As a long time user of SmarterMail (> 6 years) I have dreaded Security Certificate change over time. Normally I used Digicert, who have a simple application to help with the process but it is still a fiddle of exporting stuff from Windows Certificate Manager, sending to them, paying money, getting a response, importing certificates, setting it in IIS, setting it for Smartermail etc.
Last year I was offered a Comodo certificate on trial. It was meant to be a simple process with their automated systems. Long story cut short, much swearing & several hours later I managed to extract it, get a Digicert Certificate and get going again. It was one of those middle of the night server upgrades that you hope and pray wont still be happening when your clients wake up.
I run a lot of Linux servers. Over the last three or so years I’ve been using LetsEncrypt. For me it was a better option to have a certificate that was signed by a well known authenticator than to try to get people to accept self signed certificates. Prior to that I was using Digicert Certificates in Linux and having to do keys, signers, install intermediate certs etc etc. LetsEncrypt changed all that. One command line later and a rename of the new cert (example.com.cert-006 ) to the generic name (example.com.cert) and it was all done.
Seeing how easy it was under Linux I decided to try to get it going for IIS. Lets just say that I was still using Digicert last year. Like so many other open source projects, Windows is the poor cousin, and LetsEncrypt was no different.
I’m a glutton for punishment so I thought I would try LetsEncrypt on IIS this year – again!!. In my research I found this product: Win-Acme by PKISharp. The instructions were simple: download the product, unzip it into a folder, open a command prompt and run it. Hmm – even a dolt like me can do that – so I gave it a try.
Wow!!!! It works. I chose a simple install for a single domain name, accepted the terms and conditions and off it went. Cracking open a web browser confirmed the new certificate was in place and if the program is to be believed it has also installed a renewal task to run automatically.
Now for SmarterMail. For those who don’t know the product, SmarterMail is an Exchange alternative. You can get it to run its own web server, for admin and webmail, or use IIS. I’m using IIS as I have a busier commercial server. If it was just me then the inbuilt webserver is fine. The certificate I had just installed was for IIS but in order to get it working for secure mail services ( SMTPS, POPS and IMAPS ) I have to go into the admin panel and point each process at the certificate.
Step 1: Find where LetsEncrypt had stored the certificates.
In General if you look in c:\ProgramData you will find a LetsEncrypt sub folder, or if you use the Win-Acme, a winacme sub folder. If you keep carving down you will find a folder with the certificates in it (files ending in .pfx, .pem, crt.der )
Alternatively you can run the following command (
letsencrypt.exe --test --verbose ) In the output you will find the certificate store folder listed
[DBUG] Renewal period: 55 days
[VERB] Store renewals in file C:\ProgramData\win-acme\httpsacme-staging.api.letsencrypt.org\Renewals
The certificates are found in C:\ProgramData\win-acme\httpsacme-staging.api.letsencrypt.org\ in this example.
Step 2: Open Smartermail: Goto Settings->Bindings->Ports
WARNING Don’t do what I did and point to the crt.der file. Yes it is a certificate but Smartermail does not use straight certificates. It wants the private key. Point at the pfx file. (example.com-all.pfx)
After setting the certificate path, click the ‘Verify Certificate’ button and if it is green you have a good file in place. Again BE WARNED!!! if you have pointed at the crt.der file it will show green but you wont be able to send or receive mail
Step 3: Restart Smartermail
That is as simple as going to the services console and restarting the SmarterMail Mail Server service.
Step 4: Test
- SMTP Test: Check TLS will test your SMTP connection. All you need to do is put in a mail domain (your server name or a domain your mail server hosts ) https://www.checktls.com/ No credentials are required for this test.
- Webserver Test: Check your web server is properly configured with the new certificate – https://www.ssllabs.com/ssltest/ Again no credentials are required
- POPS and IMAPS Test: WARNING!!! The only way to test secure pop and imap is to provide login credentials for a mail box. If you trust the following site – feel free to put in your credentials. However, I do not know these people. Putting in your own credentials means they could steal your mail if they turn out to be malicious. I RECOMMEND MAKING A TEMP MAIL USER and testing using those credentials. Once the test is finished, destroy the temporary user. The test location is found here: https://www.dotcom-tools.com/email-server-test.aspx Use it at your own risk.
Should all your tests pass then feel free to sit back, gloat about a job well done and know that in 3 months time the win-acme program will either auto renew or let you run a simple command line to renew your certs.
In the notes I have found, it is possible the renewed certificates will appear in a sub folder of the certificates folder e.g.
C:\ProgramData\win-acme\httpsacme-staging.api.letsencrypt.org\Renewals if that is the case then moving the renewed certs to
C:\ProgramData\win-acme\httpsacme-staging.api.letsencrypt.org\ and restarting IIS and Smartermail should complete the renewal without too much pain.
As always, if you need help doing one of these installs – feel free to contact us.