Frequently Asked Questions

How do I enable the mail server's secure protocols? (SMTPS, IMAPS, POP3S, TLS)
Last Updated 5 years ago

Secure protocols use SSL (Secure Sockets Layer) technology for establishing an encrypted link between a server and a client. An SSL Certificate is required in order to be able to establish a secure connection. SSL Certificates have a key pair: a public and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the “subject,” which is the identity of the certificate owner.

To get a certificate, you must either create a certificate signing request on the server, or use self-signed certificates.

The certificate signing request process creates a private key and public key on your server. The CSR data file that you send to the SSL Certificate issuer (called a Certificate Authority or CA) contains the public key. The CA uses the CSR data file to create a data structure to match your private key without compromising the key itself. The CA never sees the private key.

It is also possible to use self-signed certificates that are entirely generated and signed by the same server. This is a quick, cheap and easy way to provide encryption options for the clients' connections to the services provided. However, since those certificates are not verified by a trusted Certificate Authority, most clients will prompt the users with a security alert because the certificate was not verified.

Below is an example security prompt:

image

Most browsers or other client software provide a way to add a security exception for the specified certificates, so that they are considered trusted.

To produce a certificate, go to "Configuration :: System :: Certificates Management". You will see the "Repository" tab. Click on the "Create Self-signed Certificate" button and fill in the form as shown below:

image

The most important field here is the Name field. When this certificate is used by a server, the name of the certificate must be the same as the server's hostname, as advertised by the server. This hostname is the combination of the hostname and domain name as provided in the system's general settings.


image

In our example, the full host name is mail.mydomain.com, so this is what we use as the certificate's name.


NOTE: The password you provide here will be used to encrypt the private key on the server. This password is not stored anywhere and cannot be recovered. Make sure you do not forget it. You will be prompted for this password whenever an operation is required to use this key (when issuing a new certificate, revoking a certificate etc.).

Finally, click on the "Create Self-Signed Certificate" button.


image


You can now see the certificate that was generated.


Using the certificates

Now we can select the certificate that we created for use by our services. Let's use it in our mail server:

Go to "Configuration :: E-Mail Service :: General Settings" and click on the "Change" button next to the certificate.

image

At the popup prompt, click on the "Select from repository" button.
You should see here the certificates stored in the certificate repository.


image


Click on the certificate we created earlier (mail.mydomain.com). You will be prompted for the password that was used to create the certificate:

image

Fill in the password and click on the "OK" button.

The certificate should now be selected:

image

Finally, click on the "Save" button. The secure protocols should be available immediately afterwards.

You can easily check the certificate by accessing the webmail service over HTTPS now.


Secure services and associated ports

Mail server:
Secure POP3 connections are available on the normal POP3 port (tcp 110) using TLS, or as a direct SSL connection on port 995.
Secure IMAP connections are available on the normal IMAP port (tcp 143) using TLS, or as a direct SSL connection on port 993.
Secure SMTP connections can be established either using port 25 and STARTTLS, or as a direct SSL connection to port 465.
Secure connection to the Groupware is available using HTTPS.

Groupware (webmail)
HTTPS connection on the default port 443*

FTP server:
TLS option on standard FTP port (tcp 21)
SFTP connection on port 9222
FTPS connection on port 990

LDAP server:
TLS option on standard LDAP port (389*)
LDAPS connection on port 636*

* These ports can be customized
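
To confirm from a client that every mail port listed above presents the certificate selected earlier, and that its name equals the server's hostname, a check along these lines can be used. It is an added example, not part of the original article or the product; the file mail-cert.pem is an assumption (a PEM copy of the self-signed certificate exported from the server), and the exact-match name comparison is written for this example.

```python
import imaplib, poplib, smtplib, socket, ssl

# Ports from the list above: "ssl" = TLS from the first byte, others use STARTTLS/STLS.
MAIL_PORTS = {995: "ssl", 993: "ssl", 465: "ssl", 110: "pop3", 143: "imap", 25: "smtp"}

def pinned_context(pem_path):
    """Trust only the certificate in pem_path (assumed exported from the server)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    ctx.check_hostname = False  # names are compared below so each port is reported
    ctx.load_verify_locations(cafile=pem_path)
    return ctx

def name_matches(cert, hostname):
    """Exact, case-insensitive match on SAN DNS names (no wildcards), else subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN extension: fall back to the subject's commonName
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    want = hostname.rstrip(".").lower()
    return any(n.rstrip(".").lower() == want for n in names)

def fetch_cert(host, port, ctx, timeout=10):
    """Return the validated, decoded certificate presented on one mail port."""
    mode = MAIL_PORTS[port]
    if mode == "ssl":
        with socket.create_connection((host, port), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()
    if mode == "smtp":
        with smtplib.SMTP(host, port, timeout=timeout) as conn:
            conn.starttls(context=ctx)
            return conn.sock.getpeercert()
    if mode == "imap":
        with imaplib.IMAP4(host, port, timeout=timeout) as conn:
            conn.starttls(ssl_context=ctx)
            return conn.sock.getpeercert()
    conn = poplib.POP3(host, port, timeout)
    try:
        conn.stls(context=ctx)
        return conn.sock.getpeercert()
    finally:
        conn.close()

if __name__ == "__main__":
    host, ctx = "mail.mydomain.com", pinned_context("mail-cert.pem")  # assumed path
    for port in MAIL_PORTS:
        try:
            print(port, "ok" if name_matches(fetch_cert(host, port, ctx), host) else "NAME MISMATCH")
        except (OSError, smtplib.SMTPException, imaplib.IMAP4.error, poplib.error_proto) as err:
            print(port, "failed:", err)
```

A port reported as "failed" with a certificate verification error is presenting a different certificate from the pinned one; "NAME MISMATCH" means the certificate is the expected one but was created with a name other than the hostname clients connect to.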
