Manually Securing SmarterMail Using Let's Encrypt and Certify the Web

This article covers manually implementing Let's Encrypt using Certify the Web and NOT using the automated SSL process available in SmarterMail. These other articles may be of help as well:


Here is a brief overview of how to implement Let's Encrypt for a SmarterMail installation, from certificate enrollment to automatic renewal:

1. Using Certify with Let's Encrypt for Enhanced Security

  • An effective way to obtain Let's Encrypt certificates is through the Certify the Web client. This tool handles both enrolling the certificate and renewing it automatically. Please note that Certify is compatible only with SmarterMail 15.x and above.

2. Steps to Configure the Certify Client:

  1. Launch Certify.
  2. Click on "New Certificate" (top-left corner).
  3. The "New Managed Certificate" section will appear.
  4. Choose your "SmarterMail" IIS site.
  5. Rename if needed.
  6. Check the "Enable Auto Renewal" box.
  7. Choose the Primary Domain.
  8. Pick the desired Alternative Subject/Domain names. If you don't see your hostnames, add an IIS binding for each of them.
  9. Hit "Save". Certify will begin domain verification. Once done, the site gets updated with the new SSL bindings within IIS.

Refer to the attached screenshot for a visual guide.

Screenshot

3. Automating the Certificate Export for Securing SmarterMail Ports

  • To secure the POP, IMAP, SMTP, and XMPP ports, SmarterMail requires a reference to a PFX or CER file. With this method, the Let's Encrypt certificate is exported for SmarterMail automatically.

Steps for Deployment Task Setup:

  1. Open the certificate and click on Tasks in the right-hand menu.

    Screenshot

  2. Click "Add".

  3. Choose "Export Certificate" as the Task Type.

  4. Name the certificate and set up the task parameters. These control the location the certificate is exported to.

    Screenshot

  5. If you've already requested your certificate, run the task to export it. If you haven't requested it yet, click "Request Certificate" and the certificate will be deployed automatically to your chosen location.

Note: If you've successfully followed the instructions above, you can ignore the subsequent steps related to the PowerShell export script. These are only provided as alternatives should you encounter issues with the main procedure.

Automating the Certificate Export from the Microsoft Certificate Store for SmarterMail

For secure SSL/TLS communications, SmarterMail requires a PFX or CER file to reference for port configurations, such as POP, IMAP, SMTP, and XMPP. When using Let’s Encrypt, the certificate must be pulled from the certificate store every 90 days as the certificate approaches its expiration.

PowerShell Script for Exporting the Certificate

Below is a PowerShell script that exports the required certificate. It creates a password-protected PFX file suitable for the SmarterMail port configuration:
    # Find the certificate in the machine store that has a private key and whose
    # subject matches the mail host name, then export it to a PFX with certutil.
    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.HasPrivateKey } |
        Where-Object { $_.Subject -like "*mail.domain.com*" } |
        ForEach-Object { & certutil.exe @('-exportpfx', '-f', '-p', 'DesiredPassword', $_.Thumbprint, "c:\PathToCertificate\mail.domain.com.pfx") }

Please note: There are three elements in the script above that you'll need to customize for your environment:

  1. mail.domain.com: The domain for which you are securing the communications.
  2. DesiredPassword: The password you wish to set for the PFX file.
  3. c:\PathToCertificate\mail.domain.com.pfx: The desired path and filename for the exported PFX file.

After adjusting these variables, save the script. For our example, we've saved it as C:\SmarterMail\Scripts\ExportCert.PS1.
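After a renewal the store usually still holds the previous certificate for the same subject, so a plain subject filter can export the expired one. The following is an added example, not the article's own script, that picks the newest valid match, exports it with Export-PfxCertificate, and reads the PFX back to confirm it matches. The subject filter, store paths, PFX path and password are placeholders to adjust.

```powershell
# Added example (not the article's script): export the newest valid certificate
# matching the mail host name and verify the PFX before SmarterMail reads it.
# Placeholders: subject filter, PFX path and password.
$SubjectMatch = '*mail.domain.com*'
$PfxPath      = 'C:\PathToCertificate\mail.domain.com.pfx'
$PfxPassword  = ConvertTo-SecureString 'DesiredPassword' -AsPlainText -Force
# Certify the Web installs into My; some ACME clients use WebHosting instead.
$Stores       = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting'

# Keep only unexpired certificates with a private key, newest expiry first.
$cert = Get-ChildItem -Path $Stores -ErrorAction SilentlyContinue |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like $SubjectMatch -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Error "No valid certificate with a private key matches $SubjectMatch"
    exit 1
}

# Export-PfxCertificate fails outright (instead of writing an unusable file)
# when the private key is not marked exportable.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword -Force | Out-Null

# Read the PFX back and confirm it carries the same certificate and its key.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
    Write-Error "Exported PFX does not match the selected certificate"
    exit 1
}

Write-Output ("Exported {0} (thumbprint {1}, expires {2:yyyy-MM-dd}) to {3}" -f `
    $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $PfxPath)
```

Because the script exits non-zero on any failure, a scheduled task running it records a non-zero last run result that you can alert on.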

Creating a Batch Script to Execute the PowerShell Script

To automate the execution, create a batch script with the following content:
    Powershell.exe -executionpolicy remotesigned -File c:\SmarterMail\Scripts\ExportCert.ps1

Save this batch file as ExportCert.bat in C:\SmarterMail\Scripts.

Setting Up a Scheduled Task

To ensure the certificate is regularly exported:

  1. Create a Windows Scheduled Task that runs the ExportCert.bat script daily.
  2. When setting up the task, choose the option to run it whether or not a user is logged on.
  3. Ensure the task runs with the highest privileges so that the private key can be exported from the certificate store.
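The same task can be registered from PowerShell. This is an added example, not part of the article: it runs the export script directly (no batch wrapper), as SYSTEM so it needs no logged-on user and can read the machine store's private keys, and with the highest run level. The script path and task name are assumed placeholders.

```powershell
# Added example (not from the article): register the daily export task with the
# settings the steps above call for. Script path and task name are placeholders.
$ScriptPath = 'C:\SmarterMail\Scripts\ExportCert.ps1'
$TaskName   = 'SmarterMail-ExportCert'

# Run the PowerShell script directly; no batch wrapper is needed.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""

# Daily is plenty: Let's Encrypt certificates live 90 days and renew well before expiry.
$trigger = New-ScheduledTaskTrigger -Daily -At '03:00'

# SYSTEM runs whether or not anyone is logged on and can export the machine
# store's private keys; RunLevel Highest satisfies step 3 above.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Catch up if the machine was off at 03:00, and never let the export hang forever.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Run it once now and show the result code; 0 means the export script succeeded.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 15
(Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult
```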

After you've run this setup for the first time, you'll need to configure the SmarterMail ports to utilize the freshly exported certificate for SSL/TLS communications. For guidance on this, refer to our KB article on configuring SSL/TLS.

Feedback

This can be done all in PowerShell as well (and is a little easier to troubleshoot).

If you are using ACME, certificates are stored in localmachine\WebHosting instead of localmachine\My. Also, don't forget to mark the cert as exportable in the settings.json file.

Put the below in ExportCert.ps1:

[code]
# Password that will protect the exported PFX
$certpass = ConvertTo-SecureString "MyDesiredPassword" -AsPlainText -Force
# Find the matching cert with a private key in the WebHosting store and export it
Get-ChildItem -Path 'Cert:\localmachine\WebHosting' | Where-Object { $_.hasPrivateKey } | Where-Object {$_.Subject -like "*mail.domain.com*"} | Export-PfxCertificate -FilePath c:\path\mail.domain.com.pfx -Password $certpass
[/code]

Then follow the rest of the instructions.

Joe Vivona (7/9/2020 at 9:57 AM)
I've done this but how do we check if there is success?
Steve Guluk (10/22/2020 at 5:16 PM)
Go here to check: https://www.checktls.com/TestReceiver. All should say OK.
Timothy Barton (11/17/2020 at 9:58 PM)
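A local check that does not depend on an external service, added here as an example and not part of the comment thread: open a TLS connection to one of the SmarterMail ports and compare the certificate the server presents with the one in the exported PFX. Host name, port, PFX path and password are placeholders.

```powershell
# Added example (not from the thread): confirm a SmarterMail TLS port presents
# the exported certificate by comparing thumbprints. All values are placeholders.
$HostName = 'mail.domain.com'
$Port     = 993   # IMAPS; 995 (POP3S) and 465 (SMTPS) work the same way.
                  # STARTTLS ports (25/587/143/110) need the protocol handshake first.
$PfxPath  = 'C:\PathToCertificate\mail.domain.com.pfx'
$PfxPass  = ConvertTo-SecureString 'DesiredPassword' -AsPlainText -Force

$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPass)

$client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    # Accept whatever the server sends so it can be inspected; the real check
    # is the thumbprint comparison below, not chain validation.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    $presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

    Write-Output ("Server sent : {0} (thumbprint {1}, expires {2:yyyy-MM-dd})" -f `
        $presented.Subject, $presented.Thumbprint, $presented.NotAfter)
    Write-Output ("PFX contains: {0} (thumbprint {1}, expires {2:yyyy-MM-dd})" -f `
        $expected.Subject, $expected.Thumbprint, $expected.NotAfter)

    if ($presented.Thumbprint -eq $expected.Thumbprint) {
        Write-Output "OK: port $Port is serving the exported certificate."
    } else {
        Write-Warning "MISMATCH: port $Port still serves a different certificate; re-check the SmarterMail port binding."
    }
} finally {
    $client.Close()
}
```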
Basically, I am generating the .pfx file based on the latest installed cert for SmarterMail in IIS. I believe there is still one more step to bind the .pfx into SmarterMail?
Steve Guluk (10/23/2020 at 11:40 AM)
We use a wildcard Let's Encrypt cert, so we have Certify the Web installed and it installs and updates the web on server1. We then have a PowerShell script that Let's Encrypt can execute once it has renewed the cert on the first machine. We then call the PowerShell script, which copies the file to our other servers and remotely installs the cert on the other servers. Nice and clean.
Keith Dovale (12/10/2020 at 10:12 AM)
Don't know if this wasn't an option before, but Certify can handle exporting the cert to a password-protected PFX file. You need to set a password under Stored Credentials. Then set this password in the certificate settings under Advanced >> Security. Finally, create an Export Certificate task to have Certify create a PFX. I just set this up and it works flawlessly with no need for a PS script or scheduled task.
JerseyConnect Team (10/22/2021 at 8:00 AM)
Thanks for the feedback. The article has been updated as this is now the preferred way to do it.
Zach Sylvester (3/23/2023 at 11:46 AM)