Deploying SSL Certificates On a New SmarterMail Server

This KB article covers using SmarterMail's SSL Certificates page on a brand new installation of SmarterMail that has no existing SSL certificates. If you have an existing SSL deployment, the following article may be of interest to you:
Deploying an SSL certificate for your SmarterMail server and any associated customer domains is now easier than ever with the latest versions of SmarterMail as we now include built-in integration with Let's Encrypt, providing automatic certificate generation, renewal, and deployment. Before SmarterMail will attempt to generate certificates for those domain names, you'll need to ensure a few requirements have been met: 
  • Hostname must be pointed at the SmarterMail server using an A record in DNS. 
  • HTTP binding must be present in IIS and configured to land on the SmarterMail web interface. 
  • Nothing intercepting HTTP requests on that hostname such as an existing Certify the Web/Let's Encrypt installation or proxy.
  • Hostname is configured in the domain's hostname settings.
  • Hostname is not a .local or other non-routable domain name.
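As an added check that is not part of the SmarterMail KB, the PowerShell function below tests the externally verifiable prerequisites above for one hostname from the SmarterMail server itself; the IIS site name 'SmarterMail' and the placeholder hostname are assumptions, and the "configured in the domain's hostname settings" item still has to be confirmed in the SmarterMail interface.

```powershell
# Added example, not from the SmarterMail KB. Checks the externally checkable
# Let's Encrypt prerequisites above for one hostname. Run elevated on the
# SmarterMail server; WebAdministration ships with IIS. The IIS site name
# 'SmarterMail' is assumed; the "hostname configured in the domain's settings"
# item has to be checked in the SmarterMail UI.
function Test-SmarterMailCertPrereqs {
    param(
        [Parameter(Mandatory)] [string] $Hostname,
        [string] $SiteName = 'SmarterMail'
    )
    Import-Module WebAdministration -ErrorAction Stop
    $r = [ordered]@{}

    # Not a .local or other non-routable suffix (Let's Encrypt cannot validate these)
    $r['RoutableName'] = $Hostname -notmatch '\.(local|localhost|internal|lan)$'

    # DNS A record resolves to an IPv4 address bound on this machine
    # (behind NAT the public address differs; compare against the NAT'd address manually)
    $localIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    try {
        $aRecords = (Resolve-DnsName -Name $Hostname -Type A -ErrorAction Stop |
                     Where-Object QueryType -eq 'A').IPAddress
    } catch { $aRecords = @() }
    $r['DnsPointsHere'] = @($aRecords | Where-Object { $localIps -contains $_ }).Count -gt 0

    # A port-80 binding for this hostname exists on the SmarterMail IIS site
    $binding = Get-WebBinding -Name $SiteName -Protocol http |
               Where-Object { $_.bindingInformation -like "*:80:$Hostname" }
    $r['HttpBinding'] = $null -ne $binding

    # Plain HTTP must answer 2xx directly: a 3xx to HTTPS, a proxy or another
    # ACME client answering here would break the HTTP validation SmarterMail runs
    try {
        $resp = Invoke-WebRequest -Uri "http://$Hostname/" -MaximumRedirection 0 `
                    -UseBasicParsing -ErrorAction Stop
        $r['HttpReachable']    = $true
        $r['HttpOkNoRedirect'] = ($resp.StatusCode -ge 200) -and ($resp.StatusCode -lt 300)
    } catch {
        $code = $_.Exception.Response.StatusCode.value__   # $null if nothing answered
        $r['HttpReachable']    = $null -ne $code
        $r['HttpOkNoRedirect'] = $false                    # any thrown status fails the check
    }

    $r.GetEnumerator() | Format-Table -AutoSize | Out-Host
    return -not ($r.Values -contains $false)   # $true only when every check passed
}

# Placeholder hostname; replace with the primary hostname set in Settings>General
Test-SmarterMailCertPrereqs -Hostname 'mail.example.com'
```

Run it once per hostname you expect SmarterMail to request a certificate for; any row showing False points at the prerequisite to fix before queuing the request.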
Once those are in good shape, follow the steps below to get started deploying SSL certificates on a new SmarterMail installation:

1. Install the latest build of SmarterMail, which deploys IIS and the required components, including the Centralized Certificate Store feature. Note that when IIS and the other required features are absent, the installer takes a few extra minutes to start because it installs them first.
2. Edit the directory permissions of the C:\SmarterMail\Certificates directory to grant Full Control to a user of your choosing.
3. Configure the Centralized Certificate Store feature in IIS Manager to reference the C:\SmarterMail\Certificates directory, accessing it as the same user you granted permissions to above.
4. Log in to SmarterMail and configure the primary server hostname in Settings>General; this hostname provides your fallback certificate.
5. Add HTTP bindings for the primary server hostname and any domain names, if not already added, and verify each is accessible over HTTP. (It will not redirect to HTTPS yet.)
6. Navigate to Settings>SSL Certificates>Automatic Certificates in SmarterMail and verify a certificate has been generated for the primary system hostname. This may take a few hours to complete, as SmarterMail limits how often certificate requests are issued to avoid throttling by the Certify Certificate servers. When complete, you will find a matching PFX file in the Centralized Certificate Store directory for the completed certificate request.
7. Navigate to Settings>Bindings>Ports in SmarterMail and add SSL/TLS-backed ports for IMAP, POP, SMTP, etc., using the primary server hostname's PFX file as the certificate. This serves as the fallback certificate when no matching domain name/PFX file is found for the requested hostname. For example, if a user on the example.com domain connects on an SSL-backed port but no SSL certificate for example.com is present, this certificate is used to secure the connection instead.
8. SmarterMail will attempt to add HTTPS bindings that match the hostnames for which SSL certificates are generated. If for any reason this does not happen, you can set up HTTPS bindings for these hostnames using the Centralized Certificate Store/SNI settings.
9. If any domains initially fail HTTP validation, correct the missing binding or other items, then use the menus in Settings>SSL Certificates>Automatic Certificates to queue a rescan on those hostnames. 
10. Finally, add any standalone certificates (PFX format) to the installation using the Upload button in the Settings>SSL Certificates>Certificates area, or by placing a copy into the C:\SmarterMail\Certificates directory.