SSL/TLS

ISMail EP provides secure messaging with SSL/TLS and up to 256-bit data encryption. SSL/TLS ensures that messages are secure from eavesdropping even when exchanged over insecure communication channels.

SSL certificates are used to verify that ISMail EP has been certified to use SSL/TLS security with mail clients and other mail servers. Commercial SSL certificates may be obtained from SSL certificate resellers.

Important Note: SSL/TLS encryption requires that an IP address be assigned to a domain in order to properly use a certificate. The IP address must be a legitimate Internet address and not a LAN IP address, unless the server is to be used only for internal LAN access.

SSL Certificates

An SSL certificate states that a domain has been certified to use SSL. SSL certificates may be obtained from an SSL certificate reseller. To obtain an SSL certificate, a 'CSR' (Certificate Signing Request) file must be created and supplied to the SSL certificate reseller. When a CSR is created, a private key file is also generated. Although the CSR does not contain sensitive material, the private key must be kept secure and never given to anyone. The directory containing the private key should have permissions set to restrict access only to system administrators.

Once an SSL certificate has been received, it should be copied to the certificate directory and named 'mydomain.com.crt', where 'mydomain.com' is the domain name in the certificate and '.crt' is the filename extension.

Note: the ISMail-Webmail plugin, containing the ISMail EP web server, must be installed prior to creating CSRs or installing SSL certificates.

The CSR directory is:

  • C:\Program Files\InstantServers\ISMail\Apache\conf\ssl.csr

The SSL certificate directory is:

  • C:\Program Files\InstantServers\ISMail\Apache\conf\ssl.crt

The SSL certificate private key directory is:

  • C:\Program Files\InstantServers\ISMail\Apache\conf\ssl.key

Creating a CSR (Certificate Signing Request) and Certificate Private Key

A CSR and private key may be created using the ISMail EP web-based administrator. CSRs may also be viewed using the administrator.

Note: to create and view CSRs manually from a DOS command window, see 'CSRs and SSL Certificates: Manual Control'.

To create a CSR:

  • On the mail server, access: http://127.0.0.1/admin_mail
  • Login to the ISMail Manager
  • Open the 'Mail Servers' folder
  • Select the 'SSL Certificates' link
  • Under 'SSL Certificate Signing Requests (CSR)', click 'New'
  • Enter values in all of the CSR fields
  • Click 'Save'

To view a CSR:

  • On the mail server, access: http://127.0.0.1/admin_mail
  • Login to the ISMail Manager
  • Open the 'Mail Servers' folder
  • Select the 'SSL Certificates' link
  • Under 'SSL Certificate Signing Requests (CSR)', click 'View' next to the domain name

Obtaining an SSL Certificate

An SSL certificate may be obtained from any authorized SSL certificate reseller. The CSR file generated above must be supplied when requesting an SSL certificate.

Note: The private key file should not be supplied to the certificate reseller.

Installing an SSL Certificate

To install an SSL certificate, copy the certificate file to the certificate directory and rename it as 'mydomain.com.crt' where 'mydomain.com' is the domain name in the certificate and '.crt' is the filename extension.

Then, set up the SMTP, POP, IMAP, and Web servers to use the certificate as described below.

Viewing SSL Certificates

SSL certificates may be viewed from the ISMail EP web-based administrator.

Note: To view SSL certificates and CSRs manually using DOS command line tools, see 'CSRs and SSL Certificates: Manual Control'.

To view certificates:

  • On the mail server, access: http://127.0.0.1/admin_mail
  • Login to the ISMail Manager
  • Open the 'Mail Servers' folder
  • Select the 'SSL Certificates' link
  • Click 'View' next to any certificate name

SMTP Server

The SMTP server may be set up to use TLS over the standard SMTP port. Secure operation may be used for incoming, outgoing, or both incoming and outgoing messages. Note that the email client or remote SMTP server must also use TLS for a secure connection to be established.

To enable the SMTP server to use TLS on incoming connections:

  • Open the Win32 ISMail Manager
  • Open the SSL/TLS configuration tab
  • In the 'SSL/TLS' box, check the SMTP 'Incoming' checkbox
  • Click Apply

To enable the SMTP server to use TLS for outgoing connections:

  • Open the Win32 ISMail Manager
  • Open the SSL/TLS configuration tab
  • In the 'SSL/TLS' box, check the SMTP 'Outgoing' checkbox
  • Click Apply

In addition to verifying SSL certificate parameters, the server may be set up to verify certificate domain names and to use a domain name when establishing a secure connection.

To set up the SMTP server to send domain names with TLS:

  • Open the Win32 ISMail Manager
  • Open the SSL/TLS configuration tab
  • In the 'SMTP Options' box, check the 'Use STARTTLS Domains' checkbox
  • Click Apply

To set up the SMTP server to verify certificate domain names:

  • Open the Win32 ISMail Manager
  • Open the SSL/TLS configuration tab
  • In the 'SMTP Options' box, check the 'Verify Certificate Domain' checkbox
  • Click Apply

POP Server

The POP server may be configured to use SSL on a dedicated port (995), and to use TLS on the standard POP port (110).

To set up the POP server for SSL/TLS:

  • Open the Win32 ISMail Manager
  • Open the SSL/TLS configuration tab
  • In the 'SSL/TLS' box, check the POP 'Incoming' checkbox
  • Click Apply

IMAP Server

The IMAP server may be configured to use SSL on a dedicated port (993), and to use TLS on the standard IMAP port (143).

To set up the IMAP server for SSL/TLS:

  • Open the Win32 ISMail Manager
  • Open the SSL/TLS configuration tab
  • In the 'SSL/TLS' box, check the IMAP 'Incoming' checkbox
  • Click Apply

Web Server

The Web server supports SSL (the 'https' protocol) on the standard SSL port (443). SSL may be used for both Webmail and for the ISMail EP web-based administrator.

To set up the Web server for SSL, first install an SSL certificate, and then configure the domain for SSL with the ISMail web-based administrator.

To configure a domain for SSL (once an SSL certificate has been installed):

  • On the mail server, access: http://127.0.0.1/admin_mail
  • Login to the ISMail Manager
  • Open the 'Mail Servers' folder
  • Select the SSL link
  • Click 'New'
  • Enter the domain name, IP address, SSL port (443), SSL certificate file, and SSL private key file
  • If the certificate issuer has provided a 'certificate authority' file, enter it in the 'SSL CA Certificate' box
  • Click 'Save'
  • Now start the Web server using the Win32-based ISMail EP Manager

Note: an SSL CA (certificate authority) file may be issued by the certificate reseller if the reseller is not known to all web browsers. The CA file provides a trusted 'chain' of certificates which will allow clients to verify the authenticity of the SSL certificate even if the certificate reseller is not built into the client program.

CSRs and SSL Certificates: Manual Control

A CSR and private key may be created manually using a DOS command line window and command line tools. CSRs and SSL certificates may also be viewed manually.

To create a CSR and private key manually:

  • Open a DOS command window
  • cd c:\program files\instantservers\ismail\apache\install
  • spp2k.bat (this will set the PATH environment variable)
  • openssl req -newkey rsa:1024 -keyout req.key -keyform PEM -out req.pem -outform PEM -nodes

Enter the information requested in each field. If you make a mistake, the program may be exited by hitting Control-C several times and then re-started.

To view a CSR manually:

  • Open a DOS command window
  • cd c:\program files\instantservers\ismail\apache\install
  • spp2k.bat (this will set the PATH environment variable)
  • openssl req -in req.pem -text -noout

To view a certificate manually:

  • Open a DOS command window
  • cd c:\program files\instantservers\ismail\apache\install
  • spp2k.bat (this will set the PATH environment variable)
  • openssl x509 -in mydomain.com.crt -text -noout

CSR Details:

A 'PEM pass phrase' is NOT recommended since using one would require the server to be manually started.

The 'Country Name' is always a 2-letter code (e.g. US or CA).

The 'State or Province Name' is the name of the state or province of the company or organization (e.g. California).

The 'Locality Name' is the name of the city of the company or organization (e.g. Mountain View).

The 'Organization Name' should be the name of the company (e.g. InstantServers, Inc.).

The 'Organizational Unit Name' may be left blank.

The 'Common Name' should be the name of the domain (generally WITHOUT any 'mail' or 'www' prefix) (e.g. instantservers.com).

The 'Email Address' should be the mail account of the server administrator.

Private Key:

The file 'req.key' is the private key. Move this file to the private key directory and rename it as 'mydomain.com.key', where 'mydomain.com' is the domain name used for the CSR (the 'Common Name' field). The private key directory should have permissions set to restrict access only to system administrators.

The file 'req.pem' is the CSR. This file must be supplied to the reseller when requesting an SSL certificate.
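The manual openssl steps above, carried through non-interactively and followed by the checks an administrator would want to run before copying files into ssl.key and ssl.crt (key and certificate belong together, the Common Name is the right domain, the reseller's CA file validates the certificate, the key file is readable only by its owner). This is an added example and not part of the ISMail EP documentation: it uses a constructed domain name, a constructed stand-in CA in place of the certificate reseller, a temporary directory in place of the Apache conf directories, and a 2048-bit key where the page's own command uses rsa:1024. It runs in a POSIX shell with the openssl tool; on the ISMail server the same openssl commands are typed into the DOS command window after spp2k.bat has set the PATH.

```shell
#!/bin/sh
# Added example: CSR, private key and certificate checks with openssl.
# Everything below is constructed for illustration; the stand-in CA plays
# the role of the certificate reseller.
set -eu

WORK="$(mktemp -d)"           # stand-in for the ssl.csr / ssl.key / ssl.crt dirs
DOMAIN="mail.example.test"    # constructed Common Name (use your own domain)

# 1. Private key and CSR in one step, as on the page, but with -subj so the
#    CSR fields are answered on the command line. -nodes means no PEM pass
#    phrase, so the server can start unattended. umask 077 makes the key
#    file readable by its owner only, which is what the page asks for.
make_csr() {
    umask 077
    openssl req -newkey rsa:2048 -keyout "$WORK/req.key" -keyform PEM \
        -out "$WORK/req.pem" -outform PEM -nodes \
        -subj "/C=US/ST=California/L=Mountain View/O=Example Org/CN=$DOMAIN/emailAddress=postmaster@$DOMAIN" \
        2>/dev/null
    chmod 600 "$WORK/req.key"
}

# 2. The page's 'view a CSR' step, reduced to the subject line.
csr_subject() {
    openssl req -in "$WORK/req.pem" -noout -subject
}

# 3. Stand-in for the reseller: a constructed CA that signs the CSR.
#    With a real reseller you would send req.pem and receive the .crt file
#    plus, possibly, the reseller's CA chain file.
make_stand_in_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=Example Reseller CA/CN=Example Reseller Root" 2>/dev/null
}

issue_stand_in_cert() {
    openssl x509 -req -in "$WORK/req.pem" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# 4a. The certificate's public key must be the one derived from the given
#     private key; a mismatch is the usual reason a server refuses to start
#     after a certificate is installed. Compared via SHA-256 of the PEM SPKI.
cert_matches_key() {
    c="$(openssl x509 -in "$WORK/$DOMAIN.crt" -noout -pubkey | openssl sha256)"
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)"
    [ "$c" = "$k" ]
}

# 4b. The Common Name must be the domain clients connect to, otherwise a
#     client that verifies certificate domain names rejects the session.
cert_cn_is() {
    openssl x509 -in "$WORK/$DOMAIN.crt" -noout -subject | grep -q "CN *= *$1"
}

# 4c. The CA file must validate the certificate; this is the check a browser
#     or mail client performs with the 'SSL CA Certificate' chain file.
chain_verifies() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$DOMAIN.crt" >/dev/null 2>&1
}

# 4d. The private key file is mode 600 (owner read/write only).
key_is_private() {
    [ -n "$(find "$1" -maxdepth 0 -perm 600)" ]
}

main() {
    make_csr
    csr_subject
    make_stand_in_ca
    issue_stand_in_cert
    cert_matches_key "$WORK/req.key" && cert_cn_is "$DOMAIN" \
        && chain_verifies && key_is_private "$WORK/req.key" \
        && echo "OK: copy $DOMAIN.crt to ssl.crt and req.key to ssl.key as $DOMAIN.key"
}
main
```

The same checks apply to a certificate received from a real reseller: substitute the reseller's certificate for the stand-in and the reseller's CA chain file for ca.crt. A failed cert_matches_key check is what to look for when the Web server will not start after a certificate is installed, and a failed cert_cn_is check is what a remote SMTP server with 'Verify Certificate Domain' enabled will report. To see the certificate a running server actually presents, `openssl s_client -starttls smtp -connect mailhost:25` from a client machine shows the chain as the client receives it.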