Securing SmarterMail via SSL/TLS


SSL/TLS are security protocols that encrypt data in transit. With SSL/TLS encryption, users can access email through third-party email clients without fearing that someone has intercepted their data. SSL encrypts the connection immediately upon connection. TLS encrypts once the STARTTLS command is sent. TLS uses ports 25, 110, and 143; SSL requires ports 465, 993, and 995.
 
This article applies to SmarterMail 8.x - 12.x and Dedicated Server Customers
 
If you are a dedicated server customer, you may do this yourself. If you are a shared hosting customer, you must request that this be configured for you by contacting our support team.
 
Before SmarterMail can be secured over SSL or TLS, the SSL certificate installed on the server must first be exported to a Base-64 encoded certificate file that SmarterMail can read. If an SSL certificate is not yet installed on the domain, see How to Create and Install an SSL Certificate. One SSL certificate can be used to secure all the mail on the SmarterMail server.
 
Follow these steps to export your SSL certificate to a Base-64 encoded certificate file:
  1. Log into your dedicated server using Remote Desktop.
  2. Type Windows key + R.
  3. Type mmc.exe and press Enter.
  4. Select File > Add/Remove Snap-in....
  5. Select Certificates and click the Add> icon.

    Add Certificate Snap-in
     
  6. Select Computer account then Next.
  7. Verify Local computer is selected and click Finish.
  8. Click OK.
  9. In the Console Root expand Certificates (Local Computer), expand Personal, and choose Certificates.
  10. Right-click the certificate you wish to export and click All Tasks > Export.

    Export Certificate
     
  11. In the Certificate Export Wizard, click Next.
  12. Choose No, do not export the private key > Next.
  13. Choose the Base-64 encoded X509 (.CER) file > Next.
  14. Click Browse to choose a location to save the certificate to, such as C:\SmarterMail\Certificates\<SiteName>. Name the certificate and click Save.
  15. Click Finish. Click OK.
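
An added sanity check for the file produced by the steps above (example code, not part of SmarterMail or the original article): it confirms the export is Base-64 text containing a CERTIFICATE block and that no private key was included. The function names and the sample data are constructed for illustration; the sample body is a placeholder, not a real certificate.

```python
import base64
import re

# PEM armor: -----BEGIN <LABEL>----- ... -----END <LABEL>-----
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def check_exported_cert(data: bytes) -> list:
    """Return a list of problems with an exported certificate file (empty list = OK)."""
    # DER and PFX exports are binary ASN.1 and begin with the SEQUENCE tag 0x30.
    if data[:1] == b"\x30":
        return ["binary (DER or PFX) file, not a Base-64 encoded export"]
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["not ASCII text, so not a Base-64 encoded export"]
    blocks = PEM_BLOCK.findall(text)
    problems = []
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("file contains a private key block")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block found")
    for body in certs:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("CERTIFICATE block is not valid Base-64")
            continue
        # An X.509 certificate is an ASN.1 SEQUENCE, so the DER must start with 0x30.
        if der[:1] != b"\x30":
            problems.append("decoded CERTIFICATE is not an ASN.1 SEQUENCE")
    return problems


def make_sample_pem(label: str = "CERTIFICATE") -> bytes:
    """Constructed stand-in for an export: correct armor, placeholder DER body."""
    body = base64.encodebytes(b"\x30\x82\x01\x0a" + bytes(266)).decode("ascii")
    return f"-----BEGIN {label}-----\r\n{body}-----END {label}-----\r\n".encode("ascii")


if __name__ == "__main__":
    for name, blob in [("base64 export", make_sample_pem()),
                       ("binary export", b"\x30\x82\x01\x0a" + bytes(266)),
                       ("key included", make_sample_pem() + make_sample_pem("PRIVATE KEY"))]:
        print(name, "->", check_exported_cert(blob) or "OK")
```

To check a real export, pass the bytes of the saved .CER file to check_exported_cert; an empty list means the file has the expected shape.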
 
Add a port to listen over SSL or TLS
  1. Copy the path to your certificate to the clipboard or notepad.
  2. Log into the SmarterMail server using one of the methods below.
    1. Open a browser and type the IP address of the server with :9998 appended to the end and use admin and the server's password to log in.
    2. Using the @Managed.com Control Suite, right click on the SmarterMail server to Log in as Admin.
  3. Click the Settings icon.
  4. Expand Bindings, click Ports.
  5. Click New in the content pane toolbar.
  6. Select the protocol you want to encrypt: SMTP for sending mail, POP or IMAP for retrieving mail.
  7. Choose SSL or TLS. TLS is the newer, preferred protocol.
  8. Name the port and leave the default port number as is.
  9. In the Certificate Path paste the path to the certificate you exported.
  10. Fill out a Description if desired.

    SmarterMail Bindings Ports
     
  11. Click Verify Certificate to ensure the certificate exists in the specified path.
  12. Click Save.
  13. Repeat for the other protocols you’d like to transmit securely.
Add the Ports SmarterMail Should Listen On to the Dedicated IP Address
Once you have added SSL to a port, you can follow the instructions below to add the port to listen on an IP:
  1. Within SmarterMail, click the Settings icon.
  2. Expand Bindings and click IP Addresses.
  3. Select desired IP address and click Edit.

    SmarterMail Bindings IP Addresses
     
  4. Use the checkboxes to select the port(s) you would like the IP address to listen on.

    SmarterMail Port Listing
     
  5. Click Save.
Note, SMTP (25) must remain open for mail servers to communicate with one another. If you want to give your email users the option to send and receive their mail in an unencrypted format, POP (110) and IMAP (143) can also be open.
 
NOTE: For these changes to take effect, the SmarterMail service must be completely stopped then restarted.
Restart SmarterMail Service
  1. On the dedicated server press the Windows key + R > type services.
  2. Locate and right-click SmarterMail Service, then click Stop.
  3. Once it has finished stopping the service, right click on it and choose Start.

Set Domain to Use TLS Authentication 
  1. Within SmarterMail, select the domain that should be using encryption. Click Edit.
  2. Choose the Technical tab.
  3. In the TLS field, choose the drop down and select Enabled.

    SmarterMail TLS Authentication
 
Verify mail can be sent and received using TLS - http://www.checktls.com/
Remember to have your mail users configure Outlook, Thunderbird, or other email client to send and receive using encryption.
