Securing SmarterMail With Let's Encrypt

TLS (still commonly called SSL) is an integral part of today's web experience. Google and the other search engines penalize sites -- ANY sites -- that do NOT use it, so a solid TLS implementation for every one of your domains means your users get a safe and secure browsing experience. It also eliminates the "Not secure" label that Chrome shows in the address bar for pages served over plain HTTP, which tends to scare users.

Let's Encrypt is a free, open and automated Certificate Authority (CA). Unlike commercial CAs such as GeoTrust or Trustwave, the certificates Let's Encrypt issues cost nothing, yet they are just as secure and are trusted by the same browsers and mail clients. The trade-off is the usual one with open source tooling: the service is free, but it does less hand-holding, so using a Let's Encrypt certificate is slightly more work than using one from GeoTrust. You have to "enroll" the certificate in the server's Certificate Store, and because Let's Encrypt certificates are valid for only 90 days you also have to handle automated renewal. Even with those limitations, the effort is well worth it. Below we run through how we implemented Let's Encrypt for our own installation of SmarterMail, covering both the enrollment of the certificate AND its automated renewal.

Using Certify and Let's Encrypt to secure SmarterMail's web interface and protocol ports
One solution for requesting Let's Encrypt certificates is the Certify The Web client (Certify), which handles both the initial enrollment of the certificate and its automatic renewal. (Please note that the Certify client is only compatible with the most recent releases of SmarterMail 15.x and above.)

Configuring the Certify Client
Once Certify has been installed on the server, the steps below walk you through requesting the certificate automatically based on the site's IIS bindings.

1. Launch Certify.
2. Select New Certificate in the upper left hand corner.
3. The ‘New Managed Certificate’ section will then load.
4. Select your ‘SmarterMail’ IIS site.
5. Customize the Name if desired.
6. Ensure the checkbox for ‘Enable Auto Renewal’ is enabled.
7. Select the Primary Domain name for the desired domain.
8. Select the desired Subject Alternative Names (the additional domains) to secure your secondary domains. Please note that if a hostname you need is missing from this list, you will have to add an IIS binding for it so that Certify can detect it.
9. Click Save. At this point Certify kicks off the domain validation process; with the default HTTP challenge, every hostname you selected must resolve to this server in public DNS and be reachable on port 80 from the internet, or validation for that name fails. Once validation completes, the site is updated with the new SSL bindings and certificate within IIS.

Automating the certificate export from the Microsoft Certificate Store to secure SmarterMail’s ports
SmarterMail references a PFX or CER file in its port configuration in order to secure the POP\IMAP\SMTP\XMPP ports for SSL\TLS communications (in practice this means the PFX, since a CER file holds only the public certificate and the server needs the private key). Because Let's Encrypt certificates are valid for only 90 days, the renewed certificate has to be pulled out of the certificate store and re-exported every time Certify renews it; otherwise the mail ports keep presenting the old certificate until it expires.

Below is a PowerShell script that exports the desired certificate into a password-protected PFX file that the SmarterMail port configuration can reference. It picks the newest matching certificate so that an older copy still sitting in the store after a renewal is not exported by mistake:
Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.HasPrivateKey } |
    Where-Object { $_.Subject -like "*mail.example.com*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1 |
    ForEach-Object { & certutil.exe @('-exportpfx', '-f', '-p', 'DesiredPassword', $_.Thumbprint, 'C:\PathToCertificate\SmarterMail.pfx') }

The script above contains three entries (bold and italicized in the original) that need to be adjusted to match your environment: the subject pattern ("*mail.example.com*" here; use your own hostname), the PFX password (DesiredPassword) and the output file path. Since the password sits in the script in plain text and the PFX contains the private key, restrict the NTFS permissions on both the script folder and the output folder to SYSTEM and Administrators. Save the script after changing the values; in our example it was saved to C:\SmarterMail\Scripts\ExportCert.PS1.

Once this has been created, create a batch script that calls PowerShell to execute the ExportCert.PS1 script created above. The -NoProfile and -NonInteractive switches keep a scheduled run from loading a user profile or blocking on a prompt:
Powershell.exe -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File C:\SmarterMail\Scripts\ExportCert.ps1

Save this as ExportCert.bat under C:\SmarterMail\Scripts.

Next, create a Windows Scheduled Task that runs the ExportCert.bat script daily. When creating the task, set it to run whether the user is logged on or not and to run with highest privileges, so that the private key can be exported from the certificate store as expected. Running the task as the SYSTEM account (or a dedicated administrative service account) avoids storing a person's password in the task. Note that a renewed certificate only reaches the mail ports after this task next runs, so a daily schedule keeps that lag to at most a day.
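The following script is an added example of the export-and-schedule procedure described above; it is not the KB article's own script. It does in one PowerShell file what the article does with ExportCert.PS1, ExportCert.bat and a manually created task: it selects the newest unexpired certificate for the hostname, exports it to a password-protected PFX, locks the PFX down to SYSTEM and Administrators, and (with -RegisterTask) registers the daily task that re-runs the script as SYSTEM. The hostname mail.example.com, the paths under C:\SmarterMail\Certs, the task name and the placeholder password are all assumptions to replace with your own values.

```powershell
# Added example, not the article's own script. Assumed values: hostname, paths,
# task name and the placeholder password below. Certify's default store is
# Cert:\LocalMachine\My; change $StorePath if your client uses \WebHosting.
param(
    [string]$HostName     = 'mail.example.com',
    [string]$StorePath    = 'Cert:\LocalMachine\My',
    [string]$OutFile      = 'C:\SmarterMail\Certs\SmarterMail.pfx',
    [string]$PfxPassword  = 'DesiredPassword',   # placeholder; same value goes into the SmarterMail port settings
    [switch]$RegisterTask
)

$ErrorActionPreference = 'Stop'

# Newest unexpired cert with a private key whose CN or SAN list matches the host.
# Sorting by NotAfter keeps an older copy left in the store after renewal from winning.
$cert = Get-ChildItem -Path $StorePath |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object { $_.Subject -like "*CN=$HostName*" -or $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No exportable certificate for $HostName found in $StorePath" }

$secure = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $secure -Force | Out-Null

# The PFX carries the private key: drop inherited ACEs and allow only SYSTEM and Administrators.
$acl = Get-Acl -Path $OutFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $OutFile -AclObject $acl

Write-Output ("Exported {0} (thumbprint {1}, expires {2:u}) to {3}" -f $HostName, $cert.Thumbprint, $cert.NotAfter, $OutFile)

# Optional: register the daily task that re-runs this script as SYSTEM, which can
# read the machine store's private keys and needs no interactive logon or saved password.
if ($RegisterTask) {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$PSCommandPath`" -HostName $HostName"
    $trigger   = New-ScheduledTaskTrigger -Daily -At 3am
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'SmarterMail-ExportCert' -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
    Write-Output "Registered daily task SmarterMail-ExportCert"
}
```

Run it once by hand from an elevated prompt (`.\ExportCert.ps1 -RegisterTask`) to create the PFX and the task together; thereafter the task re-exports whatever certificate Certify has most recently renewed. The password still has to be stored somewhere because SmarterMail needs it to open the PFX, so the protection comes from the NTFS permissions on the script and the exported file rather than from hiding the value.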

Once this has been configured and has run for the first time, configure the SmarterMail ports to use the newly exported certificate for SSL\TLS communications. Our KB article on configuring SSL\TLS contains the steps under the 'Follow these steps to add a port to listen over SSL or TLS' section. Because the scheduled export overwrites the same PFX path each time, the port configuration keeps pointing at the same file across renewals.
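After the ports are configured, the check a practitioner wants is whether each port is actually presenting the new certificate. The script below is an added example, not part of the article: it opens a TLS session to the implicit-TLS ports and an SMTP STARTTLS session on the submission port, and reports the certificate each one serves, optionally flagging any port whose thumbprint differs from the one you just exported. The hostname and the port numbers (465, 993, 995 and 587) are assumptions; adjust them to the ports you enabled in SmarterMail.

```powershell
# Added example, not the article's own code. Reports the certificate actually
# presented on each SSL/TLS port so a renewal can be confirmed end to end.
# Assumed host and ports; run from any machine that can reach the server.
param(
    [string]$HostName = 'mail.example.com',
    [int[]] $ImplicitTlsPorts = 465, 993, 995,     # SMTPS, IMAPS, POP3S
    [string]$ExpectedThumbprint = ''                # e.g. from Get-ChildItem Cert:\LocalMachine\My
)

function Get-ServedCertificate {
    param([string]$Target, [int]$Port, [switch]$SmtpStartTls)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Target, $Port)
        $stream = $client.GetStream()
        if ($SmtpStartTls) {
            # Plain-text SMTP preamble, then upgrade the same socket to TLS.
            $reader = New-Object System.IO.StreamReader($stream)
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
            $null = $reader.ReadLine()                              # 220 banner
            $writer.WriteLine('EHLO verify.local')
            while (($line = $reader.ReadLine()) -and $line -match '^250-') { }   # drain multi-line EHLO reply
            $writer.WriteLine('STARTTLS')
            if (-not ($reader.ReadLine() -match '^220')) { throw "STARTTLS refused on port $Port" }
        }
        # Accept any certificate here: the goal is to inspect what is served, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
        $ssl.AuthenticateAsClient($Target)                           # $Target is also sent as SNI
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Port       = $Port
            Subject    = $served.Subject
            Issuer     = $served.Issuer
            NotAfter   = $served.NotAfter
            Thumbprint = $served.Thumbprint
            Protocol   = $ssl.SslProtocol
        }
    } finally { $client.Close() }
}

$results = @()
foreach ($p in $ImplicitTlsPorts) {
    try { $results += Get-ServedCertificate -Target $HostName -Port $p }
    catch { Write-Warning "Port ${p}: $_" }
}
try { $results += Get-ServedCertificate -Target $HostName -Port 587 -SmtpStartTls }
catch { Write-Warning "Port 587: $_" }

$results | Format-Table Port, Subject, NotAfter, Thumbprint, Protocol -AutoSize

if ($ExpectedThumbprint) {
    $stale = $results | Where-Object { $_.Thumbprint -ne $ExpectedThumbprint }
    if ($stale) { Write-Warning ("Ports still serving a different certificate: " + ($stale.Port -join ', ')) }
    else        { Write-Output  "All checked ports present thumbprint $ExpectedThumbprint" }
}
```

Pass -ExpectedThumbprint with the thumbprint printed by the export step to turn the report into a pass/fail check; a port that still shows the previous NotAfter date after the scheduled task has run is the usual sign that SmarterMail is pointing at a different file or has not picked up the new PFX yet.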


This can be done all in PowerShell as well (and is a little easier to troubleshoot).

If you are using ACME, certificates are stored in LocalMachine\WebHosting instead of LocalMachine\My. Also, don't forget to mark the cert as exportable in the settings.json file.

Put the below in ExportCert.ps1:

$certpass = ConvertTo-SecureString "MyDesiredPassword" -AsPlainText -Force
# Subject pattern and output file are placeholders; Export-PfxCertificate needs a file path, not a folder.
Get-ChildItem -Path 'Cert:\LocalMachine\WebHosting' |
    Where-Object { $_.HasPrivateKey } |
    Where-Object { $_.Subject -like "*mail.example.com*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1 |
    Export-PfxCertificate -FilePath C:\path\SmarterMail.pfx -Password $certpass -Force

Then follow the rest of the instructions.

Joe Vivona (7/9/2020 at 9:57 AM)
I've done this, but how do we check if there is success?
Steve Guluk (10/22/2020 at 5:16 PM)
Go here to check. All should say OK.
Timothy Barton (11/17/2020 at 9:58 PM)
Basically, I am generating the .pfx file based on the latest installed cert for SmarterMail in IIS. I believe there is still one more step to bind the .pfx into SmarterMail?
Steve Guluk (10/23/2020 at 11:40 AM)
We use a wildcard Let's Encrypt cert, so we have Certify The Web installed, and it installs and updates the web on server1. We then have a PowerShell script that Let's Encrypt can execute once it has renewed the cert on the first machine; we then call the PowerShell script, which copies the file to our other servers and remotely installs the cert on the other servers. Nice and clean.
Keith Dovale (12/10/2020 at 10:12 AM)
Don't know if this wasn't an option before, but Certify can handle exporting the cert to a password-protected PFX file. You need to set a password under Stored Credentials. Then set this password in the certificate settings under Advanced >> Security. Finally, create an Export Certificate task to have Certify create a PFX. I just set this up and it works flawlessly with no need for a PS script or scheduled task.
JerseyConnect Team (10/22/2021 at 8:00 AM)