Securing SmarterMail With Let's Encrypt

SSL is an integral part of today’s web experience. Sites like Google penalize sites -- ANY sites -- that do NOT use SSL, so having a solid SSL implementation for any of your domains means your users will have safe and secure browsing experience. In addition, it eliminates that pesky “Safe Browsing” warning that Google displays for sites that don’t utilize SSL and that tend to scare users.

Let’s Encrypt is a free, open and automated Certifying Authority. Unlike places such as GeoTrust or Trustwave, the SSL certificates issued by Let’s Encrypt have zero cost. However, their certificates are just as secure and reliable as paid certs. The difference is that Let’s Encrypt is like any open source product: while free, it may lack some of the nuance of paid services. That’s to say that using a Let’s Encrypt cert is slightly more work than using something from GeoTrust. For example, you have to “enroll” the certificate in the server’s Certificate Store plus you have to handle automated renewals of the Let’s Encrypt certificate. Even with the limitations, the effort required for using Let’s Encrypt is well worth it. Below we’ll run through how we’ve implemented Let’s Encrypt for our installation of SmarterMail and how we’re handling both the enrollment of the cert AND the automated renewal.

Using Certify and Let's Encrypt to secure SmarterMail's web interface and protocol ports
One solution for requesting Let’s Encrypt certificates is to use the Certify client to handle the enrollment of the certificate as well as the automatic renewal. (Please note that the Certify client is only compatible with the most recent releases of SmarterMail 15.x and above.)

Configuring the Certify Client
Once certify has been installed on the server the instructions below will walk you through configuring the certificate automatically based on the IIS settings.

1. Launch Certify.
2. Select New Certificate in the upper left hand corner.
3. The ‘New Managed Certificate’ section will then load.
4. Select your ‘SmarterMail’ IIS site.
5. Customize the Name if desired.
6. Ensure the checkbox for ‘Enable Auto Renewal’ is enabled.
7. Select the Primary Domain name for the desired domain.
8. Select the desired Alternative Subject\Domain names to secure your secondary domains. Please note if you are not seeing the desired hostnames in this list, you will need to add an IIS binding for this hostname so that Certify can detect it.
9. Click Save - At this point Certify should kick off the domain verification process. Once complete the site will be updated with the new SSL bindings and certificates within IIS.

Automating the certificate export from the Microsoft Certificate Store to secure SmarterMail’s ports
SmarterMail requires a PFX or CER file to reference for the port configuration in order to secure the POP\IMAP\SMTP\XMPP ports for SSL\TLS communications. The Let’s Encrypt certificate will need to be pulled from the certificate store every 90 days when the certificate reaches it’s expiration period.

Below is a PowerShell script that can be leveraged to export the desired certificate using into a password protected PFX file that can be referenced by the SmarterMail port configuration:
Get-ChildItem -Path 'Cert:\localmachine\My' | Where-Object { $_.hasPrivateKey } | Where-Object {$_.Subject -like "**"} | Foreach-Object {&certutil.exe @('-exportpfx', '-f', 'DesiredPassword',$_.Thumbprint, "c:\PathToCertificate\")}

The script above contains three bold and italicized entries that will need to be adjusted to match your environment. You’ll want to save this script after changing the variables, in our example, this was saved to C:\SmarterMail\Scripts\ExportCert.PS1.

Once this has been created you will then want to create a batch script to call on PowerShell to execute the ExportCert.PS1 script created above, the script you will want to leverage is below:
Powershell.exe -executionpolicy remotesigned -File c:\SmarterMail\Scripts\ExportCert.ps1

Save this as ExportCert.bat under C:\SmarterMail\Scripts.

Next create a Windows Scheduled Task that runs daily to execute the ExportCert.bat script. During the task creation ensure the option is set to run whether the user is logged on or not, and is also set to run with highest privileges to ensure the private key can be exported from the certificate store as expected.

Once this has been configured and run for the first time, you would need to configure the SmarterMail ports to use the newly exported certificate for SSL\TLS communications. Our KB article on configuring SSL\TLS contains the steps for configuring this under the ‘Follow these steps to add a port to listen over SSL or TLS’ section.