Multiple SSL Certificates

frontdist
Posts: 21
Joined: Tue Mar 05, 2013 7:12 pm

Multiple SSL Certificates

Post by frontdist »

Please include the ability to select/install SSL certificates on a per-domain or per-postoffice basis.

Currently when hosting multiple domains, either a generic domain and SSL certificate has to be used (one that is not descriptive of individual domains on the server), or all users have to use one domain to have SSL capability (thus they will know the main domain you are hosting). Being able to install multiple SSL certificates would enhance customization of individual domains/postoffices.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Multiple SSL Certificates

Post by MailEnable-Ian »

Hi,

You can find this option under "Post office IP bindings" located within the "localhost" properties under the "General" tab. Double click the IP address and bind post office, host name and SSL cert. Post office IP bindings is exclusive to Enterprise and Enterprise Premium versions.
Regards,

Ian Margarone
MailEnable Support

frontdist
Posts: 21
Joined: Tue Mar 05, 2013 7:12 pm

Re: Multiple SSL Certificates

Post by frontdist »

Unfortunately, I was hoping there could be some resolver tied into the process to differentiate based on host-header for a given domain.

With the method you are suggesting, I would either need to map each different domain to a different IP address and then apply the certificates that way (which I don't have enough public IPs to accomplish), or I would need to put a reverse proxy between the firewall and the mail server that would be able to reverse-resolve the host header to various LAN IPs that I could multi-home to a single adapter.

More or less, I was hoping that something like the IIS implementation where multiple domains/certificates can be reached on one IP address could be achieved.

Please let me know if this ever becomes a solution.

airbear
Posts: 10
Joined: Wed Dec 10, 2014 2:34 pm

Re: Multiple SSL Certificates

Post by airbear »

The problem lies a little deeper than MailEnable. A TLS/SSL enabled server cannot know the domain name used by the client to reach the server and thus cannot choose a certificate according to the domain name, except when the domain name is provided using the TLS SNI extensions. Without SNI, you are limited to a single certificate per TCP socket (IP:Port). Support for SNI in client software is not yet universal and using TCP ports other than the standard for a protocol causes more problems. So, you end up needing 1 public IP for each certificate to ensure best compatibility... The situation seems to be much the same in IIS.

listvan
Posts: 16
Joined: Tue May 01, 2012 10:37 am

Re: Multiple SSL Certificates

Post by listvan »

Any updates about this issue?

Does the new feature, "SNI support for SMTP, IMAP, POP", maybe solve the problem?

Kind Regards

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Multiple SSL Certificates

Post by MailEnable-Ian »

Hi,

10.19 5th October 2018
----------------------
ADD: SNI support for SMTP, IMAP, POP, etc

http://www.mailenable.com/Professional-ReleaseNotes.txt
Regards,

Ian Margarone
MailEnable Support

listvan
Posts: 16
Joined: Tue May 01, 2012 10:37 am

Re: Multiple SSL Certificates

Post by listvan »

Hi,

I already knew it! Thanks, but I haven't received any clear answer regarding the main topic, "Multiple SSL certificates", without using this method:

"Post office IP bindings" located within the "localhost" properties under the "General" tab. Double click the IP address and bind post office, host name and SSL cert.

Does SNI solve the issue, or is it only for IIS?
MailEnable-Ian wrote:Hi,

10.19 5th October 2018
----------------------
ADD: SNI support for SMTP, IMAP, POP, etc

http://www.mailenable.com/Professional-ReleaseNotes.txt

Admin
Site Admin
Posts: 1127
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: Multiple SSL Certificates

Post by Admin »

Hi,

If SNI is enabled, then you don't need to select any certificate. The services will just look up the certificate for the domain the client requests in the Windows certificate store and try to use it. If a matching certificate cannot be found then it will fall back to using the one selected in the administration program. So it is a lot easier to use now, as you just have to install the certificate for the domain and it will be picked up - no need to restart the services either.

listvan
Posts: 16
Joined: Tue May 01, 2012 10:37 am

Re: Multiple SSL Certificates

Post by listvan »

Hi,

Thank you for your answer,

I've enabled SNI in the localhost SSL settings - "Use requested SSL certificate if possible for non IIS services (SNI)" - and left the default SSL as "NONE"... but it did not work. I restarted all services as required. It gives a send/receive error in Outlook. Most probably it could not choose the right certificate. (I'm using my personal mail with *bungalow.eu configured with SSL in Outlook.)
I have 4 different SSL certificates set up for 4 different domains, e.g. *bungalow.eu, *parlclesetoiles.com, *resortnet.nl, etc. Only the default, "*bungalow.eu", worked; the other 3 could not be used.
As I understand it, the SNI function must be enabled and the default SSL left at NONE, and it will automatically take the right one.
I notice that in IIS it works: all 4 webmails with different domains work fine with https.

I really appreciate your effort and your help resolving this issue.

Kind Regards
Istvan Lokodi
System Administrator
Bungalow.Net


Admin wrote:Hi,

If SNI is enabled, then you don't need to select any certificate. The services will just look up the certificate for the domain the client requests in the Windows certificate store and try to use it. If a matching certificate cannot be found then it will fall back to using the one selected in the administration program. So it is a lot easier to use now, as you just have to install the certificate for the domain and it will be picked up - no need to restart the services either.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Multiple SSL Certificates

Post by MailEnable-Ian »

Hi,

Ensure you are running 10.20 as there were fixes to the SNI functionality.
Regards,

Ian Margarone
MailEnable Support

listvan
Posts: 16
Joined: Tue May 01, 2012 10:37 am

Re: Multiple SSL Certificates

Post by listvan »

Company Name: Bungalow.Net
Contact Name: Willem van der Wilden
Enterprise Edition: 10.20
MailEnable-Ian wrote:Hi,

Ensure you are running 10.20 as there were fixes to the SNI functionality.

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Multiple SSL Certificates

Post by MailEnable-Ian »

Hi,

Ok, so what is the exact error in Outlook when you send/receive? It shouldn't fail to connect and should only return a trust warning if the SSL certificate does not match the host name, therefore there is something else wrong. Perhaps you have not set the relevant permissions on the SSL certificates for the MailEnable service accounts. Please see: http://www.mailenable.com/kb/content/ar ... D=ME020479

Also please be aware that SNI will not work with wildcard SSL certificates.
Regards,

Ian Margarone
MailEnable Support
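
Editor's added example (not MailEnable code and not posted by any participant): a small Python model of the selection behaviour described in the replies above, namely lookup by the name the client requests, fallback to the configured default, and no wildcard matching, combined with the hostname check a mail client performs. The store layout, certificate ids and `.test` hostnames are constructed, and skipping wildcard entries is an assumption taken from the wildcard remark above.

```python
# Added illustration: models the certificate selection described in this
# thread. Not MailEnable's code; all names and data are constructed.

def client_accepts(hostname, cert_names):
    """Client-side check: exact name, or a wildcard covering one label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            head = host[: -len(name[1:])]
            if head and "." not in head:
                return True
    return False

def select_certificate(sni_name, store, default=None):
    """Server-side choice as described in the thread: exact-name lookup,
    else the configured default. Wildcard entries are skipped (assumption
    based on the reply that SNI does not work with wildcard certificates)."""
    wanted = (sni_name or "").lower()
    for cert in store:
        exact = [n.lower() for n in cert["names"] if not n.startswith("*")]
        if wanted and wanted in exact:
            return cert
    return default

def audit(hostnames, store, default=None):
    """Map each hostname clients use to the outcome of a connection."""
    result = {}
    for host in hostnames:
        cert = select_certificate(host, store, default)
        if cert is None:
            result[host] = "no certificate"
        elif client_accepts(host, cert["names"]):
            result[host] = "ok: " + cert["id"]
        else:
            result[host] = "name mismatch: " + cert["id"]
    return result

# Constructed store: one exact-name certificate and two wildcard certificates.
STORE = [
    {"id": "cert-a", "names": ["mail.example-a.test"]},
    {"id": "cert-b", "names": ["*.example-b.test"]},
    {"id": "cert-c", "names": ["*.example-c.test"]},
]
HOSTS = ["mail.example-a.test", "mail.example-b.test", "mail.example-c.test"]
if __name__ == "__main__":
    for host, outcome in audit(HOSTS, STORE, default=STORE[2]).items():
        print(f"{host:22} {outcome}")
```

With a wildcard certificate as the default, only hosts under that wildcard validate; with no default at all, names that have only a wildcard certificate get no certificate.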

listvan
Posts: 16
Joined: Tue May 01, 2012 10:37 am

Re: Multiple SSL Certificates

Post by listvan »

Back to the topic,

I have some updates, but I am still facing some difficulties with the configuration.
Because "SNI will not work with wildcard SSL certificates", I decided to get 3 more public IP addresses and bind them separately.

1. IP 87.230.58.24 is pointed to .mail.bungalow.eu; I added the right postoffice and SSL certificate. It works fine in Outlook.
2. IP 87.230.58.162 is pointed to mail.resortnet.nl; I added the right postoffice and selected the SSL certificate... it does not work in Outlook; it fails at the test account settings. But the moment I change to the normal ports without encryption, 143 for IMAP and 25 for SMTP, the test works.

I hope somebody can help... it's getting more difficult to use and configure certificates.
We really need to add a separate certificate for each domain, and we prefer to use an SSL/TLS encrypted connection in Outlook.

We will have to solve this issue asap.
Thank you in advance,

Istvan Lokodi
Bungalow.Net

StefanAlbrecht
Posts: 2
Joined: Mon Sep 23, 2019 12:07 pm

Re: Multiple SSL Certificates

Post by StefanAlbrecht »

Hi Jan,


My client has this error code 0x800CCC0F. He checked: DNS resolution is working. What else may be blocking connectivity?

Thanks,
Stefan
