Set a TLS certificate on your SmarterMail Server
The instructions are written specifically for SmarterMail 17 but should work for all versions. We have used these instructions since version 10 of SmarterMail.
The instructions below use the free certificate program Let's Encrypt. You can use any certificate you wish, but Let's Encrypt is our preferred option as it allows us to keep our costs down. The only downside is that we have to do these steps four to five times per year rather than just once, because the certificates expire every 3 months. We normally renew ours between two and three months to avoid any downtime.
We use a tool called Certify the web that handles the process of getting your Let's Encrypt TLS certificate. We won't go into detail on that in this article. If you are using this for only one domain you can get away without paying for the software. We are using it for one domain but have paid, as it helps the author keep the software current and rewards them for their hard work.
Creating the Certificate
Note: These steps "assume" you have already set up your certificate.
- Run the Certify the web (UI).
- Click on your domainname and click on Request Certificate. This will pull the latest certificate for your domainname.com.
- Once you get green text (i.e., no red text) saying that the certificate is active, you can proceed to the next step.
Exporting the Certificate
- Note: Make certain you have the latest possible certificate before continuing.
- Click on Start and type in mmc and press enter.
- Click on Yes to load Microsoft Management Console.
- Click on File and choose Add/Remove Snap-in....
- Select Certificates and click on Add >.
- Choose Computer account and click on Next >.
- Choose Local computer: (the computer this console is running on) and click on Finish.
- Click OK in the bottom right of the window.
- Double-click on Certificates (Local Computer).
- Double-click on Personal.
- Click on Certificates.
- Note: You will have one or more certificates listed here. If you have more than one click on the Expiration Date so that the newest date (about 3 months from the date you are doing this) shows at the top.
- Right-click on the domain you wish to export for your mail server.
- Click on All Tasks > and choose Export....
- Click on Next.
- Choose Yes, export the private key and click on Next.
- Choose Personal Information Exchange - PKCS #12 (.PFX) which should be your only option at the main level.
- Click on the checkbox of Include all certificates in the certification path if possible.
- Click on the checkbox of Export all extended properties.
- Click on the checkbox of Enable certificate privacy.
- You should now have THREE check boxes selected.
- Click on Next.
- Check the box Password:.
- Enter your Password:.
- Note: Make this password complex but remember it as you will need this when you are doing the SmarterMail steps.
- Enter your Confirm Password:.
- Make the Encryption TripleDES-SHA1.
- Click on Next.
- Choose the location of the certificate. We install ours as C:\Certs\domainname.pfx.
- Click on Next.
- You will now have a confirmation screen. Verify the information is correct and then click the Finish button.
- Log into your SmarterMail installation as the administrator.
- Click on the Gear icon.
- Click on Bindings from the left side menu.
- You will want to configure the following ports:
- SMTP (Port 25)
- POP (Port 110)
- IMAP (Port 143)
- LDAP (Port 389)
- SMTP TLS (Port 465)
- Submission TLS (Port 587)
- IMAP TLS (Port 993)
- XMPP Client Port (Port 5222)
- Within each port you will choose:
- Encryption type of TLS.
- Certificate Path * to Name/Location you exported to (e.g., C:\Certs\domainname.pfx).
- Enter the Password you used for the export.
- Click the Save button.
- [ Repeat the steps for each of the protocols ]
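The MMC export under Exporting the Certificate can also be scripted, which helps when the renewal comes around every few months. This PowerShell sketch is an added example, not part of the original instructions; it covers the certificate selection, chain, password and encryption choices, and the domain name and output path are the article's placeholders.

```powershell
# Added example: scripted version of the MMC export steps (run elevated).
$Domain  = 'domainname.com'            # placeholder from the article
$PfxPath = 'C:\Certs\domainname.pfx'   # export location used in the article

# Pick the newest certificate for the domain that has a private key,
# mirroring "sort by Expiration Date so the newest date is at the top".
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $Domain) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key found for $Domain in LocalMachine\My"
}

# Guard against exporting a stale certificate by mistake.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Newest certificate expires $($cert.NotAfter); request a fresh one first."
}

# Prompt for the PFX password so it is never stored in the script.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# -ChainOption BuildChain matches "Include all certificates in the
# certification path if possible".
# -CryptoAlgorithmOption needs Windows Server 2019 / Windows 10 1809 or later;
# on older systems omit it, TripleDES_SHA1 is the default there.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password `
    -ChainOption BuildChain -CryptoAlgorithmOption TripleDES_SHA1 | Out-Null

'Exported {0} (expires {1:yyyy-MM-dd}) to {2}' -f $cert.Thumbprint, $cert.NotAfter, $PfxPath
```

Note the thumbprint it prints; it identifies the certificate that every SmarterMail binding should be serving afterwards.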
Testing of your SmarterMail Certificate
The steps below are going to be more vague rather than step-by-step as they utilize another website to test and validate the certificate. The test uses the site https://www.checktls.com/ as the validator for the TLS certificate.
- Navigate your web browser to https://www.checktls.com/.
- Look for a section that, at the time of writing, is called Check How You Get Email (Receiver Test) FREE. At present this is about one full screen down on the left side.
- Enter your domainname.com and click the button that says Check It.
- Note: You are looking for a Confidence Factor: that is 100. If the number is 100 then your TLS certificate and SmarterMail are working correctly. If the amount is lower than 100 you should click on Show Detail to see what the system is detecting as incorrect for your TLS certificate.
- Navigate your web browser to https://www.ssllabs.com/ssltest/.
- In the Hostname: enter in your mail server domain name.
- This test can take several minutes. Let it run its course.
- Note 1: You can check the box to not keep track of the results.
- Note 2: You should strive for a "grade" that is either B-, B, B+, A-, A, or A+. The only reason you would have a B rating is if you are still supporting TLS 1.0, which most mail servers will still support.
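A local check that complements the two online tests: the PowerShell below connects to the implicit-TLS bindings from the port list (465 and 993) and reports which certificate each one actually serves and which protocol version was negotiated. It is an added example, not part of the original article, and the host name is a placeholder.

```powershell
# Added example, not part of the original article.
$MailHost = 'mail.domainname.com'   # placeholder: your mail server's host name
$Ports    = 465, 993                # implicit-TLS bindings from the port list

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever the server presents so an expired or mismatched
        # certificate is reported below instead of aborting the handshake.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                $ssl.RemoteCertificate)
            [pscustomobject]@{
                Port       = $Port
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
                Protocol   = $ssl.SslProtocol   # negotiated TLS version
                ChainValid = $cert.Verify()     # basic chain validation on this machine
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

$Ports |
    ForEach-Object { Get-ServedCertificate -HostName $MailHost -Port $_ } |
    Format-Table -AutoSize
```

If a port still shows an old thumbprint or a short DaysLeft after a renewal, that binding is still pointing at a previous .pfx export.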