Setting up a proper SSL cert for webmail

[waterman34]

Hi all

Up until now we've relied on the built-in, self-generated ssl certificate but we now want to setup a real one for users to access their webmail securely. It seems that a number of clients are having problems accessing their webmail using the self-generated certificate from 3rd party locations because I think in some circumstances the security settings don't allow it (such as from cyber cafe's etc).

My question before I start is regarding the address that the SSL certificate will use, although each customer has 'http://webmail.domain.com, this actually goes to the following address of https://200.00.000.000:1000/_index, presumably this should be the address used for the ssl certificate can someone answer?

[Code Crafters]

The common name of the certificate needs to match the domain by which you are accessing the WebMail really, not including the https:// or :1000/_index parts of course. Usually its best to ask the Certificate Authority for help with what settings to use if they are different to ours but mainly it will be similar to our built in one and must be an RSA MD5 encrypted certificate or equivalent for compatibility. Any others may possibly not work with the current version so make sure you get the right one.

[agh3]

One issue with SSL certificates are that they're issued to a specific host name. (i.e. mail.domain.com) You can't assign multiple certificates to different mail domains in a single AMS as of yet (I think that's on the wishlist..and I would love it myself!)


All your clients would need to go to https://mail.domain.com/_index and then login with their unique logins.

You can't have 1 certificate that supports the following domains on 1server:

https://mail.domain1.com
https://mail.domain2.com
https://mail.domain3.com


You also cannot issue an SSL certificate for an IP address. They're based on hostnames. I recommend DigiCert as their support is really great. Here's their tutorial on Certificate creation: http://www.digicert.com/csr-creation.htm

[Code Crafters]

Yes, unfortunately certificates are for a single domain which would require you to connect via that domain for them to work correctly. We are planning on adding certificate chains support soon which may allow for a multi-chained certificate for several domains to get round this problem. If not, we are planning to eventually add support for an SSL certificate per domain and/or IP but I can't promise when this will be as it's quite a major update.

[agh3]

Hi Chris,
Bump on this...any idea on it A3 will support Subject Alternate Name (SAN) or UCC certificates? Those are the great new thing so that you *can* embed multiple hostname/multiple domain names in the certificate and the browsers/servers will accept them.

[Code Crafters]

We are very busy at the moment working on Ability Mail Server 3 and a new FTP client simultaneously. However, I have added your suggestions to our massive to-do list and will see if this can be pushed into one of our minor maintenance updates the next of which will probably be in 2-3 months time. I can't promise it will be in the next update but support for multiple domain access to SSL certificates is something we are definitely planning to add when we can.