Securing SmarterMail via SSL/TLS (8.x to 15.4)

Securing SmarterMail via SSL/TLS

This article applies to SmarterMail 8.x - 15.4 and Dedicated Server Customers
NOTE: Due to the older TLS protocols being disabled and most mail clients will no longer support these older protocols, if you are on SmarterMail 8.x to 15.4 please contact our support team to either help identify your version and if you are on the older versions you will need to discuss the possibility of migrating to a newer server. Full support for these older versions of SmarterMail will no longer be available with in the future.
SSL/TLS are security protocols that allow data being transmitted to be encrypted. With SSL/TLS encryption users can access email through a third-party email clients without fearing that someone has intercepted their data. SSL will encrypt the connection immediately upon connection. TLS will encrypt once the STARTTLS command is sent. TLS uses ports 25, 110, 143 and SSL requires ports 465, 993, and 995.
If you are a dedicated server customer, you may do this yourself. If you are a shared hosting customer, you must request that this be configured for you by contacting our support team.
Prior to configuring SmarterMail to be secured over SSL or TLS, the SSL certificate installed on the server must first be exported to a Base-64 Encoded certificate that SmarterMail can read. If an SSL certificate is not yet installed on  the domain, see How to Create and Install an SSL Certificate. One SSL certificate can be used to secure all the mail on the SmarterMail server.
Follow these steps to export your SSL certificate to a Base-64 encoded certificate file:
  1. Log into your dedicated server using Remote Desktop.
  2. Type Windows key + R.
  3. Type mmc.exe and press Enter.
  4. Select File > Add\Remove Snap in....
  5. Select Certificates and click the Add> icon.

    Add Certificate Snap-in
  6. Select Computer account then Next.
  7. Verify Local computer is selected and click Finish.
  8. Click OK.
  9. In the Console Root expand Certificates (Local Computer), expand Personal, and choose Certificates.
  10. Right click the certificate in which you wish to export click  All Tasks > Export.

    Export Certificate
  11. In the Certificate Export Wizard, click Next.
  12. Choose No, do not export the private key > Next.
  13. Choose the Base-64 encoded X509 (.CER) file > Next.
  14. Click Browse to choose a location to save the certificate to like C:\SmarterMail\Certificates\<SiteName> - Name the certificate, click Save.
  15. Click Finish. Click OK.
Add a port to listen over SSL or TLS
  1. Copy the path to your certificate to the clipboard or notepad.
  2. Log into the SmarterMail server using one of the methods below.
    1. Open a browser and type the IP address of the server with :9998 appended to the end and use admin and the server's password to log in.
    2. Using the Control Suite, right click on the SmarterMail server to Log in as Admin.
  3. Click the Settings icon.
  4. Expand Bindings, click Ports.
  5. Click New in the content pane toolbar.
  6. Select the protocol you are wanting to encrypt - SMTP for sending mail, POP or IMAP for retrieving mail.
  7. Choose SSL or TLS. TLS is the newer, preferred protocol.
  8. Name the port, leave the default port number as is.
  9. In the Certificate Path paste the path to the certificate you exported.
  10. Fill out a Description if desired.

    SmarterMail Bindings Ports
  11. Click Verify Certificate to ensure the certificate exists in the specified path.
  12. Click Save.
  13. Repeat for the other protocols you’d like to transmit securely.
Add the Ports SmarterMail Should Listen On to the Dedicated IP Address
Once you have added SSL to a port, you can follow the instructions below to add the port to listen on an IP:
  1. Within SmarterMail, click the Settings icon.
  2. Expand Bindings click IP Addresses.
  3. Select desired IP address and click Edit.

    SmarterMail Bindings IP Addresses
  4. Use the checkboxes to select the port(s) you would like the IP address to listen on.

    SmarterMail Port Listing
  5. Click Save.
Note, SMTP (25) must remain open for mail servers to communicate with one another. If you want to give your email users the option to send and receive their mail in an unencrypted format, POP (110) and IMAP (143) can also be open.
NOTE: For these changes to take effect, the SmarterMail service must be completely stopped then restarted.
Restart SmarterMail Service
  1. On the dedicated server press the Windows key + R > type services.
  2. Locate and right click on SmarterMail Service click Stop.
  3. Once it has finished stopping the service, right click on it and choose Start.

Set Domain to Use TLS Authentication 
  1. Within SmarterMail, select the domain that should be using encryption. Click Edit.
  2. Choose the Technical tab.
  3. In the TLS field, choose the drop down and select Enabled.

    SmarterMail TLS Authentication
Verify mail can be sent and received using TLS -
Please Note: The information below is for ADVANCED USERS ONLY and we will not support any issues with these steps:
Alternatively to check that your TLS/SSL connection is good to go you can run the following commands on a Linux server or MacOSX that has OpenSSL installed:
SMTP: openssl s_client -starttls smtp -crlf -connect <insert mail serve hostname or domain name>:25
POP3: openssl s_client -starttls pop3 -crlf -connect <insert mail serve hostname or domain name>:110
IMAP: openssl s_client -starttls imap -crlf -connect <insert mail serve hostname or domain name>:143
Remember to have your mail users configure Outlook, Thunderbird, or other email client to send and receive using encryption.

Add Feedback