when creating these ports, add a description indicating which domain the mappings belong to, and point them to that domain's certificate file. Next, configure these ports to listen only on the IP address assigned to the domain being configured. Repeat this process for each domain/IP pair that needs to be secured.
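A live check of the bindings configured above, as an added example that is not part of the SmarterTools article: for a port configured with Encryption = SSL the function negotiates TLS immediately; for a port configured with Encryption = TLS it reads the plain-text greeting, sends the protocol's upgrade command (STARTTLS for SMTP and IMAP, STLS for POP3) and only then negotiates. It reports the negotiated protocol version, the certificate the port presented, whether that certificate's names cover the expected host name, and whether the chain builds on the machine running the check. The host name mail.domain.com and the port table are assumptions, and the script needs network access to the mail server; DnsNameList is a property PowerShell (3.0 and later) adds to X509Certificate2 objects.

```powershell
# Added example, not SmarterTools code: live check of SmarterMail "SSL" (implicit TLS)
# and "TLS" (STARTTLS) port bindings. Host names and ports below are assumptions.

function Read-MailLine {
    # Read one CRLF-terminated line byte by byte. A buffered StreamReader could read
    # ahead and swallow bytes that belong to the TLS handshake after STARTTLS.
    param([System.IO.Stream]$Stream)
    $bytes = New-Object System.Collections.Generic.List[byte]
    while (($b = $Stream.ReadByte()) -ge 0) {
        if ($b -eq 10) { break }
        if ($b -ne 13) { $bytes.Add([byte]$b) }
    }
    return [System.Text.Encoding]::ASCII.GetString($bytes.ToArray())
}

function Send-MailLine {
    param([System.IO.Stream]$Stream, [string]$Line)
    $data = [System.Text.Encoding]::ASCII.GetBytes($Line + "`r`n")
    $Stream.Write($data, 0, $data.Length)
    $Stream.Flush()
}

function Test-SmarterMailTls {
    param(
        [Parameter(Mandatory)][string]$ComputerName,                         # host or IP the port is bound to
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][ValidateSet('SMTP','POP3','IMAP')][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('SSL','TLS')][string]$Encryption,  # SmarterMail's own terms
        [string]$ExpectedName = $ComputerName                                # name the certificate must cover
    )
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $client.ReceiveTimeout = 10000
    $net = $client.GetStream()
    try {
        if ($Encryption -eq 'TLS') {
            # STARTTLS mode: plain-text greeting first, then the protocol's upgrade command.
            switch ($Protocol) {
                'SMTP' {
                    do { $greeting = Read-MailLine $net } while ($greeting -like '220-*')
                    Send-MailLine $net 'EHLO tlscheck.invalid'
                    do { $line = Read-MailLine $net } while ($line -like '250-*')
                    Send-MailLine $net 'STARTTLS'
                    $ok = (Read-MailLine $net) -like '220*'
                }
                'POP3' { $greeting = Read-MailLine $net; Send-MailLine $net 'STLS';          $ok = (Read-MailLine $net) -like '+OK*' }
                'IMAP' { $greeting = Read-MailLine $net; Send-MailLine $net 'a001 STARTTLS'; $ok = (Read-MailLine $net) -like 'a001 OK*' }
            }
            if (-not $ok) { throw "$Protocol on port $Port refused STARTTLS (greeting: $greeting)" }
        }
        # Accept any certificate in the callback so a bad one can still be inspected;
        # trust and name match are judged explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($net, $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($ExpectedName)
        $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        # DnsNameList holds the SAN entries (or the CN when there is no SAN); wildcards work with -like.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Endpoint     = "${ComputerName}:$Port $Protocol/$Encryption"
            TlsVersion   = $ssl.SslProtocol
            Subject      = $cert.Subject
            DnsNames     = ($names -join ', ')
            NotAfter     = $cert.NotAfter
            NameMatches  = (@($names | Where-Object { $ExpectedName -like $_ }).Count -gt 0)
            ChainTrusted = $trusted
            ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (assumed host): check the six standard bindings for one domain. For the
# one-IP-per-domain layout, pass that domain's IP as -ComputerName and its mail
# host name as -ExpectedName to confirm the right certificate answers on that IP.
$mailHost = 'mail.domain.com'
$bindings = @(
    @{ Port = 25;  Protocol = 'SMTP'; Encryption = 'TLS' },
    @{ Port = 465; Protocol = 'SMTP'; Encryption = 'SSL' },
    @{ Port = 110; Protocol = 'POP3'; Encryption = 'TLS' },
    @{ Port = 995; Protocol = 'POP3'; Encryption = 'SSL' },
    @{ Port = 143; Protocol = 'IMAP'; Encryption = 'TLS' },
    @{ Port = 993; Protocol = 'IMAP'; Encryption = 'SSL' }
)
$bindings | ForEach-Object { $p = $_; Test-SmarterMailTls -ComputerName $mailHost -ExpectedName $mailHost @p } |
    Format-Table -AutoSize
```

A NameMatches of False with a ChainTrusted of True is the mismatched-certificate case (for example a secure.domain.com certificate serving mail.domain.com), which email clients report as a warning and some sending servers treat as a delivery failure; a handshake exception before any row is printed usually points at the PFX itself rather than at the binding.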

Feedback

This is either missing critical information or SmarterMail 11 is broken. All I get is "Certificate is invalid" even though I use the same multi-domain EV certificate for my other domains without a problem.
Michael Hartmann (September 4, 2013 at 6:38 PM)
Michael - make sure the certificate is exported per the method described by your CA. The multi-domain cert isn't a problem as we have many customers running SmarterMail with standard UCC certs. If you're still having issues, it may be worthwhile to start a support ticket.
Derek Curtis (September 5, 2013 at 1:35 PM)
The TLS description contains a typo. TSL instead of TLS.
Thomas Stensitzki (January 5, 2014 at 7:08 AM)
Thanks. Got it fixed.
Derek Curtis (January 7, 2014 at 1:56 PM)
Any ideas when SM will support TLS 1.2? Currently it seems to do 1.0
Rubal Jain (June 20, 2014 at 5:13 PM)
Hi Rubal,

As a software developer, we have to support as many platforms as possible. A number of customers are still on legacy platforms that don't allow an upgrade to .NET 4.5 so we have to allow for those customers and only offer TLS 1.0. However, we will eventually move to .NET 4.5 only to take advantage of the many improvements available to us as well as to our customers. Once that transition is planned we will be sure to let everyone know.

Andrea Rogers (June 23, 2014 at 9:55 AM)
I think one note missing is that the cert's private key has to be in the Personal folder or when testing the cert it will not work.
J Lee (August 13, 2014 at 12:24 PM)
Thanks J, I've modified the note within the KB article to reflect this.
Von-Austin See (November 24, 2014 at 8:15 AM)
Hi - this has always confused me. The certificate - what domain does it need to be in? Or can you get a certificate for the IP address?
Gary Hanley (November 24, 2014 at 1:35 AM)
Gary,

The certificate is applied to the server itself within the Certificate Store for the local computer account. There is no specific domain that the certificate needs to reside under.

You can register this certificate for any valid FQDN. So for example, we have many customers who utilize a secure.domain.com DNS record and purchase a standard SSL certificate for secure.domain.com. They then tie this certificate within SmarterMail and for their clients that need SSL\TLS access they would then point them to secure.domain.com for SMTP\POP\IMAP over SSL\TLS.

Once the certificate has been installed onto your server after obtaining a copy from your SSL certificate provider you will want to follow the instructions for exporting the certificate into a base-64 formatted .cer file.

This CER file is then tied to your SmarterMail SSL ports that you configure under Settings -> Bindings -> Ports

You can then tie these SSL ports to specific IP addresses under Settings -> Bindings -> IP Addresses.

I hope this helps.

Von-Austin See (November 24, 2014 at 8:12 AM)
Do you need to buy or pay for the certificate? There is some mixed info on this. Please read this: https://luxsci.com/blog/do-i-need-to-buy-an-ssl-certificate-to-use-secure-email.html
Michael Barber (February 11, 2015 at 10:55 AM)
I followed these instructions, but still got stuck when trying to connect via TLS IMAP
It's not made clear you have to have both a TLS port 143 and a standard port 143 bound to the IP address and then select the TLS one
I followed these instructions to solve my problem
https://portal.smartertools.com/community/a2092/thunderbird-fails-using-ssl-tls.aspx

Knud Nexo (May 20, 2015 at 5:52 PM)
Using the instructions in this post, I got TLS and SSL working on a Windows 2003 box under IIS over a year ago. My current ports are viewable at https://charlesworks.com/SmarterMail-Port-Bindings.jpg as they are set up now. If this setup needs alteration please advise.

I moved SmarterMail 13.5 from a Windows 2003 box to a Windows 2011 Essentials box.

Two issues:

1. When the Windows 2011 Essentials box is rebooted, the https://mega.charlesworks.com (running under IIS) serves up a 404 error. I must manually go in to the SmarterMail site management Bindings and select the HTTPS, pretend to edit it, and close so it will work again.

2. SmarterMail is not available over the SSL or TLS ports and is throwing errors to everyone whose clients were set up to use those.

I presume I did not set up something correctly and any ideas would be greatly appreciated.

Thanks!

CharlesWorks (August 9, 2015 at 7:15 AM)
Hi Charles! Please consider submitting a ticket to our support team to further troubleshoot these issues. Thank you!
Andrea Rogers (August 11, 2015 at 4:10 PM)
So if we have a mail server hostname of mail.myserver.com do we need to buy an SSL certificate for mail.myserver.com?

We already have a SSL certificate like secure.myserver.com which doesn't match our mail server address that we use for a web site.

So far no luck using these directions. We're testing using IMAP and have verified the 993 port is open on the firewall, and followed the directions above.

We'd like to use our existing certificate we have that starts with secure.

ActorMike (August 25, 2015 at 1:56 PM)
Mike,

You should still be able to utilize the secure.myserver.com SSL certificate to secure your ports. However, many clients will report validation errors. Some mail servers will outright refuse to deliver mail securely to your server if your mail server's hostname does not equal that of the SSL certificate, although this is pretty rare.

I personally would recommend purchasing a new standard SSL certificate to use specifically for the hostname of your mail server for example, mail.mydomain.com. This will ensure when your customers\clients hit the server, they will be allowed in without a security warning prompting you to accept a mismatching certificate.

If you'd like to secure multiple hostnames such as pop.mydomain.com smtp.mydomain.com etc, you can do so with a Wildcard Certificate.

If you'd like to secure multiple hosts across many domain such as mail.domainA.com, mail.domainB.com etc a UCC (Unified Communications Certificate) is recommended.

In regards to having no luck with these directions, these will work in 99% of environments but edge cases do happen and we will be glad to look into this further for you, you would just need to open a support ticket with us and we can assist you in identifying where this process is failing.

SmarterMail 14 does support PFX certificates. So instead of exporting the cert as a base 64 without the private key per these instructions, you may want to try to export this as a PFX containing the private key, and password protecting it. Then point your SmarterMail ports to the PFX file and enter in the password information and test by verifying the certificate.

You can then test SSL\TLS communications with these ports by utilizing an e-mail client, or OpenSSL. A decent writeup on connecting via SSL\TLS for various mail ports can be found here: https://www.thatsgeeky.com/2011/01/using-telnet-with-an-smtp-server/

I hope this helps.

Von-Austin See (August 25, 2015 at 4:29 PM)
Hello Von-Austin See,
thank you very much! I am facing the same issue - it won't work with an SHA256-issued certificate when I go through the steps described by SmarterTools here!
When I export my certificate with the primary key included (and password protected) I can use it for the bindings and they work ^^

Where do you got the information that SM14 now supports PFX Files also? I cannot find any hint in the release notes :(

WebControl GmbH (August 27, 2015 at 3:42 AM)
Is it possible to use two different certificates at the same time?
mail.server.com is used for shared ssl for all domains, but what if one domain (mail.example.com) wants to use their own certificate instead of mail.server.com ?

Erick Monroy (February 13, 2017 at 11:50 PM)
Hi Erick! You can definitely achieve that type of setup within SmarterMail. This thread from our user Community provides some good instruction on that configuration. Please check it out and let me know if you have any other questions!

"How do I add SSL to multiple domains in Smartermail?" - http://portal.smartertools.com/community/a393/how-do-i-add-ssl-to-multiple-domains-in-smartermail.aspx

Andrea Rogers (February 14, 2017 at 11:58 AM)
I'm using Windows Server 2016 and followed the steps to export my SSL certificate till Step 7:
http://prntscr.com/fbv7sp

But I'm stuck on Step 8, because I can't find certificates under "Own certificates":
http://prntscr.com/fbv88h

How should I proceed forward?

Sascha Samsonow (May 25, 2017 at 1:41 AM)
What version of Windows Server are you running?
Derek Curtis (May 30, 2017 at 3:59 PM)
Hi, I am also stuck exporting the SSL certs at step 7, where Personal is empty.
I am running Windows Server 2012 R2 STD version.
Seek your help

Lee CK (September 24, 2017 at 11:14 AM)
Lee, could you please clarify. Are you not seeing any certificates within the Personal folder? If so, please review the other folders in the certificate store to see if you can locate the proper cert. Once located, you can then proceed to export per the instructions above.
Von-Austin See (September 29, 2017 at 9:30 AM)
Hey there, I exactly followed the steps above to get the certificate. When I try to install it in SM Enterprise 14.x, the system gives the message that the certificate file path wasn't found. I attempted to use various file paths, but the system continues to believe that there is no file.

What am I doing wrong?

Thanks for your help
Marcus

Win Server 2008 R2 Datacenter

Marcus Wollong (October 22, 2017 at 9:14 AM)
Hi Marcus! Please ensure the account responsible for running the SmarterMail application pool within IIS has full control over the directory the certificate was placed in. Typically that would be 'Network Service', if you followed the steps above or used the install tool.
Andrea Rogers (October 24, 2017 at 1:34 PM)
I keep getting an invalid certificate error in SM 16
Brian Davidson (November 2, 2017 at 8:53 AM)
Sorry to hear that, Brian. What's the FQDN of your mail server?
Andrea Rogers (November 2, 2017 at 3:53 PM)
mail.syzzle.com I have a previously created certificate ending in .cer that is working but trying the directions here results in errors.

I was able to get the pfx certificate to save, but once it's applied incoming mail stops from most ISPs indicating an issue with the certificate (?).

Brian Davidson (November 5, 2017 at 3:17 PM)
I am also having no luck with certificates in SM 16. I had no problem following the above instructions exactly, with no errors. However, once the certificate is applied as instructed, no mail can be retrieved using any secure method (POP3/IMAP - SSL/TLS). The same certificate works perfectly in securing a website. I also tried using a mail-specific certificate, as suggested, and it made no difference.

mail.marvelous.com

Neil Colvin (December 6, 2017 at 10:32 AM)
Neil,

You'll want to ensure the PFX file you exported does contain a valid private key. You can also install the OpenSSL binaries on a Windows machine and test the secure connections directly by leveraging the following commands:

If you wish to connect to a server using SSL, you can use openssl with the following command (note the default port is 465, not 25):

openssl s_client -crlf -connect remoteserver.com:465

To connect to your server using TLS, use the following:

SMTP: openssl s_client -starttls smtp -crlf -connect remoteserver.com:25
POP3: openssl s_client -starttls pop3 -crlf -connect remoteserver.com:110
IMAP: openssl s_client -starttls imap -crlf -connect remoteserver.com:143

If the handshake is failing, there's likely an issue with the certificate's private key. If you were to open a ticket with our support department we should be able to get you up and running fairly quickly.

I hope this helps.

Von-Austin See (December 18, 2017 at 10:54 AM)
OK, I renewed my SSL certificate today and had a hard time making it work.

I exported as a .pfx like the doc said, but when I tried to change the path to the new pfx certificate in my bindings in SmarterMail, I always got "Invalid certificate".
I then exported it as a x509 base64 .cer file (like before) and it started working fine.

So what I understand is this :
If you already have bindings from previous SmarterMail version, you should keep using .cer X509 base64 certificate.
If you want to use a .pfx certificate, you need to create new bindings, where there is a "password" field that is missing in the old bindings (I didn't try, but I guess this is why I had the invalid certificate error, because I couldn't enter the password as there was no password field).

Is there any reason I should remove my old bindings and create new ones to use a .pfx certificate?

ellisfr (March 11 at 4:07 PM)
