Secure Protocols and Bindings

Problem reported by Harland Adelaars - 5/2/2024 at 2:40 AM

Submitted

When I inspect the bindings in the configuration, I notice that nothing is automatically enabled for secure connections. POP, IMAP, and SMTP are only available on the default ports without TLS or SSL.

Why isn't secure email configured by default upon installation? It's a necessity in today's digital landscape.

Additionally, when adding ports, we're required to manually select a certificate. Why isn't this process automated based on the connections made? SmarterMail already has access to information about created certificates, so it should utilize that data.

For example, if I connect to mail.domain1.com, it should automatically use the corresponding certificate, and the same principle should apply to other domain names.

6 Replies

Reply to Thread

Patrick Jeski Replied

5/2/2024 at 3:46 AM

You can edit each port and select SSL or TLS, the port number will change automatically if applicable.

If the client uses SNI, the correct cert should be chosen automatically. If the client doesn't use SNI, the cert you manually configured is the backup.

Kyle Kerst Replied

5/8/2024 at 10:40 AM

Employee Post

Hi Harland, I'd be happy to help clarify here. First, SSL/TLS isn't set up by default because it requires administrator involvement currently, and isn't necessary in all deployments. We have quite a few customers who use SmarterMail in an offline environment which won't even support SSL, so this is available as an option above and beyond the defaults.

As Patrick pointed out - the certificate selection you're doing in Settings>Bindings>Ports is a "fall-back" certificate in that this PFX will only be selected for STARTTLS/SSL IF a better certificate isn't found in the certificates directory as part of our SNI implementation. Usually I instruct customers to set this fallback cert as the system level hostname's SSL certificate so that if a client tries to connect on a domain that does not yet have SSL, they'll at least be able to continue the secure connectivity using your main hostname.

I hope that helps!

Kyle Kerst

Lead Internal Network/System Administrator

SmarterTools Inc.

smartertools.com

Dan Ritchey Replied

7/2/2024 at 1:55 PM

I'm trying to understand this myself.

So, if I'm using the automatic certificates, then I don't need to setup port bindings for SSL (IMAP/S, STMPS, etc.) because its all taken care of automagically in the background?

Patrick Jeski Replied

7/2/2024 at 2:05 PM

Yes you still do need to setup the cert in bindings. Non-SNI MX connections are common. And also, it doesn’t matter whether the cert are automatic or not, the feature still works.

Employee Replied

7/2/2024 at 2:33 PM

Employee Post

The cert setup in bindings is used as a last-resort, if we don't find a matching cert in the automatic certificates area (or its not configured) we will then use the one in bindings.

Like Patrick mentioned, sometimes during SMTP the server talking to us won't use SNI, so we have no way of knowing which cert should be used and thus it will use the one in bindings.

I could see the potential for moving away from the cert in bindings and then picking or adding a cert in the automatic area and then designate it as the "default", we'd be able to migrate this automatically for current installs.

Patrick Jeski Replied

7/2/2024 at 3:01 PM

Just to clarify, automatic certificates don’t have to be configured. I have this working fine with CertifyTheWeb placing my certs in the configured SmarterMail certificates folder, they are used for SNI.

Back to Community Threads

Please leave this box unchecked