This reference covers SSL/TLS deployment, troubleshooting, and certificate management for SmarterMail on Linux.
Automatic SSL Certificates on a New SmarterMail Server
Prerequisites
Public DNS: mail.yourdomain.com (or your chosen hostname) must resolve to the server's public IP.
Ports Open: 80 (HTTP) & 443 (HTTPS) reachable from the Internet.
Privileges: sudo access on the server.
Install SmarterMail
wget https://downloads.smartertools.com/smartermail/100.0.9245/smartermail_9245
chmod +x smartermail_9245
sudo ./smartermail_9245 install
Choose the built‑in web server unless your ISP blocks 443.
Initial Configuration
Log in as System Administrator.
Navigate to Settings > General and set the Primary Host Name (e.g. mail.yourdomain.com).

Go to Settings > SSL Certificates > Options.
Enable Automatic Certificates.
If the DNS records are correct, certificates appear in Automatic Certificates and then in Certificates with status Active.

Bind the certs:
Go to Settings > Bindings > Ports and edit each service (SMTP, IMAP, POP, HTTPS).

For Certificate Path use, for example:
/var/lib/smartermail/Certificates/mail.yourdomain.com.pfx
Clear the password field if the file is unprotected.
Note: You should be able to see the certificates in the Certificates directory once you generate the automatic certificates.
Additional Note:
To ensure proper SSL coverage for all relevant services (e.g., mail, autodiscover, etc.), it's essential to add hostnames corresponding to the services you want to be secured by automatic SSL certificates. These hostnames should match those used in your DNS records (e.g., autodiscover.yourdomain.com), so that the automatic SSL certificate generation covers all necessary services.
By properly adding these hostnames, you ensure that all traffic—whether for mail services or webmail—gets secured with the appropriate SSL certificates automatically generated by SmarterMail.
At this point SmarterMail is serving mail and webmail over TLS.
Troubleshooting Automatic SSL Certificates
Webserver not detected (yet) or Could not bind generated cert...
These messages may indicate that SmarterMail is having trouble binding the generated certificate. Ensure that the SmarterMail service has the necessary permissions and that no other services are interfering with the binding process.
ACME: AcmeRequestException or Domain validation failed
These errors suggest that the ACME challenge failed. To resolve:
- Ensure that the hostname points to your server with a valid public A record.
- Port 80 must be open and reachable externally. Use tools like curl or external HTTP checkers to confirm access.
- Temporarily stop any services (e.g., Nginx, Apache, Certbot) that might be using port 80 during the validation process.
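To see what is holding port 80 before retrying validation, the listener table can be filtered for exactly that port. This is an added example, not SmarterMail tooling; the function name `port_listeners`, the process name `MailService` and the sample `ss` lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list processes listening on a TCP port, skipping one expected name.
# Reads `ss -Htlnp` output on stdin. On a live host:
#   sudo ss -Htlnp | port_listeners 80 MailService
# "MailService" is an assumed name for the SmarterMail process; confirm it with ss.
port_listeners() {
  local port=$1 expected=${2:-}
  awk -v port="$port" -v expected="$expected" '
  {
    # The first field containing ":" is the local address (IPv4, [IPv6] or *).
    addr = ""
    for (i = 1; i <= NF; i++) if ($i ~ /:/) { addr = $i; break }
    n = split(addr, parts, ":")
    if (n < 2 || parts[n] != port) next     # exact match, so 8080 never counts as 80
    rest = $0
    # Each owner appears as ("name",pid=N,fd=M) inside users:(...)
    while (match(rest, /"[^"]+",pid=[0-9]+/)) {
      tok  = substr(rest, RSTART, RLENGTH)
      rest = substr(rest, RSTART + RLENGTH)
      split(tok, q, "\"")
      pid = tok; sub(/.*pid=/, "", pid)
      if (q[2] != expected) print q[2], pid, addr
    }
  }' | sort -u
}

# Constructed sample of `ss -Htlnp` output (not captured from a real server).
sample_ss() {
  cat <<'EOF'
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=812,fd=6),("nginx",pid=811,fd=6))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=900,fd=5))
LISTEN 0 512 *:443 *:* users:(("MailService",pid=1200,fd=201))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=812,fd=7))
EOF
}
```

Each output line is `name pid local-address`; an empty result means only the expected process, or nothing, is bound to the port.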
Certificate is in .pem format not .pfx
On Linux, run this command to convert your .pem file to a .pfx file:
Convert PEM → PFX
openssl pkcs12 -export -out mail.example.com.pfx \
-inkey privkey.pem -in cert.pem -certfile chain.pem
mail.example.com.pfx – desired output name.
privkey.pem – private key.
cert.pem – server certificate.
chain.pem – CA chain / intermediates.
Upload the resulting *.pfx via Settings > SSL Certificates > Certificates > Upload.
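A key that does not belong to the certificate, or a password that does not open the file, only shows up after upload, so both can be checked around the conversion. This is an added example, not part of the original article or of SmarterMail; the function name `pem_to_pfx` and the password-file argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example: build a PFX only if the private key matches the certificate,
# then re-open the PFX with the same password to prove it loads.
# Usage: pem_to_pfx privkey.pem cert.pem chain.pem mail.example.com.pfx passfile
# passfile is a hypothetical file holding the export password on its first line.
pem_to_pfx() {
  local key=$1 cert=$2 chain=$3 out=$4 passfile=$5
  local key_pub cert_pub

  # Derive the public key from each side; the two must be identical.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot read key: $key" >&2; return 2; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "cannot read cert: $cert" >&2; return 2; }
  if [ "$key_pub" != "$cert_pub" ]; then
    echo "private key does not match certificate" >&2
    return 3
  fi

  # The PFX contains the private key: create it readable by the owner only.
  ( umask 077
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
      -certfile "$chain" -passout "file:$passfile" ) || return 4

  # Round trip: a wrong password or damaged file fails here, before the upload.
  openssl pkcs12 -in "$out" -passin "file:$passfile" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}
```

On success the function prints the subject and expiry date of the certificate inside the new PFX.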
Integrating Existing SSL Certificates with Automatic Certificates
1. Convert to PFX if needed (see Convert PEM → PFX in the Troubleshooting section).
2. Upload the PFX (Settings > SSL Certificates > Certificates > Upload) and enter its password when prompted.
3. Ownership & Permissions (usually handled by upload):
sudo chown smartermail:smartermail /var/lib/smartermail/Certificates/mail.example.com.pfx
sudo chmod 640 /var/lib/smartermail/Certificates/mail.example.com.pfx
4. Disable the auto-generated certificate for covered domains: SmarterMail will attempt to auto-generate SSL certificates for all domains it detects. After uploading your PFX file and verifying it appears under Settings > SSL Certificates, go to the Automatic Certificates tab. Locate the domain and disable the automatically generated certificate. SmarterMail will then use your manually provided certificate instead.
Linux-Specific Notes for SNI in SmarterMail
SmarterMail supports Server Name Indication (SNI), allowing a single IP to present the correct certificate for each host name.
Certificate format – SmarterMail only accepts .pfx files. If you have a PEM bundle, convert it using the Convert PEM → PFX command in the Troubleshooting section.
Storage path – Place PFX files in: /var/lib/smartermail/Certificates/
Permissions – Give SmarterMail read access:
sudo chown smartermail:smartermail /var/lib/smartermail/Certificates/*.pfx
sudo chmod 640 /var/lib/smartermail/Certificates/*.pfx
Password handling – In the UI, the password field must exactly match the PFX password. Leave the field blank if the file is unprotected; a mismatch prevents the cert from loading.
Logs – Certificate/SNI events appear in Troubleshooting ▸ Logs ▸ Certificates or on‑disk at /var/lib/smartermail/Logs. Set the Certificates log level to Detailed to capture binding messages.

Once the PFX files are in place with correct permissions, SmarterMail automatically selects the right certificate based on the host name supplied during TLS negotiation.
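SNI selection only helps if the certificate in each PFX actually names the hosts clients will ask for, which can be checked against the file itself. This is an added example, not SmarterMail code; the function name `pfx_missing_hosts`, the password file and the host names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: report which host names a PFX's leaf certificate does NOT cover.
# Usage: pfx_missing_hosts mail.example.com.pfx passfile \
#            mail.example.com autodiscover.example.com
# passfile is a hypothetical file holding the PFX password on its first line.
# Prints one uncovered name per line; returns 0 only when every name is covered.
pfx_missing_hosts() {
  local pfx=$1 passfile=$2; shift 2
  local leaf host missing=0

  leaf=$(openssl pkcs12 -in "$pfx" -passin "file:$passfile" -clcerts -nokeys 2>/dev/null) \
    || { echo "cannot open $pfx (wrong password or not a PFX)" >&2; return 2; }

  # Refuse an expired certificate outright.
  printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null \
    || { echo "certificate in $pfx has expired" >&2; return 3; }

  for host in "$@"; do
    # -checkhost applies normal TLS name matching (SAN entries, wildcards).
    if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkhost "$host" \
         | grep -q 'does match certificate'; then
      echo "$host"
      missing=1
    fi
  done
  return "$missing"
}
```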
Configure SSL/TLS to Secure SmarterMail (Recap)
- Enable Automatic Certificates (Settings ▸ SSL Certificates ▸ Options).
- Bind the active certs to the required ports (SMTP 25/465/587, IMAP 143/993, POP 110/995, HTTPS 443).
- Firewall (UFW) Rules
sudo ufw allow 25/tcp # SMTP
sudo ufw allow 80/tcp # ACME HTTP‑01
sudo ufw allow 443/tcp # HTTPS / Webmail
Verify:
sudo ufw status
curl -I http://mail.yourdomain.com # should return HTTP 200/301
Manual Certs: Always upload via the UI; avoid dropping the cert directly in the path.
Quick Reference Commands
Convert .PEM > .PFX:
openssl pkcs12 -export -out mail.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
Fix Permissions:
sudo chown smartermail:smartermail /var/lib/smartermail/Certificates/*.pfx && sudo chmod 640 /var/lib/smartermail/Certificates/*.pfx
Check Ports:
ss -tulpn | grep -E ':(80|443)[[:space:]]' # exact ports only; does not match 8080 or 4430