Multiple SSL Certificates
Please include the ability to select/install SSL certificates on a per-domain or per-postoffice basis.
Currently when hosting multiple domains, either a generic domain and SSL certificate has to be used (one that is not descriptive of individual domains on the server), or all users have to use one domain to have SSL capability (thus they will know the main domain you are hosting). Being able to install multiple SSL certificates would enhance customization of individual domains/postoffices.
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: Multiple SSL Certificates
Hi,
You can find this option under "Post office IP bindings" located within the "localhost" properties under the "General" tab. Double click the IP address and bind post office, host name and SSL cert. Post office IP bindings is exclusive to Enterprise and Enterprise Premium versions.
Regards,
Ian Margarone
MailEnable Support
Re: Multiple SSL Certificates
Unfortunately, I was hoping there could be some resolver tied into the process to differentiate based on host-header for a given domain.
With the method you are suggesting, I would either need to map each different domain to a different IP address and then apply the certificates that way (which I don't have enough public IPs to accomplish), or I would need to put a reverse proxy between the firewall and the mail server that would be able to reverse-resolve the host header to various LAN IPs that I could multi-home to a single adapter.
More or less, I was hoping that something like the IIS implementation where multiple domains/certificates can be reached on one IP address could be achieved.
Please let me know if this ever becomes a solution.
Re: Multiple SSL Certificates
The problem lies a little deeper than MailEnable. A TLS/SSL enabled server cannot know the domain name used by the client to reach the server and thus cannot choose a certificate according to the domain name, except when the domain name is provided using the TLS SNI extensions. Without SNI, you are limited to a single certificate per TCP socket (IP:Port). Support for SNI in client software is not yet universal and using TCP ports other than the standard for a protocol causes more problems. So, you end up needing 1 public IP for each certificate to ensure best compatibility... The situation to be much the same in IIS.
Re: Multiple SSL Certificates
Any updates about this issue?
Does the new feature, SNI support for SMTP, IMAP, POP, maybe solve the problem?
Kind Regards
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: Multiple SSL Certificates
Hi,
10.19 5th October 2018
----------------------
ADD: SNI support for SMTP, IMAP, POP, etc
http://www.mailenable.com/Professional-ReleaseNotes.txt
Regards,
Ian Margarone
MailEnable Support
Re: Multiple SSL Certificates
Hi,
I already knew it! Thanks, but I haven't received any clear answer on the main topic, "Multiple SSL certificates", without using this method:
"Post office IP bindings" located within the "localhost" properties under the "General" tab. Double click the IP address and bind post office, host name and SSL cert.
Does SNI solve the issue, or is it only for IIS?
MailEnable-Ian wrote:Hi,
10.19 5th October 2018
----------------------
ADD: SNI support for SMTP, IMAP, POP, etc
http://www.mailenable.com/Professional-ReleaseNotes.txt
-
- Site Admin
- Posts: 1093
- Joined: Mon Jun 10, 2002 6:31 pm
- Location: Melbourne, Victoria, Australia
Re: Multiple SSL Certificates
Hi,
If SNI is enabled, then you don't need to select any certificate. The services will just look up the certificate for the domain the client requests in the Windows certificate store and try to use it. If a matching certificate cannot be found then it will fall back to using the one selected in the administration program. So it is a lot easier to use now, as you just have to install the certificate for the domain and it will be picked up - no need to restart the services either.
Re: Multiple SSL Certificates
Hi,
Thank you for your answer,
I've enabled SNI in the localhost SSL settings - "Use requested SSL certificate if possible for non IIS services (SNI)" - and left the default SSL as "NONE", but it did not work. I restarted all services as required. It gives a send/receive error in Outlook. Most probably it could not choose the right certificate. (I'm using my personal mail with *bungalow.eu configured with SSL in Outlook.)
I have 4 different SSL certificates set up for 4 different domains, e.g. *bungalow.eu, *parlclesetoiles.com, *resortnet.nl, etc. Only the default, "*bungalow.eu", worked; the other 3 could not be used.
As I understand it, the SNI function must be enabled and the default SSL left at NONE, and it will automatically take the right one.
I notice that in IIS it works: all 4 webmails with different domains work fine with https.
I really appreciate your effort and your help resolving this issue.
Kind Regards
Istvan Lokodi
System Administrator
Bungalow.Net
Admin wrote:Hi,
If SNI is enabled, then you don't need to select any certificate. The services will just look up the certificate for the domain the client requests in the Windows certificate store and try to use it. If a matching certificate cannot be found then it will fall back to using the one selected in the administration program. So it is a lot easier to use now, as you just have to install the certificate for the domain and it will be picked up - no need to restart the services either.
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: Multiple SSL Certificates
Hi,
Ensure you are running 10.20 as there were fixes to the SNI functionality.
Regards,
Ian Margarone
MailEnable Support
Re: Multiple SSL Certificates
Company Name: Bungalow.Net
Contact Name: Willem van der Wilden
Enterprise Edition: 10.20
MailEnable-Ian wrote:Hi,
Ensure you are running 10.20 as there were fixes to the SNI functionality.
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: Multiple SSL Certificates
Hi,
OK, so what is the exact error in Outlook when you send/receive? It shouldn't fail to connect and should only return a trust warning if the SSL certificate does not match the host name, therefore there is something else wrong. Perhaps you have not set the relevant permissions on the SSL certificates for the MailEnable service accounts. Please see: http://www.mailenable.com/kb/content/ar ... D=ME020479
Also please be aware that SNI will not work with wildcard SSL certificates.
Regards,
Ian Margarone
MailEnable Support
Re: Multiple SSL Certificates
Back to the topic,
I have some updates, but I am still facing some difficulties with the configuration.
Because "SNI will not work with wildcard SSL certificates", I decided to get 3 more public IP addresses and bind them separately.
1. IP 87.230.58.24 is pointed to .mail.bungalow.eu; I added the right postoffice and SSL certificate. It works fine in Outlook.
2. IP 87.230.58.162 is pointed to mail.resortnet.nl; I added the right postoffice and selected the SSL certificate. It does not work in Outlook: it fails at the test account settings. But the moment I change to the normal ports without encryption, 143 for IMAP and 25 for SMTP, the test works.
I hope somebody can help. Using and configuring certificates is getting more difficult.
We really need to add a separate certificate for each domain, and we prefer to use an SSL/TLS encrypted connection in Outlook.
We will have to solve this issue ASAP.
Thank you in advance,
Istvan Lokodi
Bungalow.Net
-
- Posts: 2
- Joined: Mon Sep 23, 2019 12:07 pm
Re: Multiple SSL Certificates
Hi Jan,
My client has this error code 0x800CCC0F. He checked: DNS resolution is working. What else may be blocking connectivity?
Thanks,
Stefan