
SSL Certificates

SmarterMail gives system administrators the ability to manage the SSL certs assigned to various domains that are being hosted by SmarterMail by navigating to Settings -> SSL Certificates.

Certificates can be acquired from any qualified Certifying Authority (e.g., Digicert) then manually added to a SmarterMail domain. In cases like this, where administrators acquire SSL certs outside of SmarterMail, those certificates are displayed on the Certificates tab.

Certificates can also be automatically generated by SmarterMail using the included Certifying Authority(-ies), such as Let's Encrypt. This is, by far, the simplest way to manage SSL for SmarterMail domains as it's all contained within SmarterMail. Automated certificates can be found on the Automatic Certificates tab.

NOTE: In order to use SmarterMail's automatic certificates, a few things need to be understood:

  • Hostnames MUST be pointed at the SmarterMail server using an A record in DNS.
  • Hostnames must use routable, top-level domains (i.e., not local domains, etc.).
  • HTTP binding MUST be present in IIS and configured to land on the SmarterMail web interface.
  • Nothing can intercept HTTP requests on any hostname. This includes having something like a Certify the Web/Let's Encrypt installation or proxy. If these are installed or proxied, they must be removed prior to using SmarterMail's automatic certificates.
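
A pre-flight check for the first three requirements above, as an added example (not SmarterMail code). It builds each hostname from the default prefixes named on this page, checks that its A records point at the server, that none are private or loopback addresses, and that TCP port 80 answers. The function names, the optional -DnsServer parameter, and the sample domain and IP are assumptions.

```powershell
# Added example: pre-flight check for the automatic-certificate requirements.
function Test-PrivateIPv4 ([string]$Ip) {
    # True for loopback, link-local and RFC 1918 addresses, which a public CA cannot reach.
    $b = ([ipaddress]$Ip).GetAddressBytes()
    ($b[0] -eq 10) -or ($b[0] -eq 127) -or ($b[0] -eq 192 -and $b[1] -eq 168) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Test-AutoCertHostname {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [Parameter(Mandatory)][string]$ServerPublicIp,             # public IP of the SmarterMail server
        [string[]]$Prefix = @('autodiscover', 'mail', 'webmail'),  # default prefixes listed on this page
        [string]$DnsServer                                         # optional: query a public resolver
    )
    foreach ($d in $Domain) {
        foreach ($p in $Prefix) {
            $fqdn = "$p.$d"
            $dns  = @{ Name = $fqdn; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
            if ($DnsServer) { $dns.Server = $DnsServer }
            $a = @(Resolve-DnsName @dns | Where-Object { $_.Type -eq 'A' } |
                   ForEach-Object { $_.IPAddress })
            # Only probe port 80 when the name resolves at all.
            $open = ($a.Count -gt 0) -and (Test-NetConnection -ComputerName $fqdn -Port 80 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue)
            [pscustomobject]@{
                Hostname         = $fqdn
                ARecords         = $a -join ', '
                PointsAtServer   = ($a.Count -gt 0) -and (@($a | Where-Object { $_ -ne $ServerPublicIp }).Count -eq 0)
                PubliclyRoutable = ($a.Count -gt 0) -and (@($a | Where-Object { Test-PrivateIPv4 $_ }).Count -eq 0)
                Port80Open       = $open
            }
        }
    }
}

# Placeholder domain and documentation-range IP; substitute your own values.
Test-AutoCertHostname -Domain 'example.com' -ServerPublicIp '203.0.113.10' | Format-Table -AutoSize
```

Run it from a machine outside the mail server's network: an internal resolver or hairpin NAT can make a hostname look reachable when it is not reachable from the internet. An open port 80 does not show that the request reaches the SmarterMail web interface rather than a proxy, so the IIS binding still needs to be confirmed separately.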

When accessing SSL Certificates, the following tabs are available, and each tab has its own cards/details:

Regarding Port Bindings

When adding or modifying ports (on the Ports tab over at Settings > Bindings), one thing asked for is an Encryption type. If SSL or TLS is selected, SmarterMail asks for a Certificate Path and Password. Even when using this page to manage SSL Certificates, those fields are still required. This is because some clients do NOT support SNI. For this reason an administrator will need to add a certificate to act as a fallback to each SSL/TLS Port binding in order for SmarterMail to listen for TLS connections. It can be the same certificate for each port, however.

Options

The Options area contains the following cards:

Options

This card consists of basic options for SSL Certificates. These include:

  • Certificate Folder Path - This is the path on the server where SmarterMail SSL certificates are stored. By default, this is c:\SmarterMail\Certificates.
  • Certificate Password (if any) - The password used to encrypt the certificate store folder to add additional at-rest security, or the password associated to any existing certificates that are added to the certificates folder that the system administrator wants SmarterMail to read. NOTE: This password should match the one configured in the centralized certificate store in IIS. If a password is not necessary, this can be left blank.
  • Enable Automatic Certificates - This toggle will enable SmarterMail to generate SSL certificates automatically for domains that are added. Enabling this will display the cards detailed below.

Automatic Certificates

When automatic certificates are enabled, it's up to the system administrator to not only select the certificate provider, but also make/edit some existing settings to ensure certificates are issued properly.

  • Certificate Authority - The company issuing the SSL certificate.
  • Email Address for Certificate Notifications - Most certifying authorities require an email address for any notifications regarding certificates. This can be a generic address.
  • Hostname prefixes (one per line) - These are the prefixes covered by the issued SSL certificate. By default, "autodiscover", "mail" and "webmail" are provided. If other prefixes are used, such as "POP" or "SMTP", they will need to be added manually. (NOTE: If a prefix is listed, but is not used, it will not be sent to the Certifying Authority.)
  • Terms of Service - A link is provided to the terms of service of the Certificate Authority that's selected.

Certificate CSR

When certificates are issued, they're issued to a particular organization. This section lists the organizational information requested for the Certifying Authority. We default some information, but it can be edited as needed.

  • Organization - The name of the organization requesting the certificate.
  • Organization Unit - The particular unit/department within the Organization requesting the certificate. (This can match the Organization.)
  • City - The city that corresponds to the Organization.
  • State / Province - The state or province that corresponds to the Organization.
  • Country - The country that corresponds to the Organization.

Certificates

This tab lists any certificates that reside in SmarterMail's Certificates Folder that were NOT automatically generated by SmarterMail. These are generally pre-existing certs that were already in the certificates folder or that were placed there after being manually generated or generated outside of SmarterMail. (NOTE: Any certificate added or uploaded to the Certificates Folder MUST be a .PFX file type.) Each certificate is displayed with the following information:

  • File Name - The actual file name of the certificate.
  • Hostnames - The hostname(s) associated to the certificate.
  • Expires - The expiration date of the certificate.
  • Renews - The renewal date of the certificate, which is generally 30 days prior to the Expires date.
  • Status - Generally, this will display Active if the SSL certificate is being read successfully by SmarterMail. However, another status may be listed: for example, if the certificate is invalid due to an incorrect password, or if one or more hostname(s) associated to the certificate can't be reached via the internet.
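
The same columns can be produced outside the web interface, for example to alert on upcoming expiry. The following is an added example, not SmarterMail code: it opens every .PFX file in the certificates folder with one shared password and reports file name, hostnames, expiry, a renewal date 30 days earlier, and a status. The function name is an assumption, and the status strings only approximate the ones SmarterMail shows.

```powershell
# Added example: inventory of the .PFX files in the certificates folder.
# Requires PowerShell on Windows with .NET Framework 4.7.2 or later (EphemeralKeySet).
function Get-PfxInventory {
    param(
        [string]$Folder = 'C:\SmarterMail\Certificates',   # default path given on this page
        [securestring]$Password = [securestring]::new(),   # empty = no password
        [int]$RenewDaysBeforeExpiry = 30
    )
    $x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    # EphemeralKeySet keeps the private key in memory instead of persisting it to a key container.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $now   = Get-Date

    foreach ($file in Get-ChildItem -Path $Folder -Filter '*.pfx' -File) {
        $row = [ordered]@{ FileName = $file.Name; Hostnames = $null; Expires = $null; Renews = $null; Status = $null }
        try {
            $cert = $x509::new($file.FullName, $Password, $flags)
        } catch {
            $ex = $_.Exception
            while ($ex.InnerException) { $ex = $ex.InnerException }
            # Windows reports a wrong PFX password as ERROR_INVALID_PASSWORD (0x80070056).
            $row.Status = if ($ex.HResult -eq -2147024810) { 'Invalid password' } else { 'File cannot be loaded' }
            [pscustomobject]$row
            continue
        }
        try {
            $row.Hostnames = $cert.DnsNameList.Unicode -join ', '
            $row.Expires   = $cert.NotAfter
            $row.Renews    = $cert.NotAfter.AddDays(-$RenewDaysBeforeExpiry)
            if     (-not $cert.HasPrivateKey) { $row.Status = 'No private key' }
            elseif ($cert.NotAfter -lt $now)  { $row.Status = 'Expired' }
            elseif ($row.Renews -lt $now)     { $row.Status = 'Renewal due' }
            else                              { $row.Status = 'Loaded' }
        } finally {
            $cert.Dispose()   # release the in-memory private key
        }
        [pscustomobject]$row
    }
}

$pw = Read-Host -Prompt 'PFX password (press Enter for none)' -AsSecureString
Get-PfxInventory -Password $pw | Format-Table -AutoSize
```

A file that reports "Invalid password" here was exported with a different password from the rest of the folder.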

Uploading Certificates

On the Certificates tab, it's possible to add new certificates to SmarterMail simply using the Upload button. NOTE: Only .PFX files can be uploaded.

  1. Click the Upload button, and a modal will open.
  2. Use the Choose File button to find, and select, the .PFX file you want to upload.
  3. Add the password associated to the file, if one was added. If you get an error, you can try leaving this field blank.
  4. Click the Next button. Ideally, you'll get the message that "Your certificate has been verified. The certificate can be used for the hostnames below:" and you'll see your hostname and the expiration date of your certificate. If errors occur, they will be displayed instead, so you can troubleshoot the issue.

Alternatively, you can manually drop .PFX files into SmarterMail's Certificates folder and they will appear on the Certificates tab. If you have your own cert generation app (certbot, certifytheweb, etc.), you can configure it to export to SmarterMail's Certificates folder and SmarterMail should immediately pick up the new certs as long as you use a consistent (or no) password on them.

Removing Certificates

In order to remove a certificate (either custom certificates or automated certificates), once the domain(s) served by the certificate are handled as necessary, a system administrator simply needs to remove the associated .PFX file from the Certificates folder (by default, C:\SmarterMail\Certificates). Once that's done, SmarterMail will update the certificates list and that certificate will no longer be present.

Automatic Certificates

This tab lists the certificates that have been automatically generated by SmarterMail using the Certifying Authority selected on the Options tab. Similar to the Certificates tab, some information is available on the page, including:

  • Hostnames - The hostname(s) associated to the certificate.
  • Expires - The expiration date of the certificate.
  • Renews - The renewal date of the certificate, which is generally 30 days prior to the Expires date.
  • Status - Generally, this will display Active if the SSL certificate is being read successfully by SmarterMail. However, another status may be listed: for example, if the certificate is invalid due to an incorrect password, or if one or more hostname(s) associated to the certificate can't be reached via the internet.

Status Codes

The status of a certificate varies depending on whether the cert is Active or has issues. SmarterTools makes the status codes as verbose as possible so you know exactly what an issue is. Below are the various short and long descriptions (where applicable) for each:

  • Disabled - The certificate was disabled by a system administrator.
  • Active - Certificate was generated and is working properly.
  • Certificate was generated but has binding errors - Certificate was generated but could not be bound to the web interface.
  • Certificate has been deactivated - Certificate has been deactivated. Please generate a new one.
  • Certificate has expired - Certificate has expired. Please generate a new one.
  • Domain validation has failed - Domain validation has failed. Please ensure that the hostname is accessible through HTTP from the internet.
  • Inaccessible through HTTP - The hostname for this site is not bound to this SmarterMail instance when navigating to it through HTTP. This is necessary to verify ownership for the certificate.
  • Domain validation is pending - Domain validation is pending. This may take a few minutes.
  • Certificate has been revoked - Certificate has been revoked. Please generate a new one.
  • Generating certificate - Domain validation has completed and your certificate will be generated shortly.
  • Certificate has no private key
  • Invalid Password - Certificate cannot be loaded with password provided
  • Certificate file cannot be loaded

If there are issues binding the cert to IIS, one of the following statuses is displayed:

  • Another site is already bound to the same hostname, so SmarterMail cannot automatically add the binding.
  • Automatic binding is not supported on this server operating system.
  • An error occurred applying the website binding. Refer to the administrative log file for more information.
  • Cannot find the website that is bound to your MRS folder.
  • Cannot find the MRS folder in your installation path.