Automatic SSL Certificates on a New SmarterMail Server

This KB article covers using SmarterMail's SSL Certificates page for automatically generating SSL certificates on a brand new, fresh installation of SmarterMail. If you have an existing SmarterMail server, with existing (non-automated) SSL certificates, the following article may be of interest to you: 
Deploying an SSL certificate for your SmarterMail server and any associated customer domains is now easier than ever, as the latest versions of SmarterMail include built-in integration with Let's Encrypt that provides automatic certificate generation, renewal, and deployment. Before SmarterMail will attempt to generate a certificate for a hostname, make sure the following requirements have been met:
  • The hostname points at the SmarterMail server via an A record in DNS.
  • An HTTP binding for the hostname is present in IIS and lands on the SmarterMail web interface.
  • Nothing else intercepts HTTP requests for that hostname, such as an existing Certify the Web/Let's Encrypt client or a proxy.
  • The hostname is configured in the domain's hostname settings.
  • The hostname is not a .local or other non-routable domain name.
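The prerequisites above can be checked before SmarterMail ever submits a request. The following PowerShell script is an added example, not part of the KB article or SmarterMail's own tooling. It assumes it runs on the SmarterMail server itself with IIS and the WebAdministration module installed, that the server's own IPv4 addresses are the ones published in DNS (adjust the comparison if the server sits behind NAT), and that the hostnames and IIS site name are placeholders you replace with your own.

```powershell
# Added example (not from the SmarterMail KB article): pre-flight check of the
# Let's Encrypt prerequisites for each hostname SmarterMail will request.
# Assumptions: runs on the SmarterMail server, IIS + WebAdministration present,
# server's local IPv4 addresses are what DNS publishes (no NAT).
Import-Module WebAdministration -ErrorAction Stop

$Hostnames = @('mail.example.com', 'mail.example.net')   # constructed placeholders
$SiteName  = 'Default Web Site'                            # IIS site hosting SmarterMail (assumption)

# Addresses bound on this server, used to confirm each A record points here.
$LocalIPs = (Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }).IPAddress

# Suffixes a public CA will never validate (special-use / non-routable names).
$NonRoutableSuffixes = @('.local', '.localhost', '.internal', '.lan', '.home', '.corp', '.test', '.invalid')

function Test-SmarterMailHostname {
    param([Parameter(Mandatory)][string]$Hostname)

    $result = [ordered]@{
        Hostname = $Hostname; RoutableOk = $true; DnsOk = $false
        BindingOk = $false; HttpOk = $false; Notes = @()
    }

    # 1. Reject .local and similar names outright; HTTP validation cannot succeed for them.
    foreach ($suffix in $NonRoutableSuffixes) {
        if ($Hostname.ToLower().EndsWith($suffix)) {
            $result.RoutableOk = $false
            $result.Notes += "Non-routable suffix '$suffix': Let's Encrypt cannot validate this name."
        }
    }

    # 2. The A record must resolve to one of this server's addresses.
    try {
        $targets = (Resolve-DnsName -Name $Hostname -Type A -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'A' }).IPAddress
        if ($targets | Where-Object { $LocalIPs -contains $_ }) {
            $result.DnsOk = $true
        } else {
            $result.Notes += "A record resolves to [$($targets -join ', ')]; none is bound on this server."
        }
    } catch {
        $result.Notes += "DNS lookup failed: $($_.Exception.Message)"
    }

    # 3. An http :80 binding with this host header must exist on the SmarterMail site.
    $binding = Get-WebBinding -Name $SiteName -Protocol http |
               Where-Object { $_.bindingInformation -like "*:80:$Hostname" }
    if ($binding) { $result.BindingOk = $true }
    else { $result.Notes += "No http :80 binding for $Hostname on '$SiteName'." }

    # 4. Plain HTTP must actually answer. Any HTTP status (even 3xx/4xx) means the name is
    #    reachable; only a connection failure counts as not reachable.
    $status = $null
    try {
        $resp = Invoke-WebRequest -Uri "http://$Hostname/" -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        $status = [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        else { $result.Notes += "HTTP request failed: $($_.Exception.Message)" }
    }
    if ($status) { $result.HttpOk = $true; $result.Notes += "HTTP responded with status $status." }

    # 5. Hint for the "nothing intercepting" requirement: anything other than http.sys
    #    (PID 4, 'System') listening on port 80 is a proxy or another ACME client.
    $listeners = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
                 ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } |
                 Sort-Object -Unique
    if ($listeners -and ($listeners -ne 'System')) {
        $result.Notes += "Port 80 is also held by: $(($listeners | Where-Object { $_ -ne 'System' }) -join ', ')"
    }

    [pscustomobject]$result
}

$Hostnames | ForEach-Object { Test-SmarterMailHostname $_ } | Format-List
```

Run it elevated after adding a domain and before expecting a certificate; a hostname whose four Ok fields are all true is one SmarterMail can validate, and the Notes field says which prerequisite to fix otherwise. The port-80 listener check cannot tell Certify the Web apart from IIS (both use http.sys), so also check IIS for another site bound to the same host header if validation keeps failing.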
Once those are in good shape, follow the steps below to get started deploying SSL certificates on a new SmarterMail installation:

1. Install the latest build of SmarterMail, which deploys IIS and the required components, including the Centralized Certificate Store feature. Note that the installer takes a few extra minutes to start when IIS and the other required features are absent, because it installs them at startup.
2. Edit the permissions of the C:\SmarterMail\Certificates directory to grant Full Control to a user account of your choosing.
3. Configure the Centralized Certificate Store feature in IIS Manager to reference the C:\SmarterMail\Certificates directory, accessing it with the same user account you granted permissions to above.

4. Log in to SmarterMail and configure the primary server hostname in Settings>General; this hostname's certificate serves as your fallback certificate.
5. Add HTTP bindings for the primary server hostname and any domain names, if not already present, and verify each is accessible over HTTP. (It will not redirect to HTTPS yet.)
6. Navigate to Settings>SSL Certificates>Automatic Certificates in SmarterMail and verify that a certificate has been generated for the primary system hostname. This may take a few hours to complete, as SmarterMail limits how often certificate requests are issued to avoid throttling by the Certify Certificate servers. When complete, you will find a matching PFX file in the Centralized Certificate Store directory for the completed certificate request.

7. Navigate to Settings>Bindings>Ports in SmarterMail and add SSL/TLS-backed ports for IMAP, POP, SMTP, etc., using the primary server hostname's PFX file as the certificate. This serves as the fallback certificate when no other domain name/PFX file matches the requested hostname. As an example, if a user on the example.com domain connects to an SSL-backed port but no certificate for example.com is present, this certificate is used to secure the connection instead.
8. SmarterMail will attempt to add HTTPS bindings that match the hostnames for which SSL certificates are generated. If for any reason this does not happen, you can set up HTTPS bindings for these hostnames yourself using the Centralized Certificate Store/SNI settings.
9. If any domains initially fail HTTP validation, correct the missing binding or other items, then use the menus in Settings>SSL Certificates>Automatic Certificates to queue a rescan of those hostnames.
10. Finally, add any standalone certificates (PFX format) to the installation using the Upload button in the Settings>SSL Certificates>Certificates area, or by placing a copy in the C:\SmarterMail\Certificates directory.
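The IIS and file-system parts of this procedure (steps 1 to 3, 5, 8 and 10) can be done from PowerShell instead of the IIS Manager UI. The script below is an added example and is not SmarterMail's or its installer's own code; steps 4, 6, 7 and 9 happen inside the SmarterMail interface and are not scripted here. It assumes Windows Server with the ServerManager and WebAdministration modules, that the IIS site name, service account and hostnames are placeholders to replace, and that the Centralized Certificate Store's usual file naming applies (a certificate for mail.example.com is read from mail.example.com.pfx).

```powershell
# Added example (not the SmarterMail installer's script): IIS-side setup for
# SmarterMail automatic certificates. Run in an elevated PowerShell session on the server.
# Assumptions: Windows Server (Install-WindowsFeature available), site name, account
# and hostnames below are placeholders.
Import-Module ServerManager    -ErrorAction Stop
Import-Module WebAdministration -ErrorAction Stop

$CertDir   = 'C:\SmarterMail\Certificates'             # path used by the article
$SiteName  = 'Default Web Site'                         # IIS site hosting SmarterMail (assumption)
$CertUser  = 'SMARTERMAIL\certstore'                    # placeholder account for the cert store
$Hostnames = @('mail.example.com', 'mail.example.net')  # placeholders; primary hostname first
$CertPass  = Read-Host -AsSecureString "Password for $CertUser"

# Step 1: the installer normally enables Centralized SSL Certificate Support; doing it
# explicitly is a no-op when it is already present.
Install-WindowsFeature Web-CertProvider | Out-Null

# Step 2: grant the chosen account Full Control on the directory, inherited by the PFX files.
New-Item -ItemType Directory -Path $CertDir -Force | Out-Null
$acl  = Get-Acl -Path $CertDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $CertUser, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $CertDir -AclObject $acl

# Step 3: point the Centralized Certificate Store at the directory with the same account.
# The cmdlet needs the password in clear text; release it immediately afterwards.
$plain = [System.Net.NetworkCredential]::new('', $CertPass).Password
Enable-WebCentralCertProvider -CertStoreLocation $CertDir -UserName $CertUser -Password $plain
$plain = $null

# Step 5: an http :80 binding per hostname, which is what Let's Encrypt validation reaches.
foreach ($h in $Hostnames) {
    $have = Get-WebBinding -Name $SiteName -Protocol http |
            Where-Object { $_.bindingInformation -like "*:80:$h" }
    if (-not $have) { New-WebBinding -Name $SiteName -Protocol http -Port 80 -HostHeader $h }
}

# Step 8 (only if SmarterMail did not add them): https :443 bindings using SNI plus the
# Centralized Certificate Store. SslFlags 3 = SNI (1) + central store (2); IIS then serves
# <hostname>.pfx from $CertDir, so a binding is only useful once that file exists.
foreach ($h in $Hostnames) {
    $pfx = Join-Path $CertDir "$h.pfx"
    if (-not (Test-Path $pfx)) { Write-Warning "No $pfx yet; skipping HTTPS binding for $h"; continue }
    $have = Get-WebBinding -Name $SiteName -Protocol https |
            Where-Object { $_.bindingInformation -like "*:443:$h" }
    if (-not $have) { New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $h -SslFlags 3 }
}

# Step 10: standalone PFX files copied into the directory must be named <hostname>.pfx to be
# picked up. List what is present and flag names that do not match a configured hostname.
Get-ChildItem -Path $CertDir -Filter *.pfx | ForEach-Object {
    $name = $_.BaseName
    $known = if ($Hostnames -contains $name) { 'configured' } else { 'not in hostname list' }
    [pscustomobject]@{ File = $_.Name; Hostname = $name; Status = $known; Modified = $_.LastWriteTime }
} | Format-Table -AutoSize
```

Re-run the script after SmarterMail has produced the first PFX files: the HTTP bindings and ACL are idempotent, and the HTTPS loop will add bindings for the hostnames whose PFX has appeared since the previous run. Keep the account used for the store limited to this directory; it needs no other rights on the server.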

Feedback

Just noting that the free win-acme tool for Let's Encrypt can also save a PFX file to the path you specify each time it renews. You can then point protocols like POP and SMTP to this PFX file, and then all of the server's SSL stuff (both web and email protocols) is renewed automatically and for free.
josh levine (4/30/2024 at 12:09 PM)